Researchers have discovered a new method of tracking users on the internet by using a computer’s graphics processing unit (GPU).
A device fingerprint or machine fingerprint is information that is collected about the hardware, installed software, as well as the web browser and its associated add-ons from a remote computing device for the purpose of unique identification.
Fingerprints are a double-edged sword. A fingerprint algorithm can be used by a bank or service provider to prevent credit card fraud and identity theft. It can also be misused to collect long-term information about individual browsing activities for targeted advertising.
Browser fingerprinting, in a similar vein, primarily relies on stitching together key pieces of information gleaned from the browser to create the fingerprint. These attributes include the browser’s OS version, screen resolution and timezone, as well as the list of fonts and how the browser displays text.
But browser fingerprints also suffer from one major drawback in that they can evolve over time, making it harder to track users for extended periods. That’s where DrawnApart comes in.
It is not only the first mechanism of its kind to explore and weaponize the manufacturing differences between identical GPUs, but also the first to reliably use the approach to distinguish between machines with identical hardware and software configurations, effectively undermining users’ privacy.
At its core, the proposed tracking system involves measuring the time required to render different graphics primitives using the WebGL API, each targeting different execution units that comprise a GPU, to create a fingerprint trace that’s then fed into a deep learning network to uniquely identify the specific device that generated it.
In an evaluation setup comprising 88 devices, including Windows 10 desktops, Apple Mac mini devices, and multiple generations of Samsung Galaxy smartphones, the researchers found that when used in conjunction with state-of-the-art fingerprint linking algorithms like FP-STALKER, DrawnApart extended the median average tracking period from 17.5 days to 28 days.
Countermeasures to block the GPU fingerprinting method range from script blocking to disabling WebGL, and limiting each web page to a single execution unit, or even turning off hardware-accelerated rendering — a move the researchers warn could severely affect usability and responsiveness.
Furthermore, the ongoing development of the WebGPU standard — currently available in canary releases of Google Chrome and Mozilla Firefox — is expected to drastically reduce the time taken to collect the fingerprint, prompting the academics to conclude that the “effects of accelerated compute APIs on user privacy should be considered before they are enabled globally.”
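One of the countermeasures named above, disabling WebGL, sketched as a page-level shim that makes WebGL context requests fail while leaving 2D canvas use intact. This is an added example, not code from the DrawnApart researchers; disableWebGL, FakeCanvas and demo are hypothetical names, and FakeCanvas is a constructed stand-in so the shim can be exercised outside a browser.

```javascript
// Context names that browsers accept for WebGL.
const WEBGL_CONTEXT_IDS = new Set(["webgl", "experimental-webgl", "webgl2"]);

// Wrap getContext on a canvas prototype so WebGL requests return null,
// the value a browser returns when the context type is unavailable.
// Other context types pass through. Returns the log of blocked requests.
function disableWebGL(canvasProto) {
  // Idempotent: if the prototype is already wrapped, reuse its log.
  if (canvasProto.getContext.blockedLog) return canvasProto.getContext.blockedLog;
  const original = canvasProto.getContext;
  const blockedLog = [];
  const wrapper = function getContext(type, ...rest) {
    // Lower-casing is deliberately conservative: it blocks more, never less.
    const id = String(type).toLowerCase();
    if (WEBGL_CONTEXT_IDS.has(id)) {
      blockedLog.push(id); // keep a record of which pages asked for WebGL
      return null;
    }
    return original.call(this, type, ...rest);
  };
  wrapper.blockedLog = blockedLog;
  canvasProto.getContext = wrapper;
  return blockedLog;
}

// In a browser, cover both canvas types; outside a browser this is a no-op.
for (const name of ["HTMLCanvasElement", "OffscreenCanvas"]) {
  const ctor = globalThis[name];
  if (ctor) disableWebGL(ctor.prototype);
}

// Constructed stand-in for a canvas element (assumption, for offline testing).
class FakeCanvas {
  getContext(type) { return { kind: type, canvas: this }; }
}

// Exercise the shim: WebGL requests fail, the 2D request still succeeds.
function demo() {
  const log = disableWebGL(FakeCanvas.prototype);
  const canvas = new FakeCanvas();
  return {
    webgl: canvas.getContext("webgl"),
    webgl2: canvas.getContext("webgl2", { antialias: false }),
    twoD: canvas.getContext("2d").kind,
    blocked: log.slice(),
  };
}
```

A shim like this only covers the script context it is installed in; workers and frames have their own globals, so a browser-level setting that turns WebGL off is the stronger form of the same countermeasure.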