Bypassing Safari 17's advanced audio fingerprinting protection

Purpose and Ethics of Fingerprinting

  • Many object that a company selling fingerprinting tech is publishing a “how to bypass privacy” guide while claiming it’s for fraud detection.
  • Strong concern that user preference not to be tracked is overridden in the name of fraud prevention, likened to justifying wiretapping or attacks on encryption.
  • Others argue some fingerprinting is genuinely useful for payments, abuse prevention, and fraud, but concede it is easily repurposed for advertising and profiling.
  • Several see the vendor’s demos and pricing as oriented toward marketing/personalization, with “fraud only” language viewed as cover or CYA.

Technical Discussion: Audio Fingerprinting & Safari 17

  • Safari’s protection adds random, uniform noise to Web Audio output.
  • Commenters note this is weak: with enough samples, an attacker can average out the noise and recover the underlying deterministic differences.
  • Differences between browsers arise from floating‑point behavior, implementation details, SIMD code paths, OS libraries, and anti-aliasing choices in Web Audio oscillators.
  • Suggestions include: per-origin or time-rotating deterministic noise keyed by a secret; or fully standardizing deterministic audio algorithms across browsers.

Broader Web API and Browser Design Concerns

  • Strong skepticism about exposing rich audio, GPU, and similar APIs to every website; many see this as driven by Chrome/Google and app-like web ambitions.
  • Some want such APIs behind explicit permissions, or an opt‑in “rich JS engine,” keeping normal browsing to basic DOM/XHR.
  • Others counter that permissions prompts are annoying, widely ignored, and themselves degrade UX.

Other Fingerprinting Vectors & Defenses

  • Audio fingerprinting alone mostly narrows to browser/OS/hardware class but can be combined with IP, screen, timing, WebGL/GPU, etc. to become highly identifying.
  • GPU/WebGL fingerprinting (e.g., DrawnApart) is cited as another potent vector.
  • Disabling Web Audio/WebGL/JS or using unusual settings may itself make a user more unique. Tor and Mullvad browsers aim for a single shared fingerprint, but effectiveness depends on adoption.

Law, Policy, and Future Directions

  • Some want fingerprinting, at least for advertising, made illegal; others note it is hard to define in law and that regulators may allow it for fraud/abuse/CP detection.
  • Multiple comments argue privacy needs stronger legal codification because technical countermeasures alone are an endless, losing arms race.