Telling a website to stick its cookies someplace else might not be enough to keep it from tracking you across the web—there are other identifiers that can help narrow down who you are and what you’re doing as you travel the silicon superhighway. These techniques rely on tracking the exact configuration of hardware you’re running inside your PC, though researchers suggest this form of hardware tracking could be done with even greater accuracy through something known as GPU fingerprinting.
Outlined in a research paper [PDF warning] from co-first authors Tomer Laor of Ben-Gurion University and Naif Mehanna from University Lille, CNRS, and their respective teams (via Bleeping Computer), the technique nicknamed DrawnApart takes advantage of minor differences in a user’s GPU behavior to uniquely identify them across the web.
That could lead to persistent tracking by, what the researchers call, “less scrupulous websites” that potentially jeopardises existing privacy protections on the web, such as cookie consent.
The DrawnApart technique works by not only noting the GPU and other hardware in use by a PC, but actually honing in on a given GPU’s specific characteristics. In the researchers’ own words, “we harness the statistical speed variations of individual EUs in the GPU to uniquely identify a complete system.”
To do that, the researchers use WebGL to target the GPU’s shaders with a sequence of drawing operations that are designed to be sensitive to differences across individual EUs. The resulting vector, called a trace, contains a sequence of timing measurements that the team have generated.
The differences in the resulting trace information is then able to identify, or fingerprint, different GPUs, even if they’re the same make and model.
You can even watch a video of the researchers swapping the CPU of its test machines and the algorithm’s tracking accurately maintaining which is which based on integrated graphics alone.
These are raw traces from the study for two different Intel Gen 3 computers. (Image credit: Tomer Laor, Naif Mehanna)
The researchers say they’re able to do this with high accuracy: noting a 67% improvement when used in conjunction with existing fingerprinting algorithms, in a test of over 2,500 unique devices and 371,000 fingerprints. That’s an improvement in successfully tracking a user from 18 days with the existing FP-STALKER fingerprinting algorithm to 30 days when using the DrawnApart algorithm with it.
“This is a substantial improvement to stateless tracking, obtained through the use of our new fingerprinting method, without making any changes to the permission model or runtime assumptions of the browser fingerprinting adversary,” the researchers say. “We believe it raises practical concerns about the privacy of users being subjected to fingerprinting.”
The average tracking time increases significantly once DrawnApart is used. (Image credit: Tomer Laor, Naif Mehanna)
Thus DrawnApart could be used to circumvent cookie legislation and protections for user privacy online. That’s not lost on the researchers, either, who clearly from the paper believe online privacy is a fundamental right, and who outline how to combat a potential tracking algorithm based on its findings.
Essentially, you’re going to lose access to a lot of websites used by millions of people daily if you disable WebGL outright. Though it is an option.
The researchers also note that the Tor browser runs WebGL in a “minimum compatibility mode”, which does prevent access to the ANGLE_instanced_arrays API used by DrawnApart.
Another option to counter DrawnApart, or techniques like it, could be to use a blocking script that prevents access to at-risk resources. Though the researchers don’t find these lists to be sufficient in maintaining privacy in all regards.
Then there’s the option of altering the values required to track a user, to sort of create a fuzziness in the results that lowers the accuracy of any tracking. That could work, the researchers note, though existing countermeasures to this end from another study by Wu et al. wouldn’t be sufficient.
The key to DrawnApart is in measuring the use of the actual shader cores within the GPU by an API. (Image credit: Nvidia)
There are options there to mitigate the threat from DrawnApart, but none better than what the researchers outline in the following section: preventing parallel execution, preventing deterministic dispatching, and preventing time measurements.
All three of these combined would do away with DrawnApart’s potential threat to online privacy, though it would be in the hands of WebGL and even browser developers to implement each of them in such a way to make them practical and effective. That first bit is important, too, as the researchers note that preventing time measures, for example, is a “futile” task online.
There are also some limitations that should be noted. Mainly that variation in GPU voltage could alter the results, though this wasn’t tested.
Yet DrawnApart, and fingerprinting techniques like it, is still a frightful concept to champions of privacy and your average web user alike. Privacy is not to be trifled with, yet the very hardware we’re accessing the web with can be used against us to keep track of where we’re going and what we’re doing. Clearly it’s an ongoing battle to keep ahead of the curve with efficient mitigations for privacy-abating techniques such as this, and as researchers point out the holes in the digital battlements, developers rush out to patch them.
“Our fingerprinting technique can tell apart devices that are completely indistinguishable by current state-of-the-art methods, while remaining robust to changing environmental conditions. Our technique works well both on PCs and mobile devices, has a practical offline and online runtime, and does not require access to any extra sensors such as the microphone, camera, or gyroscope,” the researchers conclude.
As ever, my advice is to make sure to keep your PC up-to-date. Though if you’re majorly worried about tracking across the web, perhaps you might want to consider more drastic measures in this instance, such as doing away with WebGL altogether. Though that could be quite a sacrifice.
In the long-run, more permanent and less intrusive techniques to prevent such tracking could be put in place. The Khronos Group responsible for the WebGL specification has setup a technical study group to discuss the disclosure with browser vendors, while Intel, Arm, Google, Mozilla, and Brave were all shared in on the paper back in 2020.