JavaScript can turn a computer’s drive rhythm into a new tracking signal
- Ars Technica says telltale SSD activity can be measured in the browser with simple JavaScript.
- The risk is privacy-focused: a website may get a device-behavior signal without a classic cookie or installed software.
- The technique could push changes in browser protections, measurement limits, and anti-fingerprinting rules.
For web security, that matters because the browser is supposed to be a hard boundary. A site may run scripts, render content, store limited data, and talk to approved APIs. It should not get a messy side channel into what is happening underneath. If timing and performance measurements can expose traces of SSD activity, then the web environment has another fingerprinting surface: not a user’s name, but a behavioral trace of the machine.
The technical detail that makes the story important is the ordinariness of the tool. JavaScript is the standard language of the web, not a suspicious add-on. Browser makers therefore have to keep balancing useful capability, performance, and abuse resistance. Any measurement channel that is precise enough can become a sensor, even when it was not designed as one.
Ars Technica describes a new privacy technique where ordinary JavaScript measures SSD activity signals from inside the browser.
The boundary should be stated clearly: the reporting does not show that a website can read files, copy a disk, or inspect SSD contents. The problem is different and more subtle. Activity signals can help distinguish devices, infer behavior patterns, or connect sessions without relying on the most visible tracking techniques. That is the logic of fingerprinting: enough small traces, combined together, can become identity.
That makes the issue more important for browser vendors than for an average user looking for a single settings toggle. Defenses against this kind of attack often involve coarser timers, stronger resource isolation, limits on performance observation, and tighter control over APIs that reveal local system state. MDN’s Web Storage API documentation shows how deeply the web is already tied to local storage behavior, while the WHATWG Storage Standard is a reminder that even normal web functions sit inside a security model.
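The coarser-timer defense mentioned above, modeled as an added example (it is not code from Ars Technica or from the research it covers): two constructed sets of operation latencies, hypothetically labelled storage idle and storage busy, are read through a 5 µs clock and through a 1 ms clock. All values and function names are assumptions made for illustration.

```javascript
// Added illustration. All numbers are constructed sample data in integer
// microseconds, not measurements from any real drive or browser.

// What a clock clamped to `resUs` reports for true time `tUs`.
function coarsen(tUs, resUs) {
  return Math.floor(tUs / resUs) * resUs;
}

// Duration a script observes when both clock reads are clamped.
function observed(startUs, durUs, resUs) {
  return coarsen(startUs + durUs, resUs) - coarsen(startUs, resUs);
}

const STARTS = [10200, 20400, 30600, 40950, 50300, 60500]; // constructed
const QUIET = [110, 120, 115, 125, 118, 112]; // hypothetical: storage idle
const BUSY = [310, 290, 305, 320, 300, 315];  // hypothetical: storage active

const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;

// Accuracy of a midpoint-threshold guess ("busy" if above the midpoint of
// the two class means). 0.5 is chance: the two states look the same.
function distinguishability(resUs) {
  const q = QUIET.map((d, i) => observed(STARTS[i], d, resUs));
  const b = BUSY.map((d, i) => observed(STARTS[i], d, resUs));
  const threshold = (mean(q) + mean(b)) / 2;
  const correct =
    q.filter((v) => v <= threshold).length +
    b.filter((v) => v > threshold).length;
  return correct / (q.length + b.length);
}

console.log("5 us clock:", distinguishability(5));
console.log("1 ms clock:", distinguishability(1000));
```

With the fine clock every reading lands on the correct side of the threshold; with the coarse clock both classes produce the same readings, including the one start time that straddles a clock tick.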
The regulatory angle is not decorative either. If tracking moves from visible identifiers to measurable physical or performance traces of a device, consent and transparency rules lag behind practice. Privacy Sandbox documentation already shows how hard the industry finds it to replace older advertising mechanisms without opening new tracking channels. A browser-visible SSD side channel fits that tension exactly: the web wants to be fast and capable, but every precise detail about the local system can become evidence that the user has been recognized again.

