This post is also available in: heעברית (Hebrew)

The privacy focused Tor network has been a regular feature of the news in recent years, most recently with the confirmation by a US Federal judge the Carnegie Mellon University was commissioned by the US government to break Tor’s encryption. Now, a security researcher from Barcelona claims he has developed a proof-of-concept for a method to identify Tor users based on their mouse movements.

Jose Carlos Norte used several fingerprinting methods implemented in JavaScript – the programming language of the Web – to track mouse wheel movements; mouse speed, movement directions, distances, among others to uniquely identify each individual user.

“Every user moves the mouse in a unique way,” Norte told Motherboard. “If you can observe those movements in enough pages the user visits outside of Tor, you can create a unique fingerprint for that user. Then you can identify him inside of Tor, based on how he or she uses the mouse,” he said.


Lukasz Olejnik, a security researcher, told Motherboard that he finds Norte’s findings doubtful. According to him, to identify a user, a threat actor would need much more information than Norte’s method, which would include: angle of curvature, acceleration, curvature distance, and more. “[T]ime and mouse movements analysis are known in the research community to differentiate between devices/users, it still poses a challenge to use them effectively,” he said.

The Tor Project has yet to respond to requests for comment, but Motherboard reports that “it seems that its developers are looking into this issue, according to two official bug reports.”

In either case, it would be advisable to disable JavaScript for untrusted on the wider Web, and most definitely when using Tor, to avoid these tracking methods altogether.