New research into web-tracking techniques has found some websites using audio fingerprinting for identifying and monitoring web users.
During a scan of one million websites, researchers at Princeton University have found that a number of them use the AudioContext API to identify an audio signal that reveals a unique browser and device combination.
“Audio signals processed on different machines or browsers may have slight differences due to hardware or software differences between the machines, while the same combination of machine and browser will produce the same output,” the researchers explain.
The method doesn’t require access to a device’s microphone, but rather relies on the way a signal is processed. The researchers, Arvind Narayanan and Steven Englehardt,
have published a test page to demonstrate what your browser’s audio fingerprint looks like.
“Using the AudioContext API to fingerprint does not collect sound played or recorded by your machine. An AudioContext fingerprint is a property of your machine’s audio stack itself,” they note on the test page.
The technique isn’t widely adopted but joins a number of other approaches that may be used in conjunction for tracking users as they browse the web.
For example, one script that they found combined a device’s current charge level, a canvas-font fingerprint and a local IP address derived from WebRTC, the framework for real-time communications between two browsers.
The researchers found 715 of the top one million websites are using WebRTC to discover the local IP address of users. Most of these are third-party trackers.
Meanwhile, Canvass fingerprinting was found on 14,371 sites with scripts loaded from 400 different domains. The researchers analysed canvass fingerprinting in 2014, and note three changes since then.