Researchers use GPU fingerprinting to track users online

I don't really get how this can work. There are only a few dozen different types of GPUs, wouldn't the same make and model get the same result within the error of measurement? Thus making them indistinguishable from each other?
 
Doesn't surprise me too much, they've been using the canvas feature of browsers to track graphics rendering since the feature was implemented. Sadly, most people just don't care, hell some people actually like this stuff, like my wife for instance, who says it helps her find "new things to buy".
 
Doesn't surprise me too much, they've been using the canvas feature of browsers to track graphics rendering since the feature was implemented. Sadly, most people just don't care, hell some people actually like this stuff, like my wife for instance, who says it helps her find "new things to buy".
I'm still more bothered by direct surveillance by phones. It is really disturbing when you get ads for things you talked about (not on the phone, just in earshot of it)
 
The next-gen GPU APIs currently in development, most notably WebGPU, feature compute shaders which come in addition to the existing graphics pipeline.

As such, the upcoming API may introduce even more ways to fingerprint internet users, and quite likely faster and far more accurate too.

Appreciate the link. Turning the backend of the browser against the user, against the user's will and completely hidden - devious. Very devious.

As a professional software dev by role: if my work history attributes involve building those capabilities into whatever project at the time (as opposed to 'saying no') - will my future developer career prospects be 'cancelled' from the corporate perspective?
 
I don't really get how this can work. There are only a few dozen different types of GPUs, wouldn't the same make and model get the same result within the error of measurement? Thus making them indistinguishable from each other?
The article explains that there are variances between even identical GPUs that allow two GPUs of the same model to be distinguished from one another.
 
As a professional software dev by role: if my work history attributes involve building those capabilities into whatever project at the time (as opposed to 'saying no') - will my future developer career prospects be 'cancelled' from the corporate perspective?

You'd be fired
 
I'm looking through "about:config" in my Firefox right now to see if I can disable WebGL (because I can't remember the last time I needed 3d rendering in a browser anyway)

That said, having it disabled would probably put me in a small enough unusual category as well, allowing for some level of tracking...
 
I'm looking through "about:config" in my Firefox right now to see if I can disable WebGL (because I can't remember the last time I needed 3d rendering in a browser anyway)

That said, having it disabled would probably put me in a small enough unusual category as well, allowing for some level of tracking...

looks like there is a setting in about:config named "webgl.disabled".

I switched it from false to true. Let's see what happens.
 
The article explains that there are variances between even identical GPUs that allow two GPUs of the same model to be distinguished from one another.
It doesn't explain how it differentiates between measurement variance and actual minuscule differences between identical GPUs. The latter should be a magnitude smaller than the former. They just say they eliminated measurement variance even when you are running background tasks, well I have to press extra doubt on that. Futuremark, or whatever they are called now, would give anything to get the benchmarking tool that can reliably detect performance differences down to silicon variance, no matter the bloatware running. That's some space magic.
 
It doesn't explain how it differentiates between measurement variance and actual minuscule differences between identical GPUs. The latter should be a magnitude smaller than the former. They just say they eliminated measurement variance even when you are running background tasks, well I have to press extra doubt on that. Futuremark, or whatever they are called now, would give anything to get the benchmarking tool that can reliably detect performance differences down to silicon variance, no matter the bloatware running. That's some space magic.
They render the same image multiple times, diff them to find the parts that don't change, exclude or ignore parts that are the same between gpus... fingerprint. With that and other browser data, you can generate a fairly unique user profile, especially if you have a few different render profiles which behave better on different gpus.
 
This has been going on for many years, but the authors of "DrawnApart" claim that their particular technique improves the current state-of-the-art in browser-based fingerprinting (spying). The page referenced in the OP already contains a link to the original source, but here it is again (a bit ironic that my "paranoid" browser security settings caused me to miss it along with 90% of the content initially), because the full paper is interesting and definitely worth a skim:

DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting
https://arxiv.org/abs/2201.09956
https://arxiv.org/pdf/2201.09956.pdf (direct link to PDF)

This is yet another good reason to choose a web browser that provides the means to disable as much tracking as possible — preferably not one maintained by the largest advertising company in the world.
 
I'm looking through "about:config" in my Firefox right now to see if I can disable WebGL (because I can't remember the last time I needed 3d rendering in a browser anyway)

That said, having it disabled would probably put me in a small enough unusual category as well, allowing for some level of tracking...
Do you have privacy.resistFingerprinting set to true? There's also a privacy.resistFingerprinting.block_mozAddonManager, but I can't even remember offhand what that one is supposed to do.

https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting
 
I don't really get how this can work. There are only a few dozen different types of GPUs, wouldn't the same make and model get the same result within the error of measurement? Thus making them indistinguishable from each other?
No two GPUs are alike; as Google discovered a few years back, there are certain calculations that will give varying results depending on which specific transistors are or aren't functional in your silicon. No GPU or CPU is 100% perfect; each will have 3 or 4 that aren't working correctly, and the likelihood that 2 GPUs have the same few faulty transistors in the same places is incredibly small.
 
There are already much easier ways to track us.... MAC numbers on your cable modem/router and NICs, for starters
 
There are already much easier ways to track us.... MAC numbers on your cable modem/router and NICs, for starters
Well, ad providers and their customers don't have or need access to those, because (except Google) they don't own that part of the internet backbone, and they don't need to know where you are...just "who" you are.
 
There are already much easier ways to track us.... MAC numbers on your cable modem/router and NICs, for starters
Really, for your average website it is easier to track the MAC numbers on my cable modem, my switch and my NIC? Or your smartphone wifi MAC (which I imagine is a lot of the tracking)?

That sounds strange that it would be easy; why would an iPhone device/browser tell that to a website? It does not need that to talk back to you, your public IP suffices, no?

It doesn't explain how it differentiates between measurement variance and actual minuscule differences between identical GPUs. The latter should be a magnitude smaller than the former. They just say they eliminated measurement variance even when you are running background tasks, well I have to press extra doubt on that. Futuremark, or whatever they are called now, would give anything to get the benchmarking tool that can reliably detect performance differences down to silicon variance, no matter the bloatware running. That's some space magic.
For some really common GPU (HD 4600) their method went from an accuracy of less than 5% in the past to 15%, under lab conditions; Apple M1 goes from 25 to 73, a GTX 1650 gets close to 100% (just 10 devices) if I understand that graph. It is far from perfect.

I imagine it is used with an array of tracking methods (IP, device, comportment) and most of all it just needs to be good; there is no necessity in being perfect.

From my understanding of the paper, the signature is not so much that this device is faster than the other. The trick is to change over time which subset of shader cores does a compute-intensive function; in a similar device each core would be different, and how different they are on the same device will serve as this device's signature. If the device's bloatware in the background slows the GPU for some reason, it will slow all the cores in a similar way and their individual differences could still be expressed. GPUs have so many cores that you can create, I imagine, an interesting sample size. But that makes the code need to know the GPUs in advance.

They did actual tests on actual devices showing that it "works" (i.e. augments tracing capability); it is not theoretical.
 
Do you have privacy.resistFingerprinting set to true? There's also a privacy.resistFingerprinting.block_mozAddonManager, but I can't even remember offhand what that one is supposed to do.

https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting


Good grief, another setting I didn't know about.

Just to capture it somewhere if I need to find my running list of settings changes for privacy again, I figured I'd re-post it here:

- Install
- Go to about:config and search for pocket and double click on extensions.pocket.enabled to disable it.
- Go to settings
- Disable all telemetry data collection
- Disable offering to remember passwords
- Disable asking about site notifications
- Disable asking about camera/microphone use
- Disable asking about location
- Set Content Blocking under Privacy and Security to "strict". It warns about potentially breaking sites, but in 65 I have yet to have this happen to any site I have visited. (as mentioned above, it did in 64 though)
- Open new tab.
- Click settings wheel
- Uncheck "Recommended by Pocket", "Highlights" and "Snippets"
- Go to about:config search for peerconnection and set media.peerconnection.enabled to false
- Go to about:config, search for WebGL and set webgl.disabled to true.
- Go to about:config, search for "fingerprinting" and set "privacy.resistFingerprinting" to true.

Please add any I may have missed!
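
A way to check the about:config changes from the list above against a profile's prefs.js or user.js, as an added example that is not part of the original post. The sample file contents are constructed and the function names are hypothetical; the pref names and values are the ones given in the list.

```python
import re

# about:config changes named in the list above, with the values the post sets.
EXPECTED = {
    "extensions.pocket.enabled": False,
    "media.peerconnection.enabled": False,
    "webgl.disabled": True,
    "privacy.resistFingerprinting": True,
}

# prefs.js / user.js hold one pref per line:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref() line; a later line wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, expected=EXPECTED):
    """Return {pref: problem} for each expected pref that is missing or wrong."""
    prefs = parse_prefs(text)
    findings = {}
    for name, want in expected.items():
        if name not in prefs:
            findings[name] = "not set in this file"
        elif prefs[name] != want:
            findings[name] = f"set to {prefs[name]!r}, expected {want!r}"
    return findings

# Constructed sample of a profile's prefs.js (not taken from a real profile).
SAMPLE = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("extensions.pocket.enabled", false);
user_pref("media.peerconnection.enabled", true);
user_pref("webgl.disabled", true);
"""

if __name__ == "__main__":
    for pref, problem in audit(SAMPLE).items():
        print(f"{pref}: {problem}")
```

A pref reported as not set may still be configured in the profile's other file, so run the check over both prefs.js and user.js.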
 
It says my Canvas fingerprint is "Unique", despite having a canvas blocker and using FF (which is supposed to help with that as well). The Canvas blocker also messes with ebay, forcing me to use Chrome on that site. Damn.

Same. With all of this garbage disabled in the browser, I'm still "unique".

It's bullshit.

There really needs to be some regulation to require that all online technologies, HTML included be designed with complete anonymity as their primary goal, and then a stick that punishes anyone or any organization with draconian fines if they try to circumvent the anonymity. By all means, make an exception for law enforcement if and only if they have a warrant.

No one else should be allowed to collect this shit. It has gone too damn far.

I know armies of lobbyists would be opposed to it, but I feel like this is one of those things that should have near universal support across the political spectrum. We just need to make it part of the conversation.
 
It says my Canvas fingerprint is "Unique", despite having a canvas blocker and using FF (which is supposed to help with that as well). The Canvas blocker also messes with ebay, forcing me to use Chrome on that site. Damn.
Yeah, it will say that even when it's working, but the image and resulting fingerprint will be different each time you reload the page when canvas access is restricted. What did the canvas image look like? It may change in the future, but if you saw a rectangle with colored bands or similar, then you can safely ignore it. When you reload the page, it will also tell you if it has previously encountered your device.

Edit: with the built-in preference setting, you can toggle canvas access on a per-site basis, either temporarily or permanently. Don't worry too much about uniqueness per se. What matters is whether your browser produces a persistent fingerprint that can be used to track you. The significance of each value requires its own interpretation. Be sure to clear your cookies and cache from the site after changing settings.
 
To get all this regulated and prohibited, first you have to find someone who will make money on this going into effect. Otherwise all that is at stake is loss of money for data sales. There is nothing of concern lost with the collection and sale of this data. (me saying from the eyes of the ones making money off it).
 
Because "we" don't make the rules, the companies with lots of money to buy or stop laws from happening do

No amount of lobbying in the world can stop something if there is near universal voter buy-in and we all make it a priority to our elected officials.

We have to make it a priority, and let our officials know that if they don't support regulation around privacy they will be primaried and lose.

It's up to us.

The only reason they get away with this shit is because far too many people just don't care or don't think they can do anything about it.
 
Because "we" don't make the rules, the companies with lots of money to buy or stop laws from happening do
Look at the list of Euro laws in that regard, I am not so sure, and I am not so sure people prefer being asked about their cookie options every time they go on a website than simply having them. I feel "we" don't mind at all being tracked online and having "better" advertising for it, thus no pressure for laws.
 
The only reason they get away with this shit is because far too many people just don't care or don't think they can do anything about it.

You're talking about a population that buys "smart" televisions, "smart" refrigerators, and "smart" phones, and doesn't think for a second about spamming all the personal details of their life to facebook and google, so I will go with the former. The reality is that the overwhelming majority of our population only care about something if the talking heads make it an issue, and the same entities who own the media conglomerates are the same entities making money from monetizing information. We live in a nation of sheep, all too willing to be regularly shorn so long as they have a sufficient amount of bread to eat and circuses to watch.
 
Do you have privacy.resistFingerprinting set to true? There's also a privacy.resistFingerprinting.block_mozAddonManager, but I can't even remember offhand what that one is supposed to do.

https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting

Well, I enabled this, and disabled WebGL, and between the two changes, the only ill effect I've seen has been pretty random.

The notification number on the bell icon in the top right of the forum screen no longer works, both here and on other boards that use the same software...

Weird..
 
You're talking about a population that buys "smart" televisions, "smart" refrigerators, and "smart" phones, and doesn't think for a second about spamming all the personal details of their life to facebook and google, so I will go with the former. The reality is that the overwhelming majority of our population only care about something if the talking heads make it an issue, and the same entities who own the media conglomerates are the same entities making money from monetizing information. We live in a nation of sheep, all too willing to be regularly shorn so long as they have a sufficient amount of bread to eat and circuses to watch.

Pretty much, the majority of the population will give up privacy for more convenience.

However, a very small number of consumers advocated for the right to repair. The majority of consumers couldn't care less if they couldn't repair their own device, as FOMO rules the world. So it is possible for a small amount of people to create change.
 
Appreciate the link. Turning the backend of the browser against the user, against the user's will and completely hidden - devious. Very devious.

As a professional software dev by role: if my work history attributes involve building those capabilities into whatever project at the time (as opposed to 'saying no') - will my future developer career prospects be 'cancelled' from the corporate perspective?
I wouldn't think future work would be impacted unless potentially it was your idea to implement the idea in the first place. If you're just the implementer, I don't think that really reflects negatively on you. A lot of companies want workers that won't raise a stink about what they've been asked to do and just do it.
 
I don't really get how this can work. There are only a few dozen different types of GPUs, wouldn't the same make and model get the same result within the error of measurement? Thus making them indistinguishable from each other?
Even among the same production batch, there will be manufacturing variances that can alter performance in various aspects.

That’s what they’re fingerprinting. Using complex calculations and thus very easy to see variances when present.
 
Even among the same production batch, there will be manufacturing variances that can alter performance in various aspects.

That’s what they’re fingerprinting. Using complex calculations and thus very easy to see variances when present.

So maybe someone could execute a script to slightly change the clock offset in afterburner every 24 hours.
 
So maybe someone could execute a script to slightly change the clock offset in afterburner every 24 hours.
If I was going to do something like that, I'd do it every 10-20s. But honestly, they'd probably see that less than 1% of their data changed, and calculate that the probability of you being the same person is very high.
 