Computer researchers have discovered a new, experimental way to track you across the internet using information culled from your computer’s graphics processing unit.
In a recent paper, the researchers—who hail from universities in Israel, Australia, and France—unveiled a unique device “fingerprinting” strategy that uses the properties of each user’s GPU stack to create distinct, trackable profiles.
For those who don’t know, fingerprinting is a form of web tracking—the ubiquitous practice whereby companies and third-parties monitor consumers in an effort to mitigate fraud, improve “customer experience,” and, oh yeah, sell you stuff.
Historically speaking, most companies have tracked users via cookies—tiny, identifying text files stored in your browser. But cookies have fallen on hard times lately, as recent privacy regulations—such as California’s CCPA or Europe’s GDPR—have forced them to be consensual rather than mandatory.
As a result, companies have sought alternative tracking methods, including browser and device fingerprinting, which uses data collected from a users’ browser, phone, or PC—such as browser configurations or device specifications—to create a trackable imprint.
Yet fingerprinting has one functional drawback, which is that it doesn’t work for very long. “Browser fingerprints evolve over time, and these evolutions ultimately cause a fingerprint to be confused with those from other devices sharing similar hardware and software,” researchers write.
However, researchers’ new GPU fingerprinting technique has largely overcome this limitation. According to the study, the tracking system allowed researchers to create “a boost of up to 67% to the median tracking duration,” meaning that it allowed for more consistent tracking over longer periods of time than traditional methods like cookies.
The specifics of how all this works are a little complicated but, basically, the strategy involves collecting information on how long it takes for a device’s GPU to resolve certain visual elements using WebGL, a graphics rendering API that is present in all modern web browsers. Researchers say there are slight manufacturing differences between identical GPUs, the likes of which can be observed by watching how it interacts with WebGL. Researchers ultimately feed this GPU information and other device data into an algorithm, which then allows them to create a “reliable and robust device signature,” which they say can be used to track the device’s user around the web.
Researchers tested their tracking system on 2,550 devices with 1,605 distinct CPU configurations and found it could reliably produce the creepy results they were looking for. “Our technique works well both on PCs and mobile devices, has a practical offline and online runtime, and does not require access to any extra sensors such as the microphone, camera, or gyroscope,” researchers write.
The researchers disclosed their findings to a number of relevant companies in 2020, including Google, Brave, and Mozilla, and they have continued to keep them apprised of their research. Similarly, researchers report that the Khronos group, the software consortium that is “responsible for the WebGL specification” responded to their findings by establishing a “technical study group to discuss the disclosure with browser vendors and other stakeholders.”