Researchers from Israeli, French and Australian universities found a way to create unique fingerprints for persistent online tracking using people’s GPUs.
The extensive research, which involved 2,550 devices with 1,605 unique GPU configurations, showed that the researchers' GPU fingerprinting technique, named DrawnApart, could boost the median tracking duration by 67% compared with using current tracking methods alone.
Reportedly, a current state-of-the-art tracking algorithm could reach an average tracking duration of 17.5 days. Pairing it with DrawnApart, however, could extend the tracking time to 28 days.
Researchers decided to explore ways to create distinctive GPU-based fingerprints by relying on WebGL (Web Graphics Library), a cross-platform 3D graphics rendering API supported by all modern browsers. With WebGL’s assistance, DrawnApart can detect speed variations of individual Execution Units (EUs) in the GPU and uniquely identify a complete system.
The experiment was conducted on GPUs with operational temperature ranges between 26.4 °C and 37 °C and no voltage variations. Other variables such as system restarts, workload variations, runtime changes, and GPU payloads from other browser tabs didn’t affect the tracking system.
As part of their experiment, researchers tried replacing other hardware parts on the observed systems to see if their tracking system could still detect them, but fingerprinting apparently only works on GPUs.
“We believe that a similar method can also be found for the WebGPU API once it becomes generally available,” said one of the paper’s authors. “The effects of accelerated compute APIs on user privacy should be considered before they are enabled globally.”
Although impressive, the experiment could spell trouble for user privacy, considering that laws and regulations still focus on acquiring user consent to use website cookies. While cookie consent is not a bad idea to start with, it has piqued interest in other elements that can be fingerprinted, such as the OS, time zone, hardware configuration, language, screen resolution and browser user agent.
On the other hand, these pieces of data can change frequently, so they only provide a rough categorization of users instead of accurately pinpointing them.
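A toy model of the two points above, added here as an illustration and not taken from the DrawnApart paper or its code: software attributes drift and collide between identically configured machines, so a linker that relies on them loses track, while a stable hardware-derived signal keeps profiles apart and survives drift. The visit data, the `gpu` label, the drift thresholds and the scoring rule are all constructed assumptions.

```python
SOFT = ("ua", "screen", "tz")  # software attributes that drift over time

def visit(day, device, ua, screen, tz, gpu):
    return dict(day=day, device=device, ua=ua, screen=screen, tz=tz, gpu=gpu)

# Constructed data. "device" is ground truth, used only for scoring. "gpu" is a
# hypothetical stable label standing in for a hardware-derived signal.
# A and B are identically configured; C changes two attributes at once on day 18.
OLD, NEW = ("Browser/96", "1920x1080", "UTC+2"), ("Browser/97", "1920x1080", "UTC+2")
VISITS = [
    visit(0, "A", *OLD, "g1"), visit(1, "B", *OLD, "g2"),
    visit(10, "A", *OLD, "g1"), visit(11, "B", *OLD, "g2"),
    visit(20, "A", *NEW, "g1"), visit(21, "B", *NEW, "g2"),
    visit(30, "A", *NEW, "g1"), visit(29, "B", *NEW, "g2"),
    visit(0, "C", "Browser/95", "2560x1440", "UTC+0", "g3"),
    visit(9, "C", "Browser/95", "2560x1440", "UTC+0", "g3"),
    visit(18, "C", "Browser/97", "3840x2160", "UTC+0", "g3"),
    visit(27, "C", "Browser/97", "3840x2160", "UTC+0", "g3"),
]

def matches(last, v, use_gpu):
    drift = sum(last[k] != v[k] for k in SOFT)
    if use_gpu:  # stable signal disambiguates, so more drift can be tolerated
        return last["gpu"] == v["gpu"] and drift <= 2
    return drift <= 1

def link(visits, use_gpu):
    profiles = []  # each profile: {"last": most recent visit, "seen": [(day, device)]}
    for v in sorted(visits, key=lambda x: x["day"]):
        cands = [p for p in profiles if matches(p["last"], v, use_gpu)]
        if len(cands) == 1:          # unambiguous: extend the existing profile
            cands[0]["last"] = v
            cands[0]["seen"].append((v["day"], v["device"]))
        else:                        # no match or ambiguous: start a new profile
            profiles.append({"last": v, "seen": [(v["day"], v["device"])]})
    return profiles

def tracking_days(profiles):
    """Longest span per device, counting only profiles that contain one device."""
    out = {}
    for p in profiles:
        devices = {d for _, d in p["seen"]}
        days = [day for day, _ in p["seen"]]
        span = max(days) - min(days) if len(devices) == 1 else 0
        for d in devices:
            out[d] = max(out.get(d, 0), span)
    return out

if __name__ == "__main__":
    print("software attributes only:", tracking_days(link(VISITS, False)))
    print("plus stable GPU label:  ", tracking_days(link(VISITS, True)))
```

In this model, changing browser attributes only shortens tracking while the hardware signal is absent, which is why the researchers' call to consider accelerated compute APIs before enabling them globally matters more than attribute churn.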