Computer scientists have discovered an experimental new way to track you on the internet using information extracted from your computergraphics processing unit.
In a recent paperthe researchers, from universities in Israel, Australia and France, unveiled a unique device “fingerprinting” strategy that uses the properties of each user’s GPU stack to create distinct, traceable profiles.
For those who don’t know, fingerprinting is a form of web tracking– the pervasive practice of companies and third parties monitoring consumers in an effort to mitigate fraud, improve the “customer experience” and, oh yes, sell you stuff.
Historically speaking, most companies have tracked users via cookies—tiny identifying text files stored in your browser. But cookies have had a tough time lately, as recent privacy regulations, such as California CCPA Where The European GDPR– forced them to be consensual rather than mandatory.
As a result, companies have sought other tracking methods, including browser and device fingerprintingwhich uses data collected from a user’s browser, phone or PC, such as browser configurations or device specifications, to create a trackable fingerprint.
However, fingerprinting has a functional drawback, namely that it does not work for very long. “Browser fingerprints evolve over time, and these evolutions eventually confuse a fingerprint with those of other devices that share similar hardware and software,” the researchers write.
However, the researchers’ new GPU fingerprinting technique has largely overcome this limitation. According to the study, the tracking system allowed the researchers to create “up to a 67% increase in the median duration of follow-up,” meaning it allowed for more consistent tracking over longer periods of time than traditional methods such as cookies.
The details of how it all works are a bit convoluted but basically the strategy is to collect information about how long it takes a device’s GPU to resolve certain visual elements using WebGL, a Graphics rendering API present in all modern web browsers. The researchers say there are slight manufacturing differences between identical GPUs, which can be seen by observing how it interacts with WebGL. The researchers ultimately feed this GPU information and other device data into an algorithm, which then allows them to create a “reliable and robust device signature”, which they claim can be used to track the device user on the web.
The researchers tested their tracking system on 2,550 devices with 1,605 distinct processor configurations and found that it could reliably produce the chilling results they were looking for. “Our technique works well on both PCs and mobile devices, has convenient offline and online execution, and requires no access to additional sensors such as microphone, camera, or gyroscope,” the researchers write. .
The researchers disclosed their findings to a number of affected companies in 2020, including Google, Brave, and Mozilla, and they continued to update them on their research. Similarly, the researchers report that Khronos Group, the software consortium that is “responsible for the WebGL specification” responded to their findings by creating a “technical study group to discuss the disclosure with browser and software vendors.” other stakeholders”.