processed on different machines or browsers may have slight
differences due to hardware or software differences between the
machines, while the same combination of machine and browser will
produce the same output," the researchers explain.
The method doesn't
require access to a device's microphone, but rather relies on the
way a signal is processed.
Arvind Narayanan and Steven Englehardt, have published a
test page to demonstrate what your
browser's audio fingerprint looks like.
AudioContext API to fingerprint does not collect sound played or
recorded by your machine. An AudioContext fingerprint is a
property of your machine's audio stack itself," they note on the
The technique isn't
widely adopted but joins a number of other approaches that may be
used in conjunction for tracking users as they browse the web.
For example, one
script that they found combined a device's current charge level, a
canvas-font fingerprint and a local IP address derived from
WebRTC, the framework for real-time
communications between two browsers.
found 715 of the top one million
websites are using WebRTC to discover the local IP address of users.
Most of these are third-party trackers.
Another more widely
used method is fingerprinting based on the HTML Canvass API, which
aims to deduce the fonts installed on a browser. They found 3,250
first-party sites using this technique.
analyzed canvass fingerprinting in 2014, and note three changes
most prominent trackers have by and large stopped using it,
suggesting that the public backlash following that study was
overall number of domains employing it has increased
considerably, indicating that knowledge of the technique has
spread and that more obscure trackers are less concerned about
Third, the use
has shifted from behavioral tracking to fraud detection, in line
with the ad industry's self-regulatory norm regarding acceptable
uses of fingerprinting."
The other key
finding, which may be good news depending on your attitude to,
that the number of third-party trackers that users will encounter on
a daily basis is small.
"All of the top
five third parties, as well as 12 of the top 20, are
Google, Facebook, and Twitter are the only third-party entities
present on more than 10 percent of sites," the researchers note.
The researchers say
their data suggests there has been a consolidation in the market for
third-party tracking, which contrasts to the perception that there
has been an explosion in third-party trackers.
And that could be
good news in terms of pressuring the industry to make
"For 100 or so
third parties that are prevalent on one percent or more of
sites, we might expect that they are large enough entities that
their behavior can be regulated by public-relations pressure and
the possibility of legal or enforcement actions," they argued.