Tor users can be identified by their mouse movements

Tor users can be identified by their mouse movements

By Lee Mathews Mar. 11, 2016

Tor users can be identified by their mouse movements

Not long ago, it seemed like Tor was a bulletproof way to keep your browsing activities private. Today, however, we know that’s simply not the case.

Just last month it was confirmed that researchers at Carnegie Mellon University had tampered with the Tor network in 2014 as part of the DoJ’s Operation Onymous. Their intervention allowed authorities to identify dozens of IPs linked to Silk Road 2.0 vendor accounts and facilitated the shutdown of 27 dark web sites.

CMU helped identify users by “operating relays and tampering with user traffic,” according to a statement by the Tor Project. Now, security researcher Jose Carlos Norte has figured out a much more targeted way to reveal a Tor user’s identity: by the way they move their mouse.

His method uses only JavaScript, which is supported by default in the Tor browser. By inserting different elements into a web page that can track movements over time, Norte was able to successfully identify Tor users “in a controlled environment.” For now, that’s slightly reassuring. Just because Norte was able to do this in a lab-type setting doesn’t mean it would be easy to pull off in the real world.

That said, he’s proven that it can be done, and — unlike Carnegie Mellon — Norte didn’t have to exploit any vulnerabilities that the Tor Project could simply patch to mitigate the threat to their users’ privacy. Shutting off JavaScript is an easy way to protect yourself from mouse-based fingerprinting, but it’s also an easy way to break 99% of modern websites.

So while Tor remains one of the best tools to protect your privacy online, there are plenty of chinks in the armor. Fortunately, the Tor Project’s engineers are always hard at work — and they’re already looking at ways to nullify mouse fingerprinting.

Leave a Reply