Experts have revealed that a computer’s Graphics Processing Unit (GPU) can be used to track users across the web. A group of 10 researchers from universities in France, Israel, and Australia have published a report on a new “remote GPU fingerprinting” technique dubbed DrawnApart.
Explained as plainly as possible, this uses a cross-platform API for rendering 3D graphics in the browser, called WebGL. When combined with the GPU’s operations, it creates a unique fingerprint of the device.
Violation of privacy
The researchers tested the method on 2,550 devices, carrying a total of 1,605 unique CPU configurations. The results have shown that the median tracking duration of current, state-of-the-art methods can be extended, from the current, 17.5 days, to 28 days. That’s a 67% increase.
This is a “severe problem” for user privacy, a news report on BleepingComputer reads. Consumer privacy has been in the spotlight for the past couple of years, ever since Google’s and Facebook’s tracking practices were scrutinized (other large tech companies, as well as some nation-states, aren’t faring much better, either).
Current laws and regulations, such as the European Union’s General Data Protection Regulation, focus on making sure the users give explicit consent before accepting cookies onto their devices.
As a result, various businesses and “unscrupulous websites” have turned to other tracking methods, collecting “potential fingerprinting elements” such as hardware configuration, the visitor’s operating system, their timezone, screen resolution, etc.
However, none of these methods are as successful as cookie placement, as the elements regularly change. Even if they’re stable, they only allow the websites to broadly categorize their customers, rather than create a unique fingerprint.
The next version of WebGPU, which is currently being developed, will feature additional compute shaders, which may introduce even more ways to fingerprint internet users, the report concludes.
People looking to remain anonymous when browsing the web will usually install a VPN, access the internet via a proxy server, and deploy a whole swathe of other privacy tools.