Browsers, web sites, and user tracking
Browser tracking across different sites is certainly a major privacy concern and one that is more acute when the boundaries between sites and browsers blur—or disappear altogether. That seems to be the underlying tension in a "discussion" of an only tangentially related proposal being made by Google to the W3C Technical Architecture Group (TAG). The proposal would change the handling of the User-Agent headers sent by browsers, but the discussion turned to the unrelated X-Client-Data header that Chrome sends to Google-owned sites. The connection is that in both cases some feel that the web-search giant is misusing its position to the detriment of its users and its competitors in the web ecosystem.
The original review request was made on TAG's GitHub repository by Chrome developer Yoav Weiss. The change being proposed is an attempt to reduce the abuse of the User-Agent header, both as a way to fingerprint individual users and as a mechanism to limit which browsers can view a site. The "User-Agent Client Hints" draft describes a new mechanism for clients to identify themselves to web servers. If adopted, it would get rid of User-Agent entirely and replace it with the Sec-CH-UA header, which would, at least initially, provide much less information for web servers to (ab)use. Servers could request more detailed information about the browser and platform in their response, and the browser could choose to supply it on subsequent requests. The name of the header puts it in the Sec- namespace, which means that it cannot be changed by JavaScript running on the page; the rest of the name abbreviates "client hints" and "user agent".
There is lots more to it than that, but that is the high-level gist. The review request gathered a few comments, several of which were skeptical of the need for the feature as well as concerned about its impact—especially on niche browsers or those that are just starting to get a foothold in the marketplace. There is, at minimum, a perception that Google may be trying to use its dominance in browsing, ad serving, web search, and other web services to undercut existing or future competitors.
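The exchange described above, as an added example that is not part of the article or of any browser's code: the browser sends only the low-entropy hints unsolicited, an origin opts in to more via an Accept-CH response header, and page script cannot touch anything in the Sec- namespace. The hint names are those of the draft; which hints count as low entropy, the constructed values, and the simple Accept-CH parsing are assumptions made here.

```python
from collections import defaultdict

# Sent unsolicited with every request (low entropy: brand and major version).
DEFAULT_HINTS = {"Sec-CH-UA", "Sec-CH-UA-Mobile"}
# Sent only to an origin that asked for them in an earlier Accept-CH response.
OPT_IN_HINTS = {"Sec-CH-UA-Platform", "Sec-CH-UA-Arch", "Sec-CH-UA-Full-Version"}

# Constructed values for one browser instance (not real Chrome output).
HINT_VALUES = {
    "Sec-CH-UA": '"Chrome"; v="80"',
    "Sec-CH-UA-Mobile": "?0",
    "Sec-CH-UA-Platform": '"Linux"',
    "Sec-CH-UA-Arch": '"x86"',
    "Sec-CH-UA-Full-Version": '"80.0.3987.87"',
}

def script_may_set(header_name):
    """Fetch treats the Sec- prefix as forbidden: page JavaScript cannot set it."""
    return not header_name.lower().startswith("sec-")

class Browser:
    def __init__(self):
        self.granted = defaultdict(set)  # origin -> opt-in hints it may receive

    def request_headers(self, origin):
        """Headers for a request to origin: the defaults plus what it opted into."""
        allowed = DEFAULT_HINTS | self.granted[origin]
        return {name: HINT_VALUES[name] for name in sorted(allowed)}

    def observe_response(self, origin, response_headers):
        """Remember an Accept-CH opt-in for this origin only; unknown tokens are dropped."""
        accept = response_headers.get("Accept-CH")
        if accept is not None:
            wanted = {token.strip() for token in accept.split(",")}
            self.granted[origin] = wanted & OPT_IN_HINTS

def exchange(origin="https://example.com"):
    """First request carries only defaults; after Accept-CH the second carries more."""
    browser = Browser()
    first = browser.request_headers(origin)
    # Constructed server reply asking for platform and full version.
    browser.observe_response(origin, {"Accept-CH": "Sec-CH-UA-Platform, Sec-CH-UA-Full-Version"})
    second = browser.request_headers(origin)
    return first, second

if __name__ == "__main__":
    for headers in exchange():
        print(headers)
```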
A comment on the review request raised the issue of the X-Client-Data header; a user named "kiwibrowser" (presumably Arnaud Granal, who is the founder of the Chromium-based Kiwi Browser) asked Weiss about the header: "Did you consider removing the installation and Google-specific tracking headers (x-client-data) that Google Chrome is sending to Google properties?"
A pointer to that comment was subsequently posted on Hacker News, which set off a sizable stream of comments. According to a Google privacy white paper linked in both places, X-Client-Data is meant to facilitate A/B testing in the browser and on various Google sites, but the concern is that it helps Google associate an ID with a browser. As kiwibrowser put it: "it doesn't make sense to anonymise user-agent if you have such backdoor".
How unique the X-Client-Data actually is was one area that was discussed in a sub-thread on Hacker News. In the best case (or worst case from the perspective of those trying to identify and track users), the white paper says that values from zero to 7999 are chosen for a seed, which results in 13 bits of entropy. But that is only true if usage statistics and crash reports are turned off, which is not the default; the entropy for the default installation is not specified, but it is sure to be higher, which means that it is more likely to be unique to a specific user's browser. Beyond that, more information will be used: "Experiments may be further limited by country (determined by your IP address), operating system, Chrome version and other parameters."
The active "variations" can be seen in the "chrome://version" screen in Chrome, but it is difficult to get any real sense for how they are used—and what they might be revealing. In addition, the X-Client-Data header is only sent to a select group of Google sites, which can be seen in the Chromium source code. That list contains various ad services, such as DoubleClick, which probably helps fuel the impression that the header can be used for tracking. Some were also concerned that only sending the header to Google sites is intended to provide a competitive advantage; any tracking ability that it provides is not shared with other sites.
These days, lots of browsers are based on Chromium, as are frameworks like Electron. Several Hacker News posters checked some of these derivative browsers and reported that they did not send X-Client-Data. An Electron maintainer said that the JavaScript framework has also dropped that code. The ungoogled-chromium repository was also mentioned as a fork that removes the code to send the header among other de-Googling changes.
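The check the Hacker News posters did on derivative browsers, as an added example that is not from the article or from any of those projects: audit a HAR capture (the JSON export that browser developer tools produce) for requests that carried X-Client-Data and report which hosts received it. The capture below is constructed, and the expected-receiver set is a placeholder standing in for the list in the Chromium source, not a copy of it.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR fragment: two requests carry the header, one does not.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://www.google.com/search?q=lwn",
                 "headers": [{"name": "User-Agent", "value": "Mozilla/5.0"},
                             {"name": "X-Client-Data", "value": "CONSTRUCTED-OPAQUE-VALUE"}]}},
    {"request": {"url": "https://ad.doubleclick.net/ddm/track",
                 "headers": [{"name": "x-client-data", "value": "CONSTRUCTED-OPAQUE-VALUE"}]}},
    {"request": {"url": "https://lwn.net/Articles/",
                 "headers": [{"name": "User-Agent", "value": "Mozilla/5.0"}]}},
]}})

# Placeholder for the hosts the Chromium source lists as receivers (assumption).
EXPECTED_RECEIVERS = {"www.google.com", "ad.doubleclick.net"}

def hosts_receiving_header(har_text, header_name="X-Client-Data"):
    """Return {host: request_count} for every request that sent header_name."""
    wanted = header_name.lower()
    counts = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        # Header names are case-insensitive, so compare lower-cased.
        if any(h["name"].lower() == wanted for h in req["headers"]):
            host = urlsplit(req["url"]).hostname
            counts[host] = counts.get(host, 0) + 1
    return counts

def audit(har_text, expected=EXPECTED_RECEIVERS):
    """Split receivers into expected hosts and surprises worth a closer look."""
    receivers = hosts_receiving_header(har_text)
    return {
        "expected": sorted(h for h in receivers if h in expected),
        "unexpected": sorted(h for h in receivers if h not in expected),
        # False means this build sent the header to nobody in the capture.
        "header_sent": bool(receivers),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_HAR))
```

An empty "unexpected" list with "header_sent" true is the stock Chrome behaviour the article describes; a build that has dropped the code shows "header_sent" false.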
But the truth of the matter is that people using Google's services (and browser) open themselves up to plenty of easy ways to be tracked. While the white paper tries to present the tracking in a positive, or at least neutral, light, it is clearly the case that the search giant has an enormous trove of data that it can use for ad targeting—or nearly anything else it chooses. Even switching away from Chrome entirely does not change much in terms of tracking for those signing into the Google mothership. And that data can be shared with other entities that wish to track the browsing habits of individual users, for advertising or even more malodorous activities. The Google privacy policy talks about sharing its data with its partners and allowing them to collect browser information, but it is not entirely clear how much protection that actually provides.
Browser fingerprinting is nothing new, of course, nor is the role played by Google and other online services. So, to a certain extent, the threads were used as an opportunity to vent about Google: its dominant position, its privacy practices, and how it can or does use that position to lock out competitors and potential future competitors. Topics like the wording of the white paper and the Google privacy policy, the collection of personally identifiable information (PII) on the web and how that relates to the EU General Data Protection Regulation (GDPR), the Sec-CH-UA proposal, as well as other real or perceived misdeeds by various players in the web ecosystem all came up along the way.
It is not at all clear that those kinds of concerns are actually reaching the audience that needs to hear them—and if they are, they apparently are not particularly compelling to the vast majority of users. There may well be good reasons for questioning the reasoning behind moving away from User-Agent—and Google's motivation to make that change—but a W3C TAG review request hardly seems like the right forum to make a wider point about the behavior of Chrome. A Hacker News thread is not a place where these kinds of activities are going to be curtailed either; it is going to be up to users to recognize that there are problems to be solved and to try to find ways to do so.
That said, the web ecosystem has become a privacy wasteland, so it is not all that surprising that technically savvy folks get up in arms and vent from time to time. But those of a technical bent already have most of the tools they need to combat these problems for themselves; simply giving up the convenience of the various services provided by motherships of all stripes would largely obviate this particular problem. Other tools can be used to minimize tracking while still trying to extract some value from the online resources of the web.
But "we" (including myself as an (over)user of Google services) often choose not to stop using those services and may not protect our privacy using the other tools all that much either—our family members and neighbors without those technical skills effectively lack the choice. There is plenty of lip service to the idea that people can opt out of certain kinds of tracking and such but, without understanding the underlying problems and consequences, few will—and few do. In the end, it is a societal problem that will require some kind of collective action, either via governmental action (e.g. the GDPR) or through changes to people's attitudes and behavior—or both.
Browsers, web sites, and user tracking
Posted Feb 5, 2020 21:25 UTC (Wed)
by jkingweb (subscriber, #113039)
Does Edge also patch this stuff out, I wonder?
Browsers, web sites, and user tracking
Posted Feb 5, 2020 21:56 UTC (Wed)
by Ranguvar (subscriber, #56734)
Browsers, web sites, and user tracking
Posted Feb 5, 2020 22:37 UTC (Wed)
by jafd (subscriber, #129642)
Browsers, web sites, and user tracking
Posted Feb 6, 2020 2:04 UTC (Thu)
by kenmoffat (subscriber, #4807)
This sounds somewhat like the blocking of falkon and other qt browsers by gmail which hit me in December on a machine where I had not previously used falkon or gmail. See e.g. I say that because "use a mandated browser" invites me to install chrome or similar. Strangely, gmail in falkon continues to work in the other machines where I had previously used it, and even works in fresh installs on those machines.
Browsers, web sites, and user tracking
Posted Feb 6, 2020 2:07 UTC (Thu)
by kenmoffat (subscriber, #4807)
Damn, forgotten how to write html. Link is https://news.softpedia.com/news/several-linux-browsers-blocked-from-accessing-google-services-528591.shtml
Browsers, web sites, and user tracking
Posted Feb 6, 2020 20:59 UTC (Thu)
by flussence (guest, #85566)
So we should start throwing their trash back at them instead. How can we make sites that work for everyone else, but subtly suck on Chrome and derivatives?
Browsers, web sites, and user tracking
Posted Feb 6, 2020 21:15 UTC (Thu)
by mpr22 (subscriber, #60784)
Browsers, web sites, and user tracking
Posted Feb 7, 2020 8:54 UTC (Fri)
by dgm (subscriber, #49227)
Browsers, web sites, and user tracking
Posted Feb 7, 2020 21:08 UTC (Fri)
by flussence (guest, #85566)
Did you not live through the IE6 dark ages?
Avoid monoculture
Posted Feb 7, 2020 5:55 UTC (Fri)
by eru (subscriber, #2753)
Else we are soon in the same situation as in the 1990's with IE. But recent news from Mozilla have not been encouraging.
Avoid monoculture
Posted Feb 8, 2020 0:32 UTC (Sat)
by chutzpah (subscriber, #39595)
I am currently a happy Firefox user; they have a lot of nice features via extensions that Chrome-based browsers lack (like Firefox containers).
Avoid monoculture
Posted Feb 10, 2020 7:53 UTC (Mon)
by eru (subscriber, #2753)
I mean news like this https://www.theregister.co.uk/2020/01/16/mozilla_job_cuts/
Browsers, web sites, and user tracking
Posted Feb 14, 2020 21:30 UTC (Fri)
by poruid (guest, #15924)
Endless privacy statements that nobody comprehends, not even lawyers, as lawful title, is fictitious. These texts are materially nothing but a bunch of letters and people treat those rightfully as such. Laws, e.g. international treaties, that put an end to these practices are truly needed as no individual is really able to personally defend his privacy on his/her own.
Besides the above off-topic political comment, putting the UA data in a header in the Sec- namespace seems a good idea (as in do no evil).
Even companies treat their legalese as noise
Posted Feb 15, 2020 11:49 UTC (Sat)
by james (subscriber, #1325)
My favourite example of companies treating their own license as line noise is this: for decades, HP workgroup printers came with a Windows driver, with a license that said "HP grants you a license to Use one copy of the HP Software." (My emphasis.)
For workgroup printers. Intended to be used by, and so have the driver on, multiple clients.
No-one at HP, in all that time, read that license and realised how stupid that was. Or if they did, no-one cared enough to get it fixed.
The idea that anyone at HP actually meant the contents of that document and intended it to be applied to workgroup printers just does not tally with reality. I am not a lawyer, but I wouldn't be surprised if a good one managed to get it invalidated and replaced with the "real" agreement: obviously HP invite and expect their users to install those drivers, and that is enough to license the users to do so.
Browsers, web sites, and user tracking
Posted May 9, 2020 19:03 UTC (Sat)
by boog (subscriber, #30882)