By now you should know about browser fingerprinting, the method that is being used to track people who aren’t using the proper privacy software. It works through VPNs and other tunneling methods, simply because scripts need to pass through parameters like screen size, drivers, and audio capabilities to let websites function properly.
But the next step in browser fingerprinting has been achieved: A research team figured out how governments and advertisers can use your specific graphics card (GPU) quirks to track who you are, uniquely. This disturbing discovery might have you wondering if these researchers were the first to figure it out, or if the technique is already in use somewhere in the world. We’re wondering the same thing.
So strap in, because we’re taking a quick dive into the study in question so that we can put the results in layman’s terms. Let’s learn more about the frightening world of graphics card fingerprinting.
The three-country research study used a method that they call ‘DRAWNAPART’ (DA) to test out certain aspects of a user’s GPU. They knew that Web Graphics Library (WebGL) was supported by all major browsers, and so devised a series of super short tests that they could run in the background, as the user was first accessing the website.
For example, one test might be on shader time for a specific, simple shape. Then they try it again with another shape and another. These parallel sets of shader tasks quickly form a profile, which is stored in a database. They also run things like wireframe drawing tests, vector graphics tests, and the like. That’s all added to the same profile.
The suite of tests that is used can be tailored for high variance. For example, let’s say there’s a task that is lightning quick on a 3070 GPU but dirt slow on a 2080, simply because of advances in the feature set or the driver. That test, along with other tests that should give dramatically different results because of core feature differences, will be chosen specifically. The same selection method is used with mini-performance tests that are hugely different between AMD and Nvidia. Anything that is fast to execute in the background, but will produce hugely different results between brands and series, is a candidate test.
And those speed results can be very specific, even within the same GPU family. Because as we know, when you get any sort of processor - CPU, GPU, etc. - the speed that is advertised is a minimum speed. The actual speed will be slightly faster, and the amount of processing it can do in a millisecond will vary from chip to chip. No two cards are exactly the same.
It all happens in the blink of an eye. And whenever a user visits a site, even if they think they’re being anonymous, these same tests can be run again. And again. All of those little timing differences and idiosyncrasies between brands and chipsets are recorded, analyzed, and stored.
Soon a pattern is formed, and the results of these mini-speed tests become a fingerprint that can be used to ID the user. As long as scripting is turned on, this all happens without the user ever being aware that they’re being probed.
How Effective is GPU Fingerprinting?
Sadly, the answer is: Very effective.
The addition of these tests to a normal browser fingerprinting suite increased effectiveness by 47% to 67%! This is measured in effective tracking time. For example, after a week of data collection, researchers were able to effectively track the average user for 17.5 days without their new method. Incorporating the new GPU tracking method extended that to 28 days: a flat 60% increase.
This wasn’t a low-budget study run out of someone’s garage either. Over 2,500 unique devices were used. The researchers were able to study which graphics cards were susceptible to various kinds of tests, how other factors like memory or CPU entered into the picture, and how efficiently different browser types executed the tests.
Details on the study’s setup and execution, as well as the frightening results, can be found here.
What made this study so different from prior methods, and so effective? From the paper itself:
"We note that prior browser fingerprinting techniques extract deterministic fingerprints, which remain identical as long as the device’s software and configuration have not changed. Our technique, in contrast, is based on timing measurements and, as such, is non-deterministic - multiple measurements made on the same device will return different values due to the effects of measurement noise, quantization, and the impact of other tasks running at the same time."
This means simple changes to the user’s setup won’t fool this new method. Just swapping a driver's name or changing the spelling of a graphics card brand isn’t fooling anyone here. Labels mean nothing as far as the GPU fingerprinting method is concerned… only results.
We mentioned AMD and Nvidia, but that’s only scratching the surface. Many laptops use Intel-brand GPUs. Mobile devices might use Mali or Apple. This method can probe deeply into mobile device GPUs as well. Nobody is safe.
How To Stop Your Graphics Card From Identifying You
There are a few self-executed measures you can take to prevent this method from working, but there are consequences.
For example, you can go into your browser’s settings and turn off WebGL. Or you can block JavaScript, which is required to execute these kinds of tests. But either of those methods is likely to break functionality on the websites you visit.
The best solution is to use a privacy app like Hoody. Because Hoody uses a different mini-virtual machine and GPU for each tab of your web browser, it has absolutely nothing to do with your real graphics card! The results are simply streamed back to each tab, which is treated as its own independent process with no correlation between sessions.
That means the next time you open the tab, you’ll get a different mini-virtual machine and GPU from one of Hoody’s private cloud server farms. It makes GPU tracking an impossible task. The intricate table that is being kept to track GPU profiles gets filled with garbage data that can’t be correlated to anything or anyone.
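The difference between the two fingerprint styles in the quoted passage, and the effect of rendering each session on different hardware, can be seen in a small simulation. This is an added example, not code from the study or from Hoody: the timings, the label "ExampleGPU 1000", and the 8-test, 4-chip setup are constructed, and no WebGL is called.

```javascript
// Constructed simulation: timings are synthetic, no WebGL calls are made.
const TESTS = 8;   // short timing tests per visit (assumed)
const NOISE = 0.3; // max per-test measurement noise, same unit as timings

// Small deterministic PRNG (mulberry32) so the run is repeatable.
function rng(seed) {
  return () => {
    seed = (seed + 0x6D2B79F5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Four chips of the same model: identical label, slightly different timings.
function makeDevice(id) {
  const profile = Array.from({ length: TESTS },
    (_, k) => 100 + (((id >> (k % 2)) & 1) ? 0.5 : -0.5));
  return { id, label: "ExampleGPU 1000", profile };
}

// One visit: the label the browser reports plus a noisy timing trace.
function measure(device, rand, spoofedLabel) {
  const trace = device.profile.map(t => t + (rand() * 2 - 1) * NOISE);
  return { label: spoofedLabel || device.label, trace };
}

// Deterministic-style fingerprint: exact string over the reported values.
const exactKey = m => m.label + "|" + m.trace.join(",");

// Timing-style fingerprint: nearest enrolled profile by squared distance.
function nearest(enrolled, m) {
  const dist = d => d.profile.reduce((s, t, k) => s + (t - m.trace[k]) ** 2, 0);
  return enrolled.reduce((a, b) => (dist(b) < dist(a) ? b : a)).id;
}

function simulate() {
  const rand = rng(1), chips = [0, 1, 2, 3].map(makeDevice);
  const a = measure(chips[2], rand), b = measure(chips[2], rand);
  const c = measure(chips[2], rand, "Spoofed GPU"); // label changed only
  // Same user, but each session is rendered on a different chip.
  const rotated = chips.map(ch => nearest(chips, measure(ch, rand)));
  return {
    exactMatch: exactKey(a) === exactKey(b),             // noise breaks equality
    timingMatch: [nearest(chips, b), nearest(chips, c)], // spoofed label ignored
    rotatedIds: new Set(rotated).size,                   // no stable identity
  };
}
```

Two visits from the same chip never produce the same exact key, yet both resolve to the same enrolled profile even with a spoofed label; only changing the hardware that runs the tests makes the matched identity unstable.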
No matter how you choose to mitigate this new attack on privacy, please understand: Q1 2022 is when researchers discovered this. It might already be in the field, thanks to private organizations or government agencies around the world doing similar research and not sharing the results. Be careful out there.
This is just the tip of the iceberg! If you want to deep dive into the topic of fingerprinting then check out our Full Device and Browser Fingerprinting Guide.
Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.