Tech

How You Move Your Mouse Could Help Others Track You—Even on Tor

The way you move your mouse while lazily browsing the internet could be unique enough to be used to track you—and even to identify and unmask you.

A security researcher has devised a way to create a unique fingerprint of internet users that could potentially be used to track them when using the Tor browser, a well known anonymity software.

Videos by VICE

Researcher Jose Carlos Norte realized that using Javascript, a ubiquitous coding language on the web that is enabled by default in Tor Browser, a spy or hacker controlling a certain website could fingerprint a user based on how he or she moves the mouse.

“Every user moves the mouse in a unique way,” Norte, who’s the CTO of Barcelona-based startup eyeOS, told Motherboard in an online chat. “If you can observe those movements in enough pages the user visits outside of Tor, you can create a unique fingerprint for that user. Then you can identify him inside of Tor, based on how he or she uses the mouse.”

“Every user moves the mouse in a unique way.”

Norte created a proof of concept of this technique, showing the kind of unique data a mouse movement creates, and how that could be used to fingerprint a user. The key is the getClientRects, a Tor Browswer API element that can be used as a fingerprint vector, according to Norte.

Well-known security expert Mikko Hypponen called it “clever,” but not everyone agrees this technique as it was devised by Norte could really be effective.

In this case “the utilized techniques seems to be used in a rather basic form, time and mouse movements analysis are known in the research community to differentiate between devices/users, it still poses a challenge to use them effectively,” privacy and security researcher Lukasz Olejnik, told Motherboard. “If enhanced, mouse movements tracking could be a form of behavioral tracking.”

“As long as there’s Javascript, they’ll be able to fingerprint you, one way or the other.”

Olejnik added that other researchers, including himself, have warned in the past that mouse movements could be used to track users online. He also explained that one would need much more features, such as acceleration, angle of curvature, curvature distance, and other data, to uniquely fingerprint a user. Norte’s technique, on the other hand, only uses a limited amount of information, according to Olejnik.

The Tor Project did not respond to a request for comment, but it seems that its developers are looking into this issue, according to two official bug reports.

In any case, if you’re worried about being fingerprinted and tracked based on how you move the mouse, there’s an easy solution.

“The only solution is to deactivate Javascript completely,” Norte said. “As long as there’s Javascript, they’ll be able to fingerprint you, one way or the other.”

This post has been updated to add references to previous research into tracking users based on their mouse movements.