Google is working to make it harder for websites to 'fingerprint' you
The change will make it harder for ad companies to track individuals online.
What you need to know
- Google is planning on phasing out user-string agents in the Chrome browser.
- The change would improve individuals’ privacy by making it harder for ad peddlers to ‘fingerprint’ users online.
- It would also help solve a variety of compatibility issues experienced by other browsers.
Privacy is all the rage at the Chrome labs these days. Amidst its efforts to do away with notification spam on Chrome and adding electronic privacy screen support to its Chrome-powered notebooks, Google this week announced its desire to eventually phase out and deprecate user-agent (UA) strings on its browser.
For those not familiar with the term, this is a string of metadata sent out by your browser every time you visit a website. The information includes your browser’s name and version, the operating system, and the rendering engine used. The last two, in particular, can be far more revealing than you might assume. Take a look at the following example on Google’s documentation for UA strings in Chrome:
Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36
As can be seen, the UA String not only shows that the individual is using Android 5.1.1, it also indicates the specific Android build for the device in use, a Nexus 5. The rendering engine information, for example, can tell an ad company if a person is an iPhone user, since most third-party browsers on iOS still use Safari’s rendering engine behind the scenes.
The combination of such information can allow ad companies to ‘fingerprint’ — or indirectly identify — individuals on the web for targeted ads, even if you’re trying to ensure you’re not being tracked across the web. To circumvent this potential privacy snag, Google has decided it wants to end the era of user-agent strings entirely.
In addition, as the company’s Yoav Weiss explains, ending the practice would also help avoid a number of compatibility issues between browsers:
On top of those privacy issues, User-Agent sniffing is an abundant source of compatibility issues, in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites), and sites (including Google properties) being broken in some browsers for no good reason.
Case in point, Vivaldi recently decided to stop announcing itself across the web, instead opting to present itself as Google Chrome in order to fix a number of rendering issues it was experiencing.
What Google hopes to achieve is to anonymize the information sent out by the browser to only what is absolutely necessary. As such, it will eventually unify UA strings based on desktop and mobile versions by late 2020. This means that while a website may be able to detect which browser a visitor is using and whether they’re on the desktop or a mobile device, that’s about all they’ll be able to initially determine.
However, as many online advertisers do depend on this information, Google is creating a new standard called User Agent Client Hints to replace the deprecated UA Strings. The difference between the two is that the former is far more privacy-conscious, and only provides the necessary bits of information when explicitly requested by the website.
As a result, even though a lot of the same information will still be accessible to websites, the fact that they have to ask for it actively (rather than allowing passive trackers to simply glean the information wholesale) would enable the browser to track precisely what a website knows about you. In the future, Google could then penalize sites for being too nosy about your information with initiatives such as a Privacy Budget — i.e. limits on how much information a particular party can access over time. Think carbon budgets, but for user data.
This approach, Google hopes, will also improve interoperability between browsers and eliminate some of the aforementioned compatibility issues that arise from the incorrect parsing of a UA string by a website. Weiss explains the potential benefits as follows:
Since it provides the information via dedicated fields, it enables better ergonomics and makes it less likely for servers to get it wrong and cause compatibility issues.
And finally, starting fresh will enable us to drop a lot of the legacy baggage that the UA string carries (“Mozilla/5.0”, “like Gecko”, “like KHTML”, etc) going forward.
The complete deprecation of UA Strings will occur in late 2020, with the release of Chrome 85. In the meantime, Google will start notifying websites that use the current UA strings paradigm of the impending change starting in March and begin anonymizing UA string information by June of 2020.