Dennis Hackethal’s Blog

My blog about philosophy, coding, and anything else that interests me.

Your audio devices might divulge your private information. Here’s how to protect yourself.

Websites can track you based on your audio devices. Depending on the names of your devices, you may also be making yourself more easily identifiable to websites.

Say your name is John Appleseed, so you name your AirPods ‘John Appleseed’s AirPods’. If you have given a website permission to use your microphone and you have your AirPods connected, the website now knows your full name. I noticed this while using a site earlier today. Once I had connected my AirPods, it displayed their name back to me.

Apple’s naming convention is ‘-first name-’s AirPods’. That’s what they’re named automatically when you first set them up. It’s better than the full name, but you may not want websites to know your first name, either. If you have a common name, divulging it may not seem like an issue, but it still narrows down considerably which of a website’s visitors you could be.

To be sure, not every website will have access to the names of your audio devices – only those websites you give permission to use your microphone. But just because you let a website use your microphone does not mean you want it to know who you are, let alone track you.

Here’s the proof. It only takes a single line of code for a website to list the names of all your audio devices once you’ve granted access to your microphone. Don’t worry if you don’t understand the code; just focus on the second line, which lists the names:

(await navigator.mediaDevices.enumerateDevices()).map(device => device.label)
// => ["Default - John Appleseed's AirPods (Bluetooth)",
//     "John Appleseed's AirPods (Bluetooth)",
//     "Internal Microphone (Built-in)",
//     ...]

Worse, each audio device has a unique device ID. That means changing the names of your devices isn’t enough. Even the IDs of internal audio devices can be read, such as your laptop’s built-in speakers. That sucks because you can’t remove them like you could AirPods or other Bluetooth headphones/speakers.

The MDN Web Docs, a widely used ‘authority’ on documenting all things web, say the following about device IDs:

[The device ID] is an identifier for the represented device that is persisted across sessions. It is un-guessable by other applications and unique to the origin of the calling application. It is reset when the user clears cookies (for Private Browsing, a different identifier is used that is not persisted across sessions).

Let’s go through it step by step. First, the fact that device IDs are “persisted across sessions” means, roughly speaking, that refreshing the page or even restarting the browser won’t change them. Second, un-guessability by other applications means you cannot be tracked across the web. However, and third, the uniqueness of each ID coupled with its persistent nature makes you trackable on the same website. Fourth, it is claimed that clearing cookies resets the IDs. I tried it on a site that did not set any cookies to begin with, then cleared all site data, including cookies for good measure. It did not change the device IDs; I remained completely trackable. (I’m currently running Chrome version 100.0.4896.127.) Maybe it works on sites that do set cookies, I don’t know. But users shouldn’t have to know or care. I have also tried renaming and resetting my AirPods, as well as restarting my computer, none of which changed their ID, either.

Interestingly, there is a warning further down the quoted page:

Note: For security reasons, the label field is always blank [as is the deviceId field] unless an active media stream exists or the user has granted persistent permission for media device access. The set of device labels could otherwise be used as part of a fingerprinting mechanism to identify a user.

Fingerprinting is a tracking mechanism. What the note fails to mention is that once you do give access, the website can track you. We have also established that device IDs do not change for the same site (at least currently, in Chrome), making tracking even easier. That means renaming your devices won’t help (and built-in devices can’t be renamed anyway).

How to protect yourself?

Follow these steps (at your own risk):

  1. For your external audio devices, use generic, non-unique names that anyone might use. Do not include any personally identifiable information. ‘My Headphones’ is a good example of a generic name. Here’s a guide on how to rename AirPods; it should work for other Bluetooth headphones/speakers, too.
  2. Grant websites access to your microphone sparingly.
  3. Remove access to your microphone after you’re done using it. In Chrome, you can do so under Settings > Site Settings > Permissions > Microphone. Under ‘Allowed to use your microphone’, click on the trash icon next to the applicable site. But be advised that, as long as clearing cookies doesn’t make a difference and you haven’t cleared your cookies, each device ID will be the same next time you grant access to the same site, meaning the site may recognize you as the same user.
  4. Clear your cookies after using the microphone. That’s assuming that clearing cookies will change device IDs in the future. Alternatively, use private browsing (also known as incognito browsing), making sure to close all private windows from time to time.
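
A way to check steps 1 and 4 for yourself, as an added example that is not part of the original post: it flags device labels that still appear to contain a name and compares two snapshots to show which device IDs a site would still recognize. The function names, the possessive-name heuristic and the sample data are assumptions made for illustration; the ignored alias IDs reflect how Chrome reports the system default devices.

```javascript
// Added self-audit helpers (not from the original post). Run in the DevTools
// console of a site you have granted microphone access.

// Heuristic (assumption): capitalised words followed by a possessive 's,
// e.g. "John Appleseed's AirPods", usually carry the owner's name.
const POSSESSIVE = /(\p{Lu}\p{L}+(?: \p{Lu}\p{L}+)*)['’]s\b/u;

// Chrome reports the system default devices under shared alias IDs, which
// are not unique and so are ignored when comparing snapshots.
const ALIAS_IDS = new Set(['', 'default', 'communications']);

// Plain-object copy of what the page can see. JSON.stringify it and keep the
// text outside the browser, since clearing site data wipes page storage.
async function snapshot() {
  const devices = await navigator.mediaDevices.enumerateDevices();
  return devices.map(({ kind, label, deviceId }) => ({ kind, label, deviceId }));
}

// Step 1 check: labels that appear to contain a personal name.
function namedLabels(devices) {
  return devices.flatMap(({ kind, label }) => {
    const m = POSSESSIVE.exec(label || '');
    return m ? [{ kind, label, name: m[1] }] : [];
  });
}

// Step 4 check: devices whose ID is identical in both snapshots, i.e. still
// recognisable to the site after renaming, clearing cookies or restarting.
function persistedIds(before, after) {
  const seen = new Set(before.map(d => d.deviceId).filter(id => !ALIAS_IDS.has(id)));
  return after.filter(d => seen.has(d.deviceId));
}

// Constructed sample data: the same devices before and after a rename.
const SAMPLE_BEFORE = [
  { kind: 'audioinput', label: "Default - John Appleseed's AirPods (Bluetooth)", deviceId: 'default' },
  { kind: 'audioinput', label: "John Appleseed's AirPods (Bluetooth)", deviceId: 'a1b2-constructed' },
  { kind: 'audioinput', label: 'Internal Microphone (Built-in)', deviceId: 'c3d4-constructed' },
];
const SAMPLE_AFTER = [
  { kind: 'audioinput', label: 'Default - My Headphones (Bluetooth)', deviceId: 'default' },
  { kind: 'audioinput', label: 'My Headphones (Bluetooth)', deviceId: 'a1b2-constructed' },
  { kind: 'audioinput', label: 'Internal Microphone (Built-in)', deviceId: 'c3d4-constructed' },
];
```

In the browser, take one `await snapshot()` before and one after a change, then pass both to `persistedIds`; an empty result means the site can no longer match your devices by ID.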

While we’re talking about buggy browsers, I should mention that Safari (version 15.4 (17613.1.17.1.13)) lists not only the name of my laptop’s built-in camera, but also its device ID, even if I only grant access to the microphone.

Everything I’ve written in this article presumably applies to non-built-in cameras, too, and maybe even other kinds of devices. I have no such devices to test, hence my focus on audio, but I suggest you follow the above steps as much as possible for any external devices you may have.

