Determine if AudioBuffers/OfflineAudioContext are a fingerprinting vector

WebAudio allows you to write data to AudioBuffers and perform effects/manipulation/spectral analysis on them, and extract their contents.

If the underlying routines are OS supported, they may be fingerprintable. https://developer.mozilla.org/en-US/docs/Web_Audio_API

added component::applications/tor browser owner::arthuredelstein priority::high severity::major status::new tbb-fingerprinting type::task labels

Trac:
Keywords: N/A deleted, TorBrowserTeam201409 added

This may be easy for someone who has a bunch of different OSes and writes some test JS to print out values from some audio manipulation tests using these buffer extraction functions. Well, easy to test for differences anyway.

Trac:
Keywords: N/A deleted, tbb-easy added

Trac:
Keywords: TorBrowserTeam201409 deleted, TorBrowserTeam201409Easy added

Trac:
Keywords: N/A deleted, TorBrowserTeam201410 added

Trac:
Keywords: TorBrowserTeam201409Easy deleted, TorBrowserTeam201410Easy added

Trac:
Keywords: TorBrowserTeam201410 deleted, N/A added

Trac:
Keywords: tbb-fingerprinting, TorBrowserTeam201410Easy deleted, tbb-fingerprinting-os added

https://developer.mozilla.org/en-US/docs/Web/API/OfflineAudioContext may leak audio processing capabilities.

Trac:
Keywords: ff31-esr deleted, ff38-esr added
Summary: Determine if AudioBuffers are a fingerprinting vector to Determine if AudioBuffers/OfflineAudioContext are a fingerprinting vector

Tag the set of things we should have implemented before a full 5.0 launch, and add them to the July radar.

Trac:
Keywords: N/A deleted, tbb-5.0a, TorBrowserTeam201507 added

Trac:
Keywords: TorBrowserTeam201507 deleted, TorBrowserTeam201508 added

I am going to shoot from the hip on this one and guess that this is at most an OS fingerprinting vector.

Certainly not something we'll solve by 5.0 anyways.

Trac:
Keywords: ff38-esr, TorBrowserTeam201508, tbb-5.0a deleted, N/A added

"This page tests browser-fingerprinting using the AudioContext and Canvas API. Using the AudioContext API to fingerprint does not collect sound played or recorded by your machine - an AudioContext fingerprint is a property of your machine's audio stack itself. "

https://audiofingerprint.openwpm.com/

Trac:
Sponsor: N/A to N/A
Reviewer: N/A to N/A
Severity: N/A to Blocker

Trac:
Severity: Blocker to Normal

Trac:
Cc: N/A to arthuredelstein

I have three different machines, one Windows and two Linux ones and I can verify that for each different machine using Tor Browser 5.5.5 the fingerprints are exactly the same for each machine.

The fingerprinting persists on OS reboots, Tor Browser restarts and using Tor Browser's "New identity".

I have tested using the website above (https://audiofingerprint.openwpm.com) in Tor Browser 5.5.5 and have done the test three times for each machine.

This is very problematic, hope this can be fixed soon! Thanks all!

By the way, for those who want to do the test themselves, use this one: https://valve.github.io/fingerprintjs2/ Because https://audiofingerprint.openwpm.com automatically sends information to Princeton.

Edit: Sorry I thought fingerprintjs2 used the same "Audio fingerprinting" as Princeton's test. So for those who want to do the test themselves, use https://audiofingerprint.openwpm.com and you might want to first enable Javascript, put yourself in Offline mode, and then do the test, so that no information about your machine/browser is sent to Princeton.

Trac:
Severity: Normal to Critical
Priority: Medium to Very High

Replying to cypherpunks:

I have three different machines, one Windows and two Linux ones and I can verify that for each different machine using Tor Browser 5.5.5 the fingerprints are exactly the same for each machine.

Hm... if they are exactly the same for each machine isn't that a good thing? It allows you hiding in the crowd which is our strategy to beat fingerprinters. That said, I tested it as well with two different Linux machines (and distributions) and on a Windows computer. I got the same fingerprint for the Linux machines but a different one with Windows (which is on one of the Linux boxes, too). Thus, this seems to support the theory that this is an OS-fingerprinting problem. Or did I miss anything?

Trac:
Severity: Critical to Normal
Priority: Very High to Medium
Status: new to needs_information

Replying to gk:

Replying to cypherpunks:

I have three different machines, one Windows and two Linux ones and I can verify that for each different machine using Tor Browser 5.5.5 the fingerprints are exactly the same for each machine.

Hm... if they are exactly the same for each machine isn't that a good thing? It allows you hiding in the crowd which is our strategy to beat fingerprinters. That said, I tested it as well with two different Linux machines (and distributions) and on a Windows computer. I got the same fingerprint for the Linux machines but a different one with Windows (which is on one of the Linux boxes, too). Thus, this seems to support the theory that this is an OS-fingerprinting problem. Or did I miss anything?

The fingerprints are the same for Tor Browser 5.5.5 on each machine individually independent of browser, OS, or computer restarts. So each Tor Browser can be uniquely identified. This is very problematic ...

Trac:
Severity: Normal to Critical
Priority: Medium to Very High

Replying to cypherpunks:

By the way, for those who want to do the test themselves, use this one: https://valve.github.io/fingerprintjs2/

Wrong.

fingerprintjs2 does not (currently) contain tests for AudioContext fingerprinting: https://github.com/valve/fingerprintjs2/. The OpenWPM page has the tests in an embedded script tag (it has several implementations, apparently observed in the wild Internet).

This page has some actual information: https://webtransparency.cs.princeton.edu/webcensus/. There's also this paper (see section 6.4): https://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf

Okay, we take a closer look and get to the bottom of it.

Trac:
Owner: tbb-team to arthuredelstein
Status: needs_information to assigned
Keywords: N/A deleted, TorBrowserTeam201605 added