Google Feat 1 scaled 1

Google unpauses privacy-focused changes to Chrome UA strings – TechCrunch

Google is resuming work on reducing the granularity of information presented in user-agent strings on its Chrome browser, it said today — picking up an effort it put on pause last year, during the early days of the COVID-19 pandemic when it said it wanted to avoid piling extra migration burden on the web ecosystem in the middle of a public health emergency. The resumption of the move has implications for web developers as the changes to user-agent strings could break some existing infrastructure without updates to code. Although Google has laid out a pretty generous-looking timeline of origin tests, its blog post emphasizes that “no User-Agent string changes will be coming to the stable channel of Chrome in 2021 “. So, the changes certainly won’t ship before 2022.

The move, via the development of its Chromium engine, to pare back user-agent strings to reduce their ability to be used to track users is related to Google’s overarching Privacy Sandbox plan — aka the stack of proposals it announced in 2019 — when it said it wanted to evolve web architecture by developing a set of open standards to “fundamentally enhance” web privacy. Part of this move toward a more private default for Chromium is depreciating support for third-party tracking cookies. Another part is Google’s proposed technological alternative for on-device ad-targeting cohorts of users (aka FLoCs).

Google

Cleaning up exploitable surface areas like fingerprintable user-agent strings is another component — and should be understood as part of the more comprehensive ‘hygiene’ drive required to deliver on the goals of Privacy Sandbox. The latter remains a massive, tanker-turning effort, though. And while there have been some suggestions Google could be ready to ship Privacy Sandbox in early 2022, given the timelines, it’s allowing for origin tests of the changes to user-agent strings — a seven-phase rollout, with two origin trials lasting at least six months apiece — that looks unlikely. (At least not for all the constituent parts of the Sandbox to ship.)

Indeed, back in 2019, Google was upfront that the changes it had in mind would not come overnight, saying then: “It’s going to be a multi-year journey”. In January 2020, it seemed to dial up at least part of the timeline, saying it wanted to phase out support for third-party cookies within two years. Still, Google can’t realistically depreciate tracking cookies without shipping changes in browser standards needed to provide publishers and advertisers with alternative means for ad targeting, measurement, and fraud prevention. So, any delay to elements of the Privacy Sandbox could have a knock-on impact on its ‘two-year’ timeline to end support for third-party cookies. (And 2022 may be the very earliest the shift could happen.)

There’s push and pull going on here, as Google’s effort to retool web infrastructure — and, more specifically, to change how web users and activity can and can’t be tracked — has massive implications for many other web users, most notably the adtech players and publishers whose businesses are deeply embedded in this tracking web. Unsurprisingly, it has faced a lot of pushback from those sectors. Its plan to end support for third-party tracking cookies is also under regulatory scrutiny in Europe — where advertisers complained it’s an anti-competitive power move to block third-party parties’ access to user data while continuing to help itself to masses of first-party user data (given its dominance of essential Internet services). So, depending on how regulators respond to ecosystem concerns, Google may not be able to keep complete control of the timeline, either.

Nonetheless, Chrome paring back user-agent strings is a welcome — if overdue — move from a privacy perspective. Indeed, Google’s blog post notes that it’s the laggard vs. similar efforts already undertaken by the web engines underlying Apple’s Safari browser and Mozilla’s Firefox. “As pointed out in the User Agent Client Hints explainer, the User Agent string presents challenges for two reasons. Firstly, it passively exposes quite a lot of information about the browser for every HTTP request that may be used for fingerprinting,” Google writes, fleshing out its rationale for the change. “Secondly, it has grown in length and complexity over the years and encourages error-prone string parsing. We believe the User Agent Client Hints API solves both of these problems in a more developer- and user-friendly manner.”

Commenting on the development, Dr. Lukasz Olejnik, an independent consultant and security and privacy researcher who has advised the W3C on technical architecture and standards, describes the incoming change as “a great privacy improvement”. “The user-agent change will reduce entropy and so reduce identifiability,” he told TechCrunch. “I view it as a great privacy improvement because considering the IP address and the UA string simultaneously is highly identifying. UAs are not exactly simplified in Firefox/Safari as Chrome suggests.” Google’s blog post notes that its UA plan was “designed with backward compatibility in mind”. It seeks to reassure developers — adding that: “While any changes to the User Agent string need to be managed carefully, we expect minimal friction for developers as we roll this out (i.e., existing parsers should continue to operate as expected).

“If your site, service, library, or application relies on certain bits of information being present in the User Agents string, such as Chrome minor versionOS version number, or Android device model, you will need to begin the migration to use the User Agent Client Hints API instead,” it goes on. “If you don’t require any of these, then no changes are required, and things should continue to operate as they have to date.” Despite Google’s reassurances, Olejnik suggested some web developers could still be caught on the hop — if they fail to take note of the development and don’t make necessary updates to their code in time. “Web developers may be concerned as certain libraries or backend systems depend on the strict UA string existing today,” he noted, adding: “Things may stop working as intended. This might be a sudden and surprising breakage. But the actual impact at a scale is unpredictable.”

Share

I have always enjoyed writing and reading other people's blogs. I started writing a journal as a teenager and have since written numerous books and articles. My blog is a place where I can write freely about my personal interests and those of others.

Leave a Reply

Your email address will not be published. Required fields are marked *