GPU fingerprinting can be used to track users online
DrawnApart technique can distinguish between machines with identical hardware and software configurations
A team of researchers from French, Israeli and Australian universities have conducted a series of experiments that demonstrate that people on the web can be tracked using the unique fingerprints created by their graphical processing units (GPUs).
Device fingerprinting, generally conducted through the browser, is an intrusive practice used by marketers to track people's online activities, using a set of data collection techniques that help identify users based on their device's unique attributes.
Just as a fingerprint reveals the unique biological identity of a person, a machine fingerprint can disclose unique traits about a person's online behaviour.
A user's browser version, device model, operating system, browser extensions, screen size and resolution, time zone, preferred language settings, and all the specs of the CPU are among the details that are usually collected through device fingerprinting.
According to experts, tracking done through device fingerprinting is more invasive than cookie-based tracking.
Since device fingerprinting takes place quietly in the background as users surf the internet, users cannot trace the fingerprinting or delete their fingerprints, as they can with third-party cookies.
Many advertisers and adtech companies use device fingerprinting to trace visitors' internet history to learn more about their interests, and then serve them with more personalised ads.
In the current study, researchers from an international academic environment carried out a large-scale experiment to explore the idea of creating unique fingerprints based on the unique properties of the GPU stack of the tracked systems, using the Web Graphics Library (WebGL) - a cross-platform API for rendering 3D graphics in the web browser.
The technique, called DrawnApart, was tested on a total of 2,550 devices with 1,605 different GPU configurations.
According to the researchers, the DrawnApart technique works by giving the GPU a task when the page loads and then monitoring how the hardware handles the assignment (for example, the time it takes to process it).
This process generates a unique digital fingerprint, an identifier of a specific GPU, based on 176 measurements taken from 16 different points.
According to the researchers, every integrated circuit (even in identical GPUs) differs from the others due to normal manufacturing variability.
So even if a set of integrated circuits is created through an identical manufacturing process, and has the same number of processing units, the same computational power, and the exact same cores and architecture, each individual IC differs from the others.
While these minute differences are indistinguishable in day-to-day operations, they can be useful in the context of a complex tracking system such as DrawnApart.
According to the researchers, this is the first study that explores the manufacturing differences between identical GPUs and also the first to exploit these differences in a privacy context.
'On the practical front, it demonstrates a robust technique for distinguishing between machines with identical hardware and software configurations.'
The new technique "can boost the median tracking duration to 67 per cent compared to current state-of-the-art methods", according to the researchers.
As pointed out by Bleeping Computer, there are only a few ways to ward off DrawnApart surveillance. They include parallel execution prevention, attribute value changes, script blocking, API blocking, and time measurement prevention.
The non-profit organisation Khronos, which develops the WebGL library, has formed a technical study group which is currently exploring potential solutions with various stakeholders in response to researchers' findings.
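To illustrate the "time measurement prevention" mitigation listed above, the following added simulation (not code from the researchers or from the original article) shows how a coarser page-visible clock removes the small timing differences that separate two otherwise identical devices. It uses no WebGL and no real GPU; the 16 x 11 split of the 176 measurements, the nominal task time, the per-point deviations and the noise bound are all constructed assumptions.

```javascript
// Simulation only: no WebGL, no real GPU. All numbers below are constructed.
const REPS = 11;          // assumed: 16 points x 11 repetitions = 176 measurements
const NOMINAL_US = 2500;  // assumed nominal task time in microseconds
// Constructed per-point deviations (microseconds) for two "identical" GPUs.
const DEVICES = [
  [12, -31, 5, 44, -18, 27, -40, 9, 33, -6, -22, 15, 48, -35, 2, -11],
  [-20, 14, 38, -9, 25, -42, 7, 31, -15, 46, 3, -28, -4, 19, -37, 10],
];
// Small seeded PRNG (mulberry32) so every run is repeatable.
function mulberry32(a) {
  return () => {
    let t = (a += 0x6D2B79F5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
// What a page-visible clock with the given resolution would report.
const quantize = (us, resolutionUs) => Math.floor(us / resolutionUs) * resolutionUs;

// One trace: per-point median of REPS noisy (+/- 2 us) timings seen through the clock.
function trace(device, resolutionUs, rand) {
  return DEVICES[device].map((offset) => {
    const samples = Array.from({ length: REPS }, () =>
      quantize(NOMINAL_US + offset + (rand() * 4 - 2), resolutionUs));
    return samples.sort((a, b) => a - b)[(REPS - 1) / 2];
  });
}
const distance = (a, b) => a.reduce((sum, v, i) => sum + Math.abs(v - b[i]), 0);

// Index of the nearest enrolled profile, or -1 when both are equally close.
function identify(sample, profiles) {
  const [d0, d1] = profiles.map((p) => distance(sample, p));
  return d0 === d1 ? -1 : d0 < d1 ? 0 : 1;
}
// Fraction of fresh traces attributed to the correct device.
function reidentificationRate(resolutionUs, trials = 50, seed = 1) {
  const rand = mulberry32(seed);
  const profiles = [0, 1].map((d) => trace(d, resolutionUs, rand));
  let hits = 0;
  for (let i = 0; i < trials; i++) {
    if (identify(trace(i % 2, resolutionUs, rand), profiles) === i % 2) hits++;
  }
  return hits / trials;
}
// 1 us clock vs. 1 ms clock: prints "1 0"
console.log(reidentificationRate(1), reidentificationRate(1000));
```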