University researches into possibilities of web tracking through GPU fingerprints
French, Israeli, and Australian university researchers are exploring online tracking using consumers' graphics cards to construct distinctive fingerprints and use them for constant online monitoring. The question is, "at what cost to our privacy?"
DrawnApart tracking system may start using WebGL to track users through their onboard graphics card
Researchers executed an extensive experiment involving up to 2,550 devices, with a total of 1,605 different CPU formats, to demonstrate their technique, oddly called 'DrawnApart,' which boosts the median tracking period to 67% in comparison to existing next-gen processes.
With user privacy being the most prominent concern, some websites already collect information by unscrupulous means, such as managing hardware configurations, operating systems, screen resolutions, timezones, language, type fonts, and much more. Privacy on the Internet is currently protected by several laws focusing on obtaining consent to trigger website cookies.
This new approach by the foreign universities' recent study is relatively limited. This is due to graphics processors' factors that constantly change, even at stable levels, and can only give a slight categorization than a complete fingerprint of the users. The process is still crossing unethical territories.
Researchers plan to use the users' graphics card with the assistance of the Web Graphics Library, or WebGL. WebGL is an API used on several platforms to render 3D graphics to the users' browsers. The technology is present on all current web browsers available.
DrawnApart will then access the WebGL, tabulate the current value and speed of execution units on the graphics processor, estimate the amount of time required to conduct vertex renders control stall functions, along with other tasks.
DrawnApart uses short GLSL programs executed by the target GPU as part of the vertex shader to overcome the challenge of having random execution units handling the computations. Hence, the workload allocation is predictable and standardized.
— Bill Toulas, Bleeping Computer
The research team produced an on-screen estimation method that processes a minuscule amount of "computationally intensive operations, and offer an offscreen technique that causes the graphics processing unit to process several longer but less strenuous tests. The procedure creates traces that consist of 176 different measurements accessed and up to 16 points that combine to make the user's specific digital fingerprint. However, a user will notice a difference in performance and timing of their graphics card about their other devices.
Researchers also attempted to swap different computer hardware devices to evaluate if the unique traces remained noticeable. They found that the user's digital fingerprint relied solely on the graphics unit.
Toulas notes that no matter if the integrated circuits are designed and manufactured through an identical building process, the individual course will vary from standard variables. So, even if the distinctions are not recognized during normal usage, the information gathered will become helpful for tracking systems such as DrawnApart, which is created to activate functional aspects and utilize them. In fact, in tandem with next-gen tracking formulas, DrawnApart's median tracking time of a specific user will increase as much as 67 percent.
The researchers' testing conditions showed little effect on the GPU operational temperature range, maintaining between 26.4 °C and 37 °C, with no voltage deviations. Workload divergences, GPU payloads from other web browser tabs, repeated system restarts, and other runtime modifications do not affect the DrawnApart tracking formula.
The next-gen graphics card APIs are currently in production, such as WebGPU, which offers compute shaders that complement the existing graphics channel. The new APIs may introduce additional techniques to fingerprint users online more accurately and efficiently than we have seen before.
The universities' researchers tested compute shaders in the now-defunct WebGL 2.0, finding that DrawnApart produced 98% classification accuracy in a staggering 150 milliseconds. The technique is much more efficient than the original eight seconds to create the fingerprinting data through the original WebGL API.
We believe that a similar method can also be found for the WebGPU API once it becomes generally available. The effects of accelerated compute APIs on user privacy should be considered before they are enabled globally.
— a selection from the research study, "DRAWNAPART: A Device Identification Technique
based on Remote GPU Fingerprinting"
Conceivable countermeasures to this fingerprinting approach include parallel execution prevention, attribute value changes, API and script blocking, and time measurement prevention.
The original developer of the WebGL API, Khronos Group, has welcomed the researchers' disclosure on the new system and created a technical study group to examine possible resolutions with browser companies and several other potential stakeholders.