Even Turing Should Sometimes Not Be Able to Tell: Mimicking Humanoid Usage Behavior for Exploratory Studies of Online Services

  • Stephan Wiefling
  • Nils Gruschka
  • Luigi Lo Iacono
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11875)


Online services such as social networks, online shops, and search engines deliver different content to users depending on their location, browsing history, or client device. Since these services have a major influence on opinion forming, understanding their behavior from a social science perspective is of the utmost importance. In addition, technical aspects of services such as security and privacy are becoming increasingly relevant for users, providers, and researchers. Due to the lack of essential data sets, automatic black box testing of online services is currently the only way for researchers to investigate these services in a methodical and reproducible manner. However, automatic black box testing of online services is difficult, since many of them try to detect and block automated requests to prevent bots from accessing them.

In this paper, we introduce a testing tool that allows researchers to create and automatically run experiments for exploratory studies of online services. The testing tool performs programmed user interactions in such a manner that they can hardly be distinguished from those of a human user. To evaluate our tool, we conducted—among other things—a large-scale research study on Risk-based Authentication (RBA), which required human-like behavior from the client. In these experiments, we were able to circumvent the bot detection of the investigated online services. As this demonstrates the potential of the presented testing tool, it remains the responsibility of its users to balance the conflicting interests between researchers and service providers, as well as to check whether their research programs remain undetected.
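The abstract notes that the tool's programmed interactions can hardly be distinguished from a human user's. As a minimal illustrative sketch (not the authors' actual implementation), human-like keyboard input can be approximated by randomizing the inter-keystroke intervals instead of typing at machine speed; the function name, parameters, and the Gaussian timing model below are assumptions chosen for illustration:

```python
import random

def human_typing_delays(text, mean_ms=180.0, jitter=0.35, seed=None):
    """Return one delay (in milliseconds) per character of `text`,
    mimicking a human typist: a noisy base inter-key interval, a lower
    bound on speed, and an occasional longer 'thinking' pause."""
    rng = random.Random(seed)
    delays = []
    for _ in text:
        delay = rng.gauss(mean_ms, mean_ms * jitter)
        delay = max(40.0, delay)       # humans rarely type faster than ~40 ms/key
        if rng.random() < 0.05:        # occasional hesitation before a keystroke
            delay += rng.uniform(300.0, 900.0)
        delays.append(delay)
    return delays

delays = human_typing_delays("secret-password", seed=42)
print(len(delays))  # one delay per character
```

A browser-automation script (e.g. one driving a headless browser) could then sleep for each generated delay between key events, so that the resulting timing trace resembles human typing rather than a constant-rate bot.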


Keywords: Black box testing · Evaluation · Testing framework



We would like to thank Tanvi Patil for proofreading a draft of the paper. This research was supported by the research training group “Human Centered Systems Security” (NERD.NRW) sponsored by the state of North Rhine-Westphalia.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. TH Köln – University of Applied Sciences, Cologne, Germany
  2. University of Oslo, Oslo, Norway
