What is it about?
When you log into your bank's website, hidden scripts may be watching how you move your mouse, type your password, and tap your screen. This is called "behavioral biometrics" — a security technique that uses your unique physical habits to confirm you're really you and not a hacker or a bot. We built a system that automatically finds and identifies these hidden scripts across the web. Our tool combines an AI-powered web crawler that can navigate websites like a human to find login pages, a code analysis technique that traces how this data moves through a website's code, and a machine learning classifier that tells these security scripts apart from similar-looking tools like analytics trackers. We tested our system on over 9,500 U.S. bank websites and 100,000 of the web's most popular sites. We found that banks are far more likely to use these tracking scripts specifically on login pages than on their regular pages, confirming that this technology is deployed strategically to protect the riskiest moments: when someone is trying to access an account.
Why is it important?
This is the first large-scale study to systematically measure how widely behavioral biometric tracking is deployed across the web. While these scripts are marketed as fraud prevention tools, they also raise privacy questions since they can quietly collect detailed data about how a person interacts with their device, sometimes without clear user awareness or consent. Our open-source detection framework, including a novel AI-driven login page crawler and a vendor-agnostic machine learning classifier, gives researchers, privacy advocates, and regulators the tools to independently audit this previously invisible layer of web security. By open-sourcing our entire pipeline and dataset, we enable continued monitoring of this fast-moving space as new vendors emerge and tracking techniques evolve.
Perspectives
This project sat at an interesting intersection for me: building practical systems (an LLM-powered crawler, a static analysis pipeline) while also surfacing real privacy questions that affect everyday people using daily website applications like banks. I hope this work gives researchers and policymakers a concrete, reproducible way to keep tabs on a technology that mostly operates in the shadows.
Aswad Tariq
University of Waterloo
Read the Original
This page is a summary of: Tracking for Good: Finding Behavioral Biometrics on the Web using Static Taint Analysis, July 2026, ACM (Association for Computing Machinery),
DOI: 10.1145/3750555.3811893.