Tracking for Good: Finding Behavioral Biometrics on the Web using Static Taint Analysis
Date
2025-08-15
Advisor
Hengartner, Urs
Publisher
University of Waterloo
Abstract
Behavioral biometric technologies have emerged as powerful tools for enhancing digital security by analyzing unique user interactions such as keystrokes, mouse movements, and touch gestures. This thesis provides a systematic exploration and empirical measurement of behavioral biometric scripts deployed across the web, particularly focusing on their prevalence and implications in critical interactions such as user authentication and fraud prevention.

Our comprehensive approach begins with manual and automated identification and characterization of scripts from major behavioral biometric providers including BioCatch, BehavioSec, TransUnion’s Iovation, and Mastercard’s NuData, among others. Leveraging an advanced static taint analysis framework utilizing Visible V8, we effectively trace behavioral biometric data flows within JavaScript, accurately identifying sensitive data collection and transmission points. To reliably detect login webpages containing behavioral biometric scripts, we developed LoginGPT, a state-of-the-art web crawler enhanced by Large Language Models (LLMs), significantly outperforming existing heuristic-based solutions in identifying login pages.

Furthermore, we develop a supervised machine learning approach using Random Forest classifiers trained on vendor-agnostic static analysis features, achieving robust accuracy and strong generalization to previously unseen vendors. Our comprehensive empirical evaluation spans 9,502 U.S. banking websites and the Chrome User Experience (CrUX) top 100,000 domains, revealing that behavioral biometric scripts are deployed on 15.8% of banking domains with discoverable login pages and 1.79% of general web domains with discoverable login pages. Our findings demonstrate the strategic deployment of these technologies on high-risk interfaces such as authentication pages, uncover distinct vendor deployment patterns across industries, and highlight significant privacy concerns stemming from extensive behavioral data collection practices.

This thesis contributes a robust framework and critical insights for detecting, characterizing, and understanding behavioral biometric technologies on the web, offering valuable perspectives for researchers, industry professionals, and policymakers engaged in digital security and privacy protection.
Keywords
behavioral biometrics, browser fingerprinting, tracking, web measurement, static analysis, taint analysis, instrumented browser, visiblev8, machine learning, nudata, forter, biocatch, behaviosec, iovation, transunion, lexisnexis, accertify, darwinium