GPUs and online user tracking
In a research paper titled “DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting”, researchers have presented a method of identifying users based on browser fingerprints generated by GPUs.
These days users can be tracked by cookies, browser user-agents, network IPs, mouse movements, and other techniques. User identification is required to prevent bot network attacks but also to track users and record their preferences to serve more accurate advertisement. Where law applies, publishers are required to take consent from users, however, there are plenty of malicious organizations who will ignore such requests from users and they constantly come up with new ways for tracking.
Researchers have now confirmed that there is a new high accuracy method of identifying users: GPU fingerprints. Their technique has been tested in large-scale experiments that involved 2500 devices and have seen 67% quicker tracking than other known methods. The current method relying on WebGL 2.0 APU requires at least 8 seconds to fingerprint the GPU, but there are already new web APIs that will limit this time to 150ms and increase accuracy up to 98%.
This fingerprint method relies on hardware identification, specifically GPUs. They exploit the possibility of measuring a vector containing various calculations that can later be used to verify the user. Researchers have even confirmed that removing and replacing some components will not affect the ‘classifier’ which is used to track the user.
To reinforce our claim that the classification results are due to differences in the behavior of the GPUs, and not due to some residual differences among the computers, we selected two GEN 3 computers, physically swapped their hard drives, and re-ran the fingerprinting classifier. As expected, the fingerprinting classifier was not misled by the hard disk transplant, and was still able to label each of the two computers according to their CPU. Next, we returned the hard drives to their original locations, and physically swapped the CPUs with integrated graphics of the two systems. As expected, the classifier followed the transplanted CPU, even though all other hardware was unmodified.
— Research Paper
This fingerprint method requires WebGL 2.0 API which is no longer actively supported as it has been succeeded by WebGPU, however, despite the latter being under active development there is no stable edition being supported by any browser. WebGL 2.0 is still used by some popular sites such as Google Maps or IKEA.
The research concludes that there are ways to prevent GPU fingerprints. In fact, the WebGL standard is required by only 1% of the top 10K websites ranked by Alexa, suggesting that this API could be disabled by browsers by default. The fingerprint creation would also be severely limited by introducing parallel execution, but this could have a big impact on WebGL API performance.
Khronos, the nonprofit organization responsible for WebGL is already looking into possible mitigation that would prevent this fingerprinting method.