A few days ago we presented you the European Data Protection Day, which took place at the end of January this year and aimed to raise public awareness of the major threats they can face on the Internet. And recently, a new study has unearthed a new risk that could bode well for the future.
Track your online activity…
As reported by the website BleedingComputer, a team of researchers from French, Australian and Israeli universities has been studying the possibility of using the graphic processors or GPUs of internet users to create a kind of unique fingerprint and thus monitor their activities on the internet.
The experiment was run on more than 2,500 devices with around 1,600 different CPU (Central Processing Unit) configurations. This new technique, called DrawnApart, appears to be very effective, with a 67% increase in median follow-up time compared to the current best algorithms.
This is a real concern for user privacy, which is currently protected by EU data protection regulations, including cookie consent on websites. But these so-called laws have already led to unscrupulous websites collecting information such as hardware configuration, operating system, time zones, screen resolution, language, etc.
This unethical approach remains limited for now as these elements change frequently and even if they are stable it only helps to place users in a broad category rather than create a unique fingerprint. Good so far.
…thanks to your graphics card!
The researchers therefore considered the possibility of using the GPU of the devices tracked via WebGL (Web Graphics Library) to create unique fingerprints. The latter is an API (i.e. an application programming interface) that allows the display of 3D elements present in all modern web browsers.
Using this API, the DrawnApart tracking system can count the number and speed of execution units in the GPU, measure the time it takes to complete a task, and more. For the somewhat technical part, DrawnApart uses short GLSL programs executed by the target GPU as part of the “vertex shader” to overcome the challenge of managing calculations by random execution units. Thus, workload assignment is predictable and standardized.
This procedure then makes it possible to generate traces from 176 measurements at 16 points, thus creating a kind of fingerprint. Even with the visual evaluation of the individual raw traces, clear differences and temporal fluctuations between the devices can be determined.
When DrawnApart is used with cutting-edge tracking algorithms, a target user’s average follow time increases by 67%, from an average follow time of 17.5 days to 28 days using l GPU footprint. The research paper then concludes the study as follows:
We believe a similar method can also be found for the WebGPU API once it becomes available. The impact of accelerated computing APIs on user privacy should be considered before enabling them globally.
The developer of the WebGL API, the Khronos Group, received the researchers’ findings on the topic and formed a technical study group to discuss possible solutions with browser vendors and other stakeholders.