A Barcelona-based security researcher has developed a proof-of-concept that he claims can identify Tor users based how they move their mice.

Researcher Jose Carlos Norte has developed a series of fingerprinting methods based on JavaScript that measure time, mouse wheel movements, mouse speed movements, CPU benchmarks and getClientRects, according to a 6 March post on the researcher's site.

Norte said if a website is able to generate a unique fingerprint that identifies each user that enters the page then it is possible to track a user's activity and correlate visits with that user.

“Every user moves the mouse in a unique way,” Norte told Vice's Motherboard in an online chat. “If you can observe those movements in enough pages the user visits outside of Tor, you can create a unique fingerprint for that user,” he said. Norte recommended users disable JavaScript to avoid being fingerprinted.

Security researcher Lukasz Olejnik told Motherboard he doubted Norte's findings and said a threat actor would need much more information, such as acceleration, angle of curvature, curvature distance, and other data, to uniquely fingerprint a user.

SCMagazine.com attempted to contact the Tor Project for comment, but it has yet to respond. However, it appears that developers are looking into the issue based on two official bug reports that mention Norte's exploits.