ChatGPT Tracking Throughout Different AppVMs?

Hey everyone,

I’ve been experimenting with ChatGPT in a few different AppVMs — mostly for writing assistance, coding help, and casual research. It’s been incredibly useful, but it’s also gotten me thinking about how much tracking or cross-VM fingerprinting might actually be possible through usage patterns.

Let me explain.

Each time I use ChatGPT, I open it in a separate disposable or AppVM — depending on what I’m doing. My assumption was that since Qubes OS separates everything so strictly, OpenAI (or any web service, really) shouldn’t be able to link sessions across VMs… unless there’s some subtle browser fingerprinting or API-level behavior that links them anyway.

I’m not logged in to an OpenAI account in any of these sessions, and I’m using Tor in some cases. But in other cases, it’s just a regular Firefox-based AppVM with basic hardening. Still, I’ve noticed similar styles of follow-up responses or suggestions — which could just be coincidence, but it got me thinking:

  • Could fingerprinting techniques (canvas, font metrics, extension detection, etc.) be enough to correlate use across AppVMs, even when cookies and logins are not present?
  • Are there known mechanisms ChatGPT (or any AI web interface) might use that could persist across Qubes OS isolation layers?
  • Would using different templates (Debian vs Fedora) give any additional protection in terms of entropy?
  • Anyone gone deeper into network-level behavior for this kind of service?

Not trying to spread paranoia here — just genuinely curious. With how powerful these models are getting, and how much we’re using them across different workflows, it feels like a timely question for the Qubes community.

Looking forward to hearing if anyone else has thought about this — or done more rigorous testing. Thanks in advance!

1 Like

Hi harrycmary

Can you do a simple test, from the browsers where you try to access ChatGPT:

Open the URL:

and look at their response – do you see a pattern across the AppVMs/Templates?

:slight_smile:

1 Like

> and look at their response – do you see a pattern across the AppVMs/Templates?

I do not think they are using IPs to track. There is NAT or DS-Lite.

@harrycmary

QubesOS is aimed at security, not privacy and anonymity. Nevertheless, there should be no context leak, especially between two whonix workstations.

Could you maybe elaborate on your indicators of doubt? Maybe with anonymized examples?

> Could fingerprinting techniques (canvas, font metrics, extension detection, etc.) be enough to correlate use across AppVMs, even when cookies and logins are not present?

Yes. On non whonix-workstations there might be clock skew fingerprinting (and other methods) to learn that those are running on the same machine.

Also between fedora-42 disposables, the canvas and webgl fingerprint stays the same, as well as display dimensions and color depth.

> Are there known mechanisms ChatGPT (or any AI web interface) might use that could persist across Qubes OS isolation layers?

Not that I know of.

> Would using different templates (Debian vs Fedora) give any additional protection in terms of entropy?

Your clock skew should remain unique and similar across different templates. Also, you only get as many different fingerprints as templates you use. I would recommend using a fingerprint-resistant browser for this, rather than many different templates. Something like the whonix-workstation should be the best.

> • Anyone gone deeper into network-level behavior for this kind of service?

I did not notice this so far, but I am using a wrapper around ChatGPT in whonix-workstations.

Regarding your system: Have you modified any of the VM’s browsers, for example installed plugins?

1 Like
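A self-check for the point made in the reply above, that disposables from one template present the same canvas, WebGL and display values. This is an added example, not code from the thread: `collect()` is meant for the browser console of each qube, and the function names, qube names and sample values are all constructed here.

```javascript
// FNV-1a 32-bit hash: short label for long values (not cryptographic).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Browser only: run in each qube's console and copy the returned object.
function collect() {
  const c = document.createElement("canvas");
  const ctx = c.getContext("2d");
  ctx.font = "16px serif";
  ctx.fillText("Qubes fingerprint self-test", 2, 20);
  const gl = document.createElement("canvas").getContext("webgl");
  return {
    canvas: fnv1a(c.toDataURL()),
    webgl: gl ? String(gl.getParameter(gl.RENDERER)) : "none",
    screen: `${screen.width}x${screen.height}`,
    colorDepth: screen.colorDepth,
  };
}

// Canonical string for one report, independent of key order.
const canon = (a) => JSON.stringify(Object.keys(a).sort().map((k) => [k, a[k]]));
// Qubes with identical reports form one group: a site sees one fingerprint
// per group, however many qubes are behind it.
function linkGroups(reports) {
  const groups = new Map();
  for (const [qube, attrs] of Object.entries(reports)) {
    const key = canon(attrs);
    groups.set(key, [...(groups.get(key) || []), qube]);
  }
  return [...groups.values()];
}
// Attributes with the same value in every qube, i.e. what still matches
// even between qubes that fall into different groups.
function sharedAttributes(reports) {
  const all = Object.values(reports);
  return Object.keys(all[0]).filter((k) => all.every((r) => r[k] === all[0][k])).sort();
}

// Constructed sample reports (not measurements from any real qube).
const SAMPLE = {
  "disp1-fedora": { canvas: "a1b2c3d4", webgl: "llvmpipe", screen: "1920x1080", colorDepth: 24 },
  "disp2-fedora": { canvas: "a1b2c3d4", webgl: "llvmpipe", screen: "1920x1080", colorDepth: 24 },
  "work-debian": { canvas: "9f8e7d6c", webgl: "llvmpipe", screen: "1920x1080", colorDepth: 24 },
};
console.log(linkGroups(SAMPLE), sharedAttributes(SAMPLE));
```

With the constructed sample, the two disposables fall into one group and the third qube into another, while screen size, color depth and WebGL renderer are common to all three.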

You are probably right – my aim was to give a simple example of something that stays the same across different AppVMs/Templates.*

:slight_smile:

*: The non-whonix - as you explained so well.

1 Like

You can use Duck.ai:

Otherwise, self-host your own.

Some relevant links:

3 Likes