The way you move your mouse while lazily browsing the internet could be unique enough to be used to track you—and even to identify and unmask you.
A security researcher has devised a way to create a unique fingerprint of internet users that could potentially be used to track them when using the Tor browser, a well known anonymity software.
“Every user moves the mouse in a unique way,” Norte, who's the CTO of Barcelona-based startup eyeOS, told Motherboard in an online chat. “If you can observe those movements in enough pages the user visits outside of Tor, you can create a unique fingerprint for that user. Then you can identify him inside of Tor, based on how he or she uses the mouse.”
“Every user moves the mouse in a unique way.”
Norte created a proof of concept of this technique, showing the kind of unique data a mouse movement creates, and how that could be used to fingerprint a user. The key is the getClientRects, a Tor Browswer API element that can be used as a fingerprint vector, according to Norte.
Well-known security expert Mikko Hypponen called it “clever,” but not everyone agrees this technique as it was devised by Norte could really be effective.
In this case “the utilized techniques seems to be used in a rather basic form, time and mouse movements analysis are known in the research community to differentiate between devices/users, it still poses a challenge to use them effectively,” privacy and security researcher Lukasz Olejnik, told Motherboard. "If enhanced, mouse movements tracking could be a form of behavioral tracking.”
Olejnik added that other researchers, including himself, have warned in the past that mouse movements could be used to track users online. He also explained that one would need much more features, such as acceleration, angle of curvature, curvature distance, and other data, to uniquely fingerprint a user. Norte's technique, on the other hand, only uses a limited amount of information, according to Olejnik.
In any case, if you’re worried about being fingerprinted and tracked based on how you move the mouse, there’s an easy solution.
This post has been updated to add references to previous research into tracking users based on their mouse movements.