Audio Fingerprinting: How the Web Audio API Tracks Your Device

What Is Audio Fingerprinting?

Audio fingerprinting is a browser tracking technique that generates a unique identifier from the way your device processes audio signals. It uses the Web Audio API — a legitimate browser feature designed for music applications, games, and audio effects — to create a short audio signal, process it through your device's audio stack, and measure the resulting output. Because different hardware and software configurations process audio slightly differently, the output is unique to your device. For the strategic overview of where audio fingerprinting fits in the broader picture, see our complete browser fingerprinting guide.

Like canvas and WebGL fingerprinting, audio fingerprinting requires no storage on your device and is unaffected by cookie deletion, private browsing mode, or VPN usage. It identifies your hardware and software configuration rather than tracking stored identifiers.

How Audio Fingerprinting Works

The audio fingerprinting process involves several technical steps that happen invisibly in the browser within milliseconds.

First, a script creates an AudioContext — the core Web Audio API object that manages audio processing. It then creates an OscillatorNode, which generates a simple audio signal (a sine wave or similar waveform). This signal is routed through an AnalyserNode, which measures frequency and time-domain data. Crucially, the audio is routed to an output with zero gain — meaning it produces no audible sound. The entire operation is silent.

The AnalyserNode captures the audio data as a Float32Array — a series of floating-point numbers representing the audio signal. These numbers are then mathematically processed (typically summed or hashed) to produce a fingerprint value. Because different devices' audio hardware and drivers introduce subtly different rounding errors, digital signal processing characteristics, and noise characteristics, the resulting floating-point values differ between devices.

The final fingerprint is a hash derived from these values. It is consistent across sessions on the same device but differs between devices with different audio processing characteristics. For the technical mechanics of how this fits with other tracking layers, see our browser fingerprinting explainer.

What Makes Audio Fingerprints Unique

The variation exploited by audio fingerprinting comes from two main sources. The first is hardware differences: audio chips from different manufacturers process signals differently, and even the same chip model may behave differently depending on firmware version and driver implementation. The second source is software differences: the operating system's audio processing pipeline introduces its own characteristics, including resampling algorithms, equalization settings, and sample rate conversions.

The combination of audio hardware and audio software creates a signal processing signature that is highly stable over time. A device's audio fingerprint changes only when audio hardware is replaced, audio drivers are updated, or significant operating system changes alter the audio processing pipeline.

Research on audio fingerprinting has demonstrated that it can distinguish between devices even when those devices have identical hardware specifications, because driver version differences and operating system configurations create distinguishable audio processing signatures.

The AudioContext Hash: What SpeedIQ Detects

SpeedIQ's audio fingerprint tool runs the standard AudioContext fingerprinting test and reports the resulting hash value. The hash is a unique number derived from the audio processing characteristics of your specific device.

If your browser blocks AudioContext access or the audio processing returns null data, the tool reports that the AudioContext was blocked by the browser — which itself is a fingerprinting signal, since very few users have AudioContext blocked.

A high hash value with decimal precision indicates that your device's audio processing is producing distinctive floating-point output that differs from other devices. A round number or simple value may indicate that your browser is applying fingerprinting resistance measures that standardize the audio output.

Audio Fingerprinting in the Wild

Audio fingerprinting is deployed across major commercial websites, advertising networks, and analytics platforms. It gained significant attention after researchers documented its use by several large ad networks as a cookie-replacement mechanism. Unlike cookies, audio fingerprints work across browsers on the same device, persist through browser updates, and cannot be deleted by users.

A particularly concerning use case is device linking: if you browse a website on Chrome and later visit it on Firefox, audio fingerprinting can recognize that both sessions came from the same device — even if you used different accounts or VPNs. This cross-browser tracking capability is extremely valuable to advertising networks and difficult for users to prevent.

How to Protect Against Audio Fingerprinting

Firefox with the privacy.resistFingerprinting setting enabled returns a constant audio output value regardless of the device's actual audio characteristics. This prevents audio fingerprinting by making all Firefox users appear identical from the audio perspective. The trade-off is that some web audio applications may behave differently when they receive standardized values.

The Tor Browser applies audio fingerprinting resistance by default, returning standardized audio values. Tor Browser is the strongest protection against all fingerprinting techniques, though it comes with performance and usability trade-offs that make it unsuitable for general everyday browsing.

Browser extensions like CanvasBlocker for Firefox can block or randomize AudioContext output. Randomization is generally preferable to blocking because it prevents the "AudioContext blocked" signal from being used as a fingerprint in itself.

Disabling JavaScript entirely would prevent audio fingerprinting but would also break the vast majority of modern websites. This is not a practical approach for general browsing.

Why Audio Adds Disproportionate Value to Composite Fingerprints

Audio fingerprinting contributes only 3–5 bits of entropy on its own — modest compared to canvas (7–10 bits) or WebGL (5–8 bits). But its strategic value is greater than the entropy suggests, for three reasons that make it a staple of commercial fingerprinting libraries.

First, audio is exceptionally stable. Most users update their GPU drivers more often than their audio drivers. Canvas fingerprints can shift when a Chrome update changes anti-aliasing behaviour; WebGL fingerprints shift when a graphics driver updates. Audio fingerprints typically remain identical for years, which makes them ideal for long-term re-identification across sessions separated by months.

Second, audio is rarely defended against. Privacy-focused users who block canvas, disable WebGL, and randomise font lists often leave AudioContext untouched because the threat is less well-known. A fingerprint built primarily on audio can therefore re-identify users who think they have protected themselves with browser extensions that don't cover the Web Audio API.

Third, audio is cross-browser. The same audio hardware and OS audio stack produce the same fingerprint whether you're running Chrome, Firefox, or Edge. This makes audio fingerprinting one of the few techniques that can link browser sessions across different browsers on the same device — exactly the kind of cross-browser tracking that advertising networks value most. Combined with TLS fingerprinting, HTTP header fingerprinting, and canvas fingerprinting, audio provides the redundancy that lets composite fingerprints survive when individual components fail.

The defense implication: addressing audio fingerprinting matters even though no single signal it produces is dramatic. Firefox's resistFingerprinting setting (which standardises audio output across all users with the setting enabled) is the simplest meaningful defense; the Tor Browser is the strongest. Both produce identical audio fingerprints for all users running them, effectively removing audio as an identification axis.

Frequently Asked Questions

Can I hear the audio used for fingerprinting?

No. Audio fingerprinting uses a gain node set to zero, meaning no sound is produced. The audio signal is generated, processed, and analyzed entirely within the browser's audio processing pipeline without being routed to your speakers or headphones. The entire process is completely silent.

Does audio fingerprinting require microphone access?

No. Audio fingerprinting uses the Web Audio API to generate and analyze audio internally. It does not access your microphone, speakers, or any external audio input. No browser permission prompt appears because no external audio hardware is accessed.

Does using headphones change my audio fingerprint?

Potentially yes, depending on how your operating system routes audio. If connecting headphones changes the active audio device and driver, it may alter the audio processing characteristics and produce a different fingerprint. However, the base audio fingerprint from your primary audio hardware is typically stable regardless of output device.

Is audio fingerprinting more or less accurate than canvas fingerprinting?

Audio fingerprinting is generally considered slightly less accurate than canvas fingerprinting in terms of uniqueness, but significantly more stable over time. Canvas fingerprints can change with browser updates that alter rendering; audio fingerprints change only with hardware or driver changes. Together, canvas and audio fingerprinting provide complementary coverage.

Does a VPN protect against audio fingerprinting?

No. A VPN changes your IP address but has no effect on your audio hardware or the Web Audio API output your browser generates. Audio fingerprinting happens entirely within your browser. For more on what a VPN does and does not hide, see our VPN speed test guide.