Researchers have uncovered a new way to track you across the internet using your computer or phone’s graphics processing unit (GPU). It’s part of growing concerns among security professionals about the trail of information users are leaving that could impact privacy. “As it is unrealistic for a user to open their system and change their GPU each time they go online, this potential new method for tracking individuals may prove a significant hurdle to overcome for privacy advocates and may require legal mechanisms, such as new laws, to protect the privacy of users who wish to remain anonymous online,” Frank Downs, the senior director of proactive services at cybersecurity company BlueVoyant, told Lifewire in an email interview.
Chipping Away at Privacy
The graphics processing unit is a circuit in computers and smartphones designed to create images, and it’s a potential source of privacy concerns. An international team of researchers wrote in the new paper that they’ve found a fingerprinting strategy that uses the properties of each user’s GPU stack to create trackable profiles. Browser fingerprinting is a common way to track people across the internet, but it doesn’t last long. On the other hand, the GPU fingerprinting allowed researchers to create “a boost of up to 67% to the median tracking duration,” according to the paper. “Previously, traditional methods of tracking user activity online, such as cookies, provided extensive information to tracking organizations,” Downs said. “However, as consumers became savvy and started to block some of these methods, companies have increasingly targeted signatures that are hardware-based and more difficult for system users to change, such as battery charge level and now, potentially, GPU information.” The new technique works well both on PCs and mobile devices. It “has a practical offline and online runtime and does not require access to any extra sensors such as the microphone, camera, or gyroscope,” the authors wrote in the paper. The research could potentially spell trouble for users, Danka Delic, a technical writer at ProPrivacy, said in an email interview. The moment you visit any website that supports WebGL (a JavaScript API for rendering interactive 2D and 3D graphics), you could instantly become a target for tracking, she added. Nearly all major websites support it. “Not to mention, the next-generation GPU APIs are under development as we speak, which could have even more advanced methods to fingerprint internet users, probably faster and more accurate, too,” Delic said.
Don’t Panic, Yet
Some experts say GPU tracking isn’t yet much of a threat to the average user. “Keep in mind that, as the research article stated, browser “fingerprinting” is as much an art as a science—and is far from 100% effective,” Allen Gwinn, a professor in the Information Technology and Operations Management department at Cox School of Business, Southern Methodist University, told Lifewire via email. “Now that the GPU issue is known, the expected events will happen: Firefox, Brave, TORbrowser, etc., will mitigate,” Gwinn said. “Chrome (Google), Edge (MS), will probably do nothing. Third-party plugins will also likely take on this issue and provide protection.” To protect himself from the GPU issue, Gwinn uses DuckDuckGo as a primary search engine and only searches Google as a backup. He uses Firefox and Brave as his primary browser, along with the Facebook Container plugin for security. He also uninstalled the Facebook app from his mobile device and only accesses it through a browser with most permissions denied. “These are common-sense things that can reduce your ‘internet footprint,’” Gwinn said. “I tell my students to log off of (and delete the apps of) all social media about eight months before you go job hunting. Plus, be careful what you post because those “cute” little pictures of you on the beach at Spring Break with a beer can be misclassified by a social media company’s artificial neural networks—and ultimately end up in the hands of a headhunting firm.”
