Protecting the privacy of your data is an increasingly complicated task. Just as better tools appear to prevent online tracking, more and more sophisticated methods are also being developed to obtain identifiable information and build a fingerprint of our activity on the web. That is what fingerprinting is about, after all. The peculiar thing about this story is that people can be tracked on the internet through small differences in the GPUs of their devices.
According to BleepingComputer, the work comes from a group of researchers at universities in Australia, Israel and France. They have created a technique, DrawnApart, that can not only identify computers and mobile phones through their graphics hardware; it also increases the average tracking duration by up to 67% compared to existing online tracking methods.
An interesting point that emerges from the research is that 2,550 devices and 1,605 different CPU configurations were used. This makes clear that fingerprinting through the GPU is very harmful to people's privacy. It is certainly not a simple procedure; however, the very fact that any individual can be tracked online based on information from the graphics processing unit of their preferred device is highly concerning.
According to the same outlet, the researchers relied on WebGL to achieve fingerprinting through the GPU. As this API, which is used to render 2D and 3D graphics, is cross-platform and compatible with all current web browsers, it was the ideal route to building a fingerprint of each device's internet activity.
Creating a device’s GPU-based fingerprint
DrawnApart is an online tracking method that can extract highly specific information from a GPU and turn it into an identifiable profile. Among the data collected are "the number of execution units of the graphics processing unit, and the measurement of the time necessary to complete the rendering of vertices", among others, BleepingComputer explains.
Two methods were developed, one on-screen and one off-screen, which subject the GPU to more or less intensive operations to produce the fingerprint. The report mentions 176 measurements taken at 16 different points, which allow the fingerprint to be created even when other pieces of hardware in the device have changed.
This means that no matter how minute the differences between one GPU and another, DrawnApart is able to surface them for identification. It does not matter that they are of the same brand, or that they are installed in identical devices. Among the equipment used for the tests were computers with Intel i5 processors and different graphics configurations, Mac Minis with the M1 chip and Android smartphones from the Samsung Galaxy S line.
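To see why tiny per-unit differences are enough, the following added example (not code from the researchers or from BleepingComputer) simulates the idea in JavaScript: each simulated unit of the same model gets a small fixed timing offset at each of 176 measurement points, and a nearest-centroid matcher re-identifies fresh traces. The timings, noise levels, matcher and timer-resolution parameter are all assumptions chosen for illustration; no GPU is measured.

```javascript
// Simulation only: every timing below is constructed; no GPU or WebGL is touched.
const POINTS = 176; // measurements per trace, the count the article cites
function mulberry32(a) { // small seeded PRNG so each run is reproducible
  return () => {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
// Zero-mean Gaussian sample with standard deviation sd (Box-Muller).
const gauss = (rnd, sd) =>
  sd * Math.sqrt(-2 * Math.log(1 - rnd())) * Math.cos(2 * Math.PI * rnd());
// One trace in microseconds: per-point base cost shared by the model, a fixed
// per-unit offset, run-to-run noise, then rounding to the timer resolution.
function trace(base, unit, rnd, resolution) {
  return base.map((b, i) =>
    Math.round((b + unit[i] + gauss(rnd, 5)) / resolution) * resolution);
}
function mean(traces) {
  return traces[0].map((_, i) =>
    traces.reduce((s, t) => s + t[i], 0) / traces.length);
}
function nearest(centroids, x) { // index of the closest enrolled profile
  let best = 0, bestD = Infinity;
  centroids.forEach((c, k) => {
    const d = c.reduce((s, v, i) => s + (v - x[i]) ** 2, 0);
    if (d < bestD) { bestD = d; best = k; }
  });
  return best;
}
// Share of fresh traces matched to the right unit among same-model devices.
function reidentificationRate(resolution, nUnits = 8, seed = 1) {
  const rnd = mulberry32(seed);
  const base = Array.from({ length: POINTS }, () => 500 + 2500 * rnd());
  const units = Array.from({ length: nUnits }, () =>
    Array.from({ length: POINTS }, () => gauss(rnd, 3)));
  const sample = (u, n) =>
    Array.from({ length: n }, () => trace(base, u, rnd, resolution));
  const centroids = units.map(u => mean(sample(u, 10))); // 10 enrolment traces
  let hits = 0;
  units.forEach((u, k) => sample(u, 50).forEach(x => {
    if (nearest(centroids, x) === k) hits++;
  }));
  return hits / (nUnits * 50);
}
console.log('1 us timer resolution:', reidentificationRate(1));
console.log('1 ms timer resolution:', reidentificationRate(1000));
```

With these constructed numbers, matching is near-perfect at the fine resolution even though each offset is smaller than the run-to-run noise, and it degrades once the simulated timer is too coarse to register the offsets.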
Fingerprinting methods are increasingly sophisticated
Fingerprinting is not new, but it is striking how new methods keep being developed to track people's online activity. In the mobile realm, let's remember that Apple introduced a long-awaited measure called App Tracking Transparency in iOS 14.5; it allows you to block online tracking by apps, but that hasn't stopped developers from adopting ever more stealthy techniques to create a fingerprint of each device.
Thus, for example, it has been detected that some have managed to get around these limits to collect very specific information from iPhones. At first it seems like harmless data, but by connecting the dots it is possible to put together a picture of the smartphone and the person who uses it. We are talking about the name of the device, the country in which it is registered, the telephone company used, the available battery level, the total storage space and how much of it is free, and even the language configured on the keyboard, among many others.
But if we go back to DrawnApart, the researchers say that fingerprinting via the GPU can drastically extend the online tracking period. Specifically, an algorithm can track a device for just over 17 days on average; but when the fingerprint generated from the graphics processing unit is added, it can reach 28 days. In this way, someone who combines the techniques obtains reliable information for practically a month. This is more than enough time to build a profile of our activity on the web with a frequently used device.
But this is not all. Although DrawnApart has been tested under essentially ideal temperature and voltage conditions, the method was not affected by other variations. This means that changes in workload or system reboots are not an issue.
WebGPU could suffer from the same problem
As we mentioned earlier, the creators of DrawnApart have relied on WebGL for their GPU fingerprinting system. However, they consider that the problem would also exist in WebGPU, the future API for high-performance 3D graphics on the web. “The effects of accelerated computing APIs on user privacy should be considered before they are enabled globally,” the researchers say.