Tor Users Can Be Tracked Based On Their Mouse Movements

An anonymous reader writes: The way you move your mouse is unique, like fingerprints, and can be used by dark forces to track you on supposedly anonymous and secure networks like Tor, according to a Barcelona researcher. Because the Tor Project has failed to address a ten-month-old issue regarding "time measurement via JavaScript," there are a series of user fingerprinting techniques that are quite accurate at identifying users based on their mouse movements, scrolling speed, and how their browser and hardware reacts to certain JavaScript code. If a user visits a "fingerprinting" website via Tor and then via a normal browser, an attacker can have a general idea about their identity and can even pinpoint them to real IPs. The data that is usually logged in fingerprinting schemes is not 100% reliable or accurate for that matter, but it provides a starting point for future investigations.

Guess it's time to

[cdsparrow]

Start using a trackpad when you use websites you don't wanna be tracked on. Oh and maybe reduce your browser's processor priority so it reacts differently to their time based snooping. Oh and first post maybe?

Re:Guess it's time to

[bloodhawk]

I would imagine trackpads are vulnerable to the exact same fingerprinting techniques. browser priority is unlikely to have any significant effect on timing and tracking of these events and it would be an absolute pain in the arse.

Noscript.

[sims+2]

This one of the reasons why they should have never left noscript off by default.

Re:Noscript.

[Aighearach]

According to his user number he was born yesterday, and will continue believing that privacy is dead until he graduates from college and gets his own place to live.

Then there is some small, remote chance of discovering that where you shop was never really private, and that you want your bank to know what you spent money on, or else you'd have used cash. And that if you avoid specific behaviors, you get a lot-lot-lot less junk mail than less paranoid people.

If it is private, don't put it on the internet. If it is private, don't leave it on your porch. Don't give your phone number to a store just because you shopped there. (just say "no thank you" when they ask you for your number)

Google knows a lot about most people, but thankfully they don't sell that information. Or send junk mail. Or call your telephone. Or talk about you. Hopefully for your sake, your bank is also traditional like that.

Re:Gee Fucking Whiz

Absolutely right. I keep seeing stories about how TOR users can be tracked . . . and they always involve javascript . . . what gives? Perhaps the headline should read "javascript users can be tracked by mouse movements?"

If there was a story about people being tracked by network analysis of TOR traffic, or some other novel means, that would be news.

1. Use the Tor Browser Bundle to access .onion sites
2. Check that noscript is set to block all javascript in the Tor Browser. (it might not default to block all)
3. Don't use the Tor browser to access any site other than .onion sites.

Re:Gee Fucking Whiz

[Aighearach]

Yeah but if you're not on Tor, you're not doing anything illegal and you're not worried about tracking of that sort because normally of course the remote server knows your IP and everything, and there are a zillion potential logs or whatever in the middle.

If you're on Tor for free speech, of course you don't care because you're not there for privacy; you're there to disguise your activities from local observation of the network. You already have to trust the remote server not to tattle to your government in that case.