High-frequency audio could be used to stealthily track netizens

Technical folks looking to improve web privacy haven't been able to decide whether sound beyond the range of human hearing poses enough of a privacy risk to merit restriction.

People can generally hear audio frequencies ranging from 20 Hz to 20,000 Hz, though individual hearing ranges vary. Audio frequencies below and above the threshold of human hearing are known as infrasound and ultrasound, respectively.

[...] A warning from America's trade watchdog, the FTC, in 2016, and research published the following year identifying 234 Android apps listening covertly for ultrasound beacons, helped discourage inaudible tracking.

Several of the companies called out for these privacy-invading practices, such as SilverPush, have moved on to other sorts of services. But it remains possible to craft code that communicates silently with mobile devices through inaudible sound, both in native apps and in web apps. Computer security researchers continue to find novel ways to use inaudible audio for data exfiltration. And ultrasound is still used for legitimate operations – Google's Cast app, for example, relies on an ultrasonic token when pairing with a nearby Chromecast.

[...] Weiler raised the subject three weeks ago – one element in a larger debate about reducing the fingerprinting surface of the Web Audio API. And last week, the discussion thread was closed by Raymond Toy, a Google software engineer and co-chair of the W3C's Audio Working Group.

Toy argued that if a developer is allowed to use a specific audio sampling rate, no additional permission should be required – few users enjoy dealing with permission prompts, after all. And other web developers participating in the debate expressed concern that limiting available frequency ranges could introduce phase shifting or latency and that there's no sensible lower or upper threshold suitable for everyone.
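
Added example, not from the article or the W3C thread: a JavaScript check that scans a block of PCM samples for tones between the 20,000 Hz hearing limit mentioned above and the Nyquist limit of the stream, which shows how the sampling rate bounds what inaudible content audio can carry. The function names, probe step, threshold and test signals are constructed for illustration.

```javascript
// Added example (not from the article): flag energy above the audible range.
const AUDIBLE_MAX_HZ = 20000; // upper hearing limit quoted in the article

// Highest frequency a stream at this sample rate can represent (Nyquist).
const nyquistHz = (sampleRate) => sampleRate / 2;

// Goertzel algorithm: spectral power at one frequency, no full FFT needed.
function goertzelPower(samples, sampleRate, freqHz) {
  const coeff = 2 * Math.cos((2 * Math.PI * freqHz) / sampleRate);
  let s1 = 0, s2 = 0;
  for (const x of samples) {
    const s0 = x + coeff * s1 - s2;
    s2 = s1;
    s1 = s0;
  }
  // Clamp: rounding can push a near-zero power slightly negative.
  return Math.max(0, s1 * s1 + s2 * s2 - coeff * s1 * s2);
}

// Probe from the audible limit up to Nyquist and report the strongest tone.
// stepHz and threshold are assumed tuning values, not taken from the article.
function scanUltrasound(samples, sampleRate, stepHz = 250, threshold = 0.01) {
  let peak = { freqHz: null, amplitude: 0 };
  for (let f = AUDIBLE_MAX_HZ; f < nyquistHz(sampleRate); f += stepHz) {
    // A sine of amplitude A over n samples yields power (A * n / 2)^2.
    const power = goertzelPower(samples, sampleRate, f);
    const amplitude = (2 * Math.sqrt(power)) / samples.length;
    if (amplitude > peak.amplitude) peak = { freqHz: f, amplitude };
  }
  return { ...peak, flagged: peak.amplitude >= threshold };
}

// Constructed test signal: sum of sine components [{ freqHz, amplitude }].
function makeSignal(sampleRate, n, components) {
  return Float64Array.from({ length: n }, (_, i) =>
    components.reduce((sum, c) =>
      sum + c.amplitude * Math.sin((2 * Math.PI * c.freqHz * i) / sampleRate), 0));
}

// 0.1 s at 48 kHz: a loud audible 440 Hz tone plus a faint 21 kHz tone.
const mixed = makeSignal(48000, 4800, [
  { freqHz: 440, amplitude: 0.5 }, { freqHz: 21000, amplitude: 0.05 }]);
console.log(scanUltrasound(mixed, 48000));
// Same audible tone at 32 kHz: Nyquist is 16 kHz, so nothing above 20 kHz fits.
const narrow = makeSignal(32000, 3200, [{ freqHz: 440, amplitude: 0.5 }]);
console.log(scanUltrasound(narrow, 32000));
```

The probe frequencies here fall on exact bins of the 0.1 s window; on live audio, apply a window function and a threshold tuned to the noise floor of the capture path.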