We all kind of know that our devices, and our activities on them, are being tracked. In response, there are entire categories of apps and services that let you browse incognito, block ads, or hide your tracks — and many of those are quite popular. But it turns out there’s another kind of tracking signal that those privacy protectors, for the most part, miss.
A study out of Princeton (PDF) has found that in addition to all the cookies and beacons and digital fingerprints we know we leave behind us, there’s one that is metaphorically shouting your presence — you just can’t hear it.
It’s audio fingerprinting. As in yes, trackers are listening to you. Not to what you do, exactly, but to what you use. And no, it’s not weird science-fiction stuff; it’s tech that’s really in the world.
So, your computer makes sound. Not system sounds or booting beeps, or music or audio you actually play, but the sound of its own electrons doing their thing. It’s out of your range of hearing, but that sound cluster is there.
Now what you can do, if you really want a way to identify a particular machine, is add a unique sound into that mix. The user can’t hear it (nor, for that matter, can the tracker), but software can.
So in order to track you by the audio fingerprint your device makes, a script checks for the existence of certain audio-related code and then drops in a tiny extra bit of information, to create a unique fingerprint:
In the simplest case, a script from the company Liverail checks for the existence of an AudioContext and OscillatorNode to add a single bit of information to a broader fingerprint. More sophisticated scripts process an audio signal generated with an OscillatorNode to fingerprint the device. … Audio signals processed on different machines or browsers may have slight differences due to hardware or software differences between the machines, while the same combination of machine and browser will produce the same output.
The researchers have a site where you can see a visualization of your own hardware’s audio fingerprint, as well as snippets of the relevant code if that’s a thing that makes sense to you.
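As an added example (not code from the study or from any tracker), the sketch below triages script source for the two behaviours quoted above: a bare existence check for AudioContext and OscillatorNode, versus generating an oscillator signal and reading the processed output back. The pattern lists, verdict names and sample scripts are constructed assumptions.

```javascript
// Added example: static triage of script source for the two behaviours the
// study describes. Pattern lists and verdict names are this example's own.
const NAMES = /\b(?:webkit)?(?:Offline)?AudioContext\b|\bOscillatorNode\b/;
const INSTANTIATE = /\bnew\s+(?:window\.)?(?:webkit)?(?:Offline)?AudioContext\b/;
const OSCILLATOR = /\bcreateOscillator\s*\(|\bnew\s+OscillatorNode\b/;
const READBACK = /\b(?:getFloatFrequencyData|getByteFrequencyData|getChannelData|startRendering|onaudioprocess)\b/;

function classifyScript(source) {
  const hits = {
    names: NAMES.test(source),             // API names mentioned at all
    instantiate: INSTANTIATE.test(source), // an audio context is constructed
    oscillator: OSCILLATOR.test(source),   // a synthetic signal is generated
    readback: READBACK.test(source),       // processed samples are read by script
  };
  let verdict = 'none';
  // Generating a signal AND reading it back matches the "more sophisticated" case.
  if (hits.oscillator && hits.readback) verdict = 'signal-processing';
  // Audio is actually used (e.g. playback) but no generate-and-read-back pair.
  else if (hits.instantiate || hits.oscillator) verdict = 'audio-use';
  // Names are only probed, never used: the "single bit" existence check.
  else if (hits.names) verdict = 'presence-check';
  return { verdict, hits };
}

// Constructed sample scripts (not captured from any real tracker).
const SAMPLES = {
  'presence.js': "var bits = [typeof window.AudioContext, 'OscillatorNode' in window];",
  'render.js': [
    'var ctx = new OfflineAudioContext(1, 44100, 44100);',
    'var osc = ctx.createOscillator();',
    'osc.connect(ctx.destination); osc.start(0);',
    'ctx.startRendering().then(function (buf) { sum(buf.getChannelData(0)); });',
  ].join('\n'),
  'player.js': 'var ctx = new AudioContext(); ctx.decodeAudioData(bytes, play);',
  'carousel.js': "document.querySelector('.slide').classList.add('on');",
};

function triage(samples) {
  const out = {};
  for (const [name, src] of Object.entries(samples)) out[name] = classifyScript(src).verdict;
  return out;
}

console.log(triage(SAMPLES));
```

A verdict here is a lead for manual review, not proof of tracking. String matching misses minified or obfuscated scripts, which is why logging these API calls at runtime is the more robust check.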
This is not a widespread tracking tactic, the researchers make sure to emphasize. But because it is niche, the vast majority of privacy-protecting services — including the common browser extensions consumers use — aren’t going to know to do anything about it.
Niche also doesn’t mean from someone you’ve never heard of, nor does it preclude the idea eventually becoming more widespread if it proves effective. LiveRail, the company that checks for the existence of audio code? They’re a Facebook company. That certainly means that if they wanted to expand the use of this technology, they’d sure have the means to do so.