Most people are going to be familiar with user tracking due to advertising or site analytics from places like Google. The scripts used to collect information on a person viewing or visiting a site are well known and documented. This is a mostly benign use of the technology as it just allows for an understanding of the traffic in place and optimizing content and/or ads presented to the people visiting. The other side of this might be in terms of law enforcement and tracking suspects during an investigation (probably though the inaccurate lens of TV and Movies). However, this is just the tip of the iceberg.

The tagging and tracking of people or devices as they move through the internet can and has been used by state level and criminal threat actor groups. Identifying and collecting the habits of someone in a target organization can give the attacker a wealth of information and help identify potential avenues of attack especially when the target is a high-profile one. This type of tracking is typically part of the lead up to a targeted attack if it is not found and stopped.

The dangers of this level of detail in tracking have been known about for years and there are finally some steps in the right direction to help offset the risks involved with protecting a person’s privacy. These steps also help in making it harder to track a target using the common cookie and browser fingerprinting methods.

Now a group of researchers have found a way to leverage the information collected about a device’s GPU to create a reliable hardware fingerprint. The method uses unique properties of the GPU to compile the signature. The collection method can be through a JavaScript (much like current methods) and does not require any privileges to run.

Using the WebGL API the new tracking method is able to clock the time that it takes to render different graphics primitives. By running different primitives through different GPU execution units, the method can develop a very accurate picture of the GPU in question. It is sophisticated enough that it can differentiate between devices with the exact same hardware and software. It is an impressive technology, and all brought to you by the people that want to load web pages faster with GPU based rendering of code. Tracking using this type of identification is only going to get batter as more and more objects are pushed into the highly parallel processing on the GPU.

There are ways to stop this including JavaScript blocking and disabling GPU rendering (along with associated technologies). However, these each have their own impacts to web performance and visibility. It would be nice, if instead of needing to disable all this stuff the people that push for these new standards look at the potential effects to security and privacy before they release them. That is not likely to happen though as technologies like this are like a drug to the big data groups like Facebook, Google, and others.