The sliding scale of physical and behavioral “fingerprints”

(Part II in a series on behavioral biometrics)

On the side of a little inquiry I am making at the moment into the developing concept of “identity in the digital age”, I stumbled upon behavioral biometrics. Writing my last post, I was wondering about the various ways a person is both traceable and recognizable by their “fingerprints”.

Rereading my last post, I was not comfortable with my categorization of biometrics, especially because I realized there are many types of “fingerprints”. Both categories listed – physiological and behavioral biometrics – therefore need sub-categories if I want to be able to explain developments, especially in the realm of the interaction with the virtual/digital world and our behavior in the virtual world.

It is important to note that we can distinguish three types of concepts of identity:

  • personal/psychological identity;
  • social identity;
  • legal identity;
  • body identity. (explained here)

Biometrics refers to metrics related to human characteristics and traits. Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals (Wikipedia). As such, biometrics are used to establish the legal identity of a person, even if this is done only via authentication instead of identification.

Physiological biometrics

I see two types of physiological biometrics: (1) static and (2) dynamic.

In 1788, the German anatomist Johann Christoph Andreas Mayer (1747–1801) recognized that fingerprints are unique to each individual (Wikipedia). Since then we have seen a strong growth of body metrics and properties which are recognized as being unique per person. Next to fingerprints, we can use irises, retinas, DNA, hand palm vein patterns, face characteristics, dental characteristics and most probably others I am not aware of, as unique identifiers of a person. The properties listed are intrinsic to the human body and – basically – unchangeable, hence static physiological biometrics. These metrics can be used to identify a person whether that person is dead or alive.

With our bodies we create unique sounds, electrical currents, chemical substances and even biological patterns as well: e.g. voice patterns, heartbeat, odors and our bacteria biotope respectively. These patterns are produced by our bodies by being alive and being used. You could see this as “behavior” but I prefer to address these metrics as dynamic physiological biometrics.

Sensor technologies of all kinds are increasingly available in our electronic devices and are getting literally closer to the skin all the time. With our growing ability to monitor and analyze these dynamic patterns, dynamic physiological metrics are becoming increasingly relevant for authentication and identification purposes. (An example is the approach of Bionym to use heartbeats for payments authentication.)

Behavioral biometrics

Looking more closely into the types of our behaviors in the realm of our digital existence that are unique to a given person I see 3 distinct sub-types: (1) body-device interaction, (2) browsing behavior and (3) our social graph:

Body-device interaction involves the dynamic patterns of behavior of a person's body while interacting with electronic devices, like typing/swiping rhythms, the angle of holding a phone, electronic signatures etc. On top of that, static characteristics of the devices used by a person can be used to authenticate a person, especially when combined with other metrics “harvested” from the user. NB I see cookies as part of this as well.

By being active in the digital world a person leaves a unique trail of actions behind; let's call this browsing behavior (“What you do”), although it obviously contains much more than just scrolling internet pages. Because a cow is an animal, an animal is not yet always a cow. Browsing behavior is used by the likes of Google and many others to profile a person. A profile does say a lot about a person and could even be theoretically unique per person. But profiling does not aim to establish “who is who”; it aims to establish “what your preferences are”. This has to do with our personal/psychological identity but not with establishing a person's (legal) identity.

The contacts we have form a social graph (= Who you are connected with). By definition everybody has a unique graph, as it is the only graph where the person in the middle has a connection with all the persons and parties in their graph while all others figuring in that graph will not. Because these social graphs can be monitored – e.g. by looking at the browsing behavior or by looking at the social media accounts of a person – we can associate one person with another and establish a social identity. This graph can be used to build the concept of reputation (NB which some like David Birch in “Identity is the New Money” argue is part of identity and could be used for authentication and even becomes money itself, which I dispute for he mixes up the various types of identity).

To me, only body-device interaction is to be seen as biometrics. The other two – browsing behavior and our social graph – do say a lot about a person and their social and personal/psychological identity but cannot as such be used to identify / authenticate a person.
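How typing rhythm and static device characteristics can be combined into one authentication decision, as an added example that is not part of the original post. All function names, thresholds and timing values are assumptions constructed for illustration.

```python
import statistics

def make_events(dwells, flights):
    """Constructed-input helper: (press_ms, release_ms) pairs from holds and gaps."""
    events, t = [], 0
    for hold, gap in zip(dwells, flights + [0]):
        events.append((t, t + hold))
        t += hold + gap
    return events

def timing_features(events):
    """Dwell time per key, then flight time from each release to the next press."""
    dwell = [release - press for press, release in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Per-feature mean and spread over several samples of the same typed text."""
    cols = list(zip(*(timing_features(s) for s in samples)))
    means = [statistics.mean(c) for c in cols]
    # Floor the spread so a very consistent typist is not rejected for tiny jitter.
    spreads = [max(statistics.pstdev(c), 5.0) for c in cols]
    return means, spreads

def rhythm_distance(template, events):
    """Mean absolute deviation from the template, in units of the enrolled spread."""
    means, spreads = template
    feats = timing_features(events)
    if len(feats) != len(means):
        return float("inf")  # different number of keys: not comparable
    return sum(abs(f - m) / s for f, m, s in zip(feats, means, spreads)) / len(feats)

def device_match(enrolled, observed):
    """Fraction of enrolled static device attributes seen again on this attempt."""
    return sum(observed.get(k) == v for k, v in enrolled.items()) / len(enrolled)

def decide(template, device, events, observed, max_distance=2.0, min_device=0.5):
    """Rhythm is the biometric; the device only decides whether to ask for more."""
    if rhythm_distance(template, events) > max_distance:
        return "reject"
    return "accept" if device_match(device, observed) >= min_device else "step_up"

# Constructed sample data: three enrollment typings of a 4-key text, one known device.
TEMPLATE = enroll([make_events([90, 100, 95, 105], [120, 130, 110]),
                   make_events([100, 110, 85, 95], [140, 120, 130]),
                   make_events([95, 105, 90, 100], [130, 125, 120])])
DEVICE = {"screen": "1920x1080", "browser": "Firefox", "timezone": "Europe/Amsterdam"}
OWNER = make_events([92, 104, 91, 99], [126, 127, 124])
OTHER = make_events([60, 70, 65, 150], [250, 60, 300])
print([decide(TEMPLATE, DEVICE, e, DEVICE) for e in (OWNER, OTHER)])
```

The same owner rhythm from an unrecognized device yields `step_up` rather than `accept`, which is where the static device characteristics contribute.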

Just an example (which I find pretty scary)

via Digital fingerprinting could stop web trolls for good (Wired UK).

Digital fingerprinting firm Trustev has developed new technology that it claims could stop online trolls and abusive commenters for good. The software uses more than 1,000 data points to ensure that when a user is banned from commenting they remain banned forever.

First developed to prevent ecommerce fraud, Trustev’s system looks at everything from monitor size to browser version and even how a user moves their mouse to create a unique fingerprint. Each user account is linked to one of these fingerprints, making it easy to stop abusive commenters setting up additional accounts.

Trustev is able to look at data such as location, proxies, devices, browser IDs, email address, phone number, social network accounts and system settings to build a detailed profile of each user signed up to post comments using its service. Trustev CEO Pat Phelan told WIRED.co.uk:

“This is not about blocking free speech, it’s about enabling speech.”

While they indeed may pursue a sanitized environment for exchange of thoughts and ideas, the repercussions of these types of systems can be devastating to individuals and to groups whose thoughts are not heard. But how can individuals defend themselves against these types of exclusions? This will lead to large scale arbitrariness. To me such systems are actually an affront to free speech and democratic processes.

Ubiquitous biometric surveillance is like an invincible cage we are putting around every one of us. Unfortunately you are not holding the keys yourself.