[tbb-bugs] #30392 [Applications/Tor Browser]: CSS features allow real-time tracking

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat May 11 16:44:42 UTC 2019

#30392: CSS features allow real-time tracking
 Reporter:  davywtf                   |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by davywtf):

 Tracking in the sense that it can be used to fingerprint users based on
 behavior that's hard for the user to hide. And the user may be completely
 unaware that it's happening since they typically don't assume metrics are
 being collected on static pages with NoScript.

 To give you some ideas:
 - Based on motion you can determine mouse vs touchpad vs keyboard
 - If research into gait analysis translates you should be able to predict
 biometrics (arm dimensions) from mouse movement
 - Reveals screen visibility (scroll location, window dimensions, etc)

 So it's not a major threat in the sense that it's directly identifying a
 user or their machine (unless those metrics are already known) but it's a
 potential fingerprinting data point that could be mitigated entirely by
 preloading content linked from CSS. And the future of online tracking and
 privacy violation will almost certainly involve basic machine learning
 approaches applied to seemingly innocuous user input like this.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30392#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list