I don’t see much discussion of this and I suspect it’s not really an issue, but I started to wonder about it since some online bank payments ask you to type an e-mail address - any e-mail address - and monitor “how” you type it as a form of extra authentication (on top of some kind of 2FA like SMS).
The Wikipedia page suggests that this is a probabilistic measure which doesn’t provide high confidence, but I don’t know if it’s correct or up to date.
To take a concrete example, I’m writing this text online in the text box on the PG forum site, so in principle some Javascript could be sending the individual keypresses (including deletions and cursor movements as I edit and tweak) and their timings to a PG server for analysis. What are the chances that this could be correlated with (say) similar data extracted and analysed during my use of Google Docs and that PG could in principle say “our user SteveR is almost certainly the same person as quuxalot53 over on Google”?
Has anyone estimated the number of bits of fingerprinting this can provide? I suspect it’s not large, but unlike browser or OS fingerprinting, my typing style is something that stays with me even if I change browser, OS or machine.
Do any browsers attempt to mitigate this? I imagine for things like Google Docs this is hard, but I’d have thought it would be possible to just buffer keypresses locally until Enter is pressed in something like a search box. (You’d lose search suggestions as you type, of course.) Maybe the fact I couldn’t find any information on browser mitigations suggests this isn’t a serious concern in the first place.
The obvious manual workaround is to type the text into a separate editor then copy and paste it into the browser, but that gets old pretty fast when I’m not actually living in fear of three letter agencies.
I’m also now tempted to ask about how identifiable someone is by their writing style, but I should maybe research that myself first and post separately if I’m still curious once I’ve made a bit of an effort.