We collect certain device and network connection information when you access the Service. This information includes your device model, operating system, keystroke patterns or rhythms, IP address, and system language. We also collect service-related, diagnostic, and performance information, including crash reports and performance logs. We automatically assign you a device ID and user ID. Where you log-in from multiple devices, we use information such as your device ID and user ID to identify your activity across devices to give you a seamless log-in experience and for security purposes.
It looks to me that they are using it to identify the user uniquely, maybe also related to captcha to prevent bots (it’s common practice to capture mouse and keyboard while resolving captchas to see if the movement is human-like).
Maybe. They could also be doing things like paying attention to input cadence and typos/pre-send typo corrections to use as part of a fingerprint associated with the identifying information a user gives them when creating an account so that they can then attempt to detect the user elsewhere on the web whether they are using an identifying account or not.
the chance of this is almost zero. if you are a dangerous cybercriminal, they will track your device down by a networking solution, wait until you leave it unattended and install a hardware-based spy device and capture evidence. No fbi agent will fuck around with keyboard sounds or movie bs like that
Not usually. Keystroke info is different than text input, like if you didn’t click onto any field and typed it would only be captured if keystroke are all being grabbed. It’s especially scary if you keep the app running in the bg and then type something and it still captures it. Not saying they’re doing that, but the privacy policy says they might.
The rhythm part is annoying, it’s commonly used to ID people even through things like ad blocks and dns blocks. Could also (in theory) be used to capture what people are typing just by hearing how they type.
I’m confused. Isn’t “collecting keystroke data” just an alarmist way to describe text entry?
This is the full paragraph:
It looks to me that they are using it to identify the user uniquely, maybe also related to captcha to prevent bots (it’s common practice to capture mouse and keyboard while resolving captchas to see if the movement is human-like).
Looks like there are more things I need to start randomizing and injecting with noise.
Maybe. They could also be doing things like paying attention to input cadence and typos/pre-send typo corrections to use as part of a fingerprint associated with the identifying information a user gives them when creating an account so that they can then attempt to detect the user elsewhere on the web whether they are using an identifying account or not.
So, basically using Facebook technology in their AI app?
You’ll hear no arguments from me on that point, US tech companies are toxic af.
How far we’ve come
Not exactly. Timing between key presses can be used to identify people.
lol no. only the sounds of the keys can identify the keyboard’s model
The goal is not to identify keyboard model. The goal is to identify person. And people tend to have something called habbits.
the chance of this is almost zero. if you are a dangerous cybercriminal, they will track your device down by a networking solution, wait until you leave it unattended and install a hardware-based spy device and capture evidence. No fbi agent will fuck around with keyboard sounds or movie bs like that
Ok, I see you are intentionally going in circles.
I am literally so paranoid I regularly vary my keysteoke rhythms and explore polyrhytmic techniques to create variations. Not even joking.
this. i mean, the session logs for the prompt are kept at least for your user, right?
Not usually. Keystroke info is different than text input, like if you didn’t click onto any field and typed it would only be captured if keystroke are all being grabbed. It’s especially scary if you keep the app running in the bg and then type something and it still captures it. Not saying they’re doing that, but the privacy policy says they might.
The rhythm part is annoying, it’s commonly used to ID people even through things like ad blocks and dns blocks. Could also (in theory) be used to capture what people are typing just by hearing how they type.
Yes.