Bypassing Safari 17's advanced audio fingerprinting protection
Purpose and Ethics of Fingerprinting
- Many object that a company selling fingerprinting tech is publishing a “how to bypass privacy” guide while claiming it’s for fraud detection.
- Strong concern that user preference not to be tracked is overridden in the name of fraud prevention, likened to justifying wiretapping or attacks on encryption.
- Others argue some fingerprinting is genuinely useful for payments, abuse prevention, and fraud, but concede it is easily repurposed for advertising and profiling.
- Several see the vendor’s demos and pricing as oriented toward marketing/personalization, with “fraud only” language viewed as cover or CYA.
Technical Discussion: Audio Fingerprinting & Safari 17
- Safari’s protection adds random, uniform noise to Web Audio output.
- Commenters note this is weak: with enough samples, an attacker can average out the noise and recover the underlying deterministic differences.
- Differences between browsers arise from floating‑point behavior, implementation details, SIMD code paths, OS libraries, and anti-aliasing choices in Web Audio oscillators.
- Suggestions include: per-origin or time-rotating deterministic noise keyed by a secret; or fully standardizing deterministic audio algorithms across browsers.
Broader Web API and Browser Design Concerns
- Strong skepticism about exposing rich audio, GPU, and similar APIs to every website; many see this as driven by Chrome/Google and app-like web ambitions.
- Some want such APIs behind explicit permissions, or an opt‑in “rich JS engine,” keeping normal browsing to basic DOM/XHR.
- Others counter that permissions prompts are annoying, widely ignored, and themselves degrade UX.
Other Fingerprinting Vectors & Defenses
- Audio fingerprinting alone mostly narrows to browser/OS/hardware class but can be combined with IP, screen, timing, WebGL/GPU, etc. to become highly identifying.
- GPU/WebGL fingerprinting (e.g., DrawnApart) is cited as another potent vector.
- Disabling Web Audio/WebGL/JS or using unusual settings may itself make a user more unique. Tor and Mullvad browsers aim for a single shared fingerprint, but effectiveness depends on adoption.
Law, Policy, and Future Directions
- Some want fingerprinting, at least for advertising, made illegal; others note it is hard to define in law and that regulators may allow it for fraud/abuse/CP detection.
- Multiple comments argue privacy needs stronger legal codification because technical countermeasures alone are an endless, losing arms race.