LOGO

google unpauses privacy-focused changes to chrome ua strings

May 19, 2021
Topics:chromiumFLoCsGoogleGoogle ChromePrivacy SandboxsafariTCthird party cookiesWeb browsersweb developersweb infrastructure
google unpauses privacy-focused changes to chrome ua strings

Google Resumes User-Agent String Reduction Efforts in Chrome

Google has announced the continuation of its work to lessen the detail within user-agent strings in the Chrome browser. This initiative, initially paused in early 2020 due to the COVID-19 pandemic, aims to avoid adding further challenges to the web development community during a period of public health crisis.

Implications for Web Developers

The resumption of this change carries implications for developers, as modifications to user-agent strings could potentially disrupt existing systems without corresponding code updates. However, Google has established a phased timeline involving origin tests, and explicitly states that “no User-Agent string changes will be coming to the stable channel of Chrome in 2021”. Therefore, implementation is not anticipated before 2022.

Privacy Sandbox and User-Agent Reduction

This move, developed through the Chromium engine, to simplify user-agent strings is connected to Google’s broader Privacy Sandbox initiative. This plan, unveiled in 2019, seeks to enhance web privacy by evolving web architecture through open standards.

Key Components of the Privacy Sandbox

The Privacy Sandbox includes the deprecation of third-party tracking cookies and the introduction of Federated Learning of Cohorts (FLoC), a technology for on-device ad-targeting. Reducing the exploitable surface area of fingerprintable user-agent strings is another crucial aspect of this privacy-focused overhaul.

A Multi-Year Journey

The Privacy Sandbox remains a complex undertaking. While some speculated an early 2022 launch, the seven-phase rollout, including origin trials lasting at least six months each, suggests a more protracted timeline. Google initially acknowledged in 2019 that these changes would unfold over “a multi-year journey”.

Dependencies and Potential Delays

Google cannot realistically deprecate tracking cookies without simultaneously delivering alternative solutions for ad targeting, measurement, and fraud prevention. Consequently, any delays in the Privacy Sandbox components could impact the two-year timeline for phasing out third-party cookies, potentially pushing the shift to 2022 or beyond.

Balancing Innovation and Industry Concerns

Google’s efforts to reshape web infrastructure, specifically regarding user tracking, have significant ramifications for various stakeholders, particularly adtech companies and publishers reliant on tracking mechanisms. This has resulted in considerable resistance from these sectors.

Regulatory Scrutiny

The plan to end third-party cookie support is also facing regulatory review in Europe. Advertisers argue it represents an anti-competitive practice, potentially limiting third-party data access while Google maintains control over first-party user data. Regulatory responses could further influence the project’s timeline.

A Positive Step Towards Privacy

Despite these challenges, reducing user-agent string granularity is considered a positive step towards enhanced privacy. Google acknowledges being behind similar initiatives already implemented by Apple’s Safari and Mozilla’s Firefox.

Rationale for the Change

“The User Agent string presents challenges for two reasons. Firstly, it passively exposes quite a lot of information about the browser for every HTTP request that may be used for fingerprinting,” Google explains. “Secondly, it has grown in length and complexity over the years and encourages error-prone string parsing. We believe the User Agent Client Hints API solves both of these problems in a more developer- and user-friendly manner.”

Expert Commentary

Dr. Lukasz Olejnik, a security and privacy researcher, describes the change as “a great privacy improvement”. He notes that reducing entropy will lessen user identifiability, emphasizing that combining IP addresses with user-agent strings creates a highly identifying profile. He also points out that Firefox and Safari have already taken similar steps.

Backwards Compatibility and Migration

Google emphasizes that the changes are “designed with backwards compatibility in mind”, expecting minimal disruption for developers. Existing parsers should continue functioning as expected. However, developers relying on specific information like Chrome minor version, OS version number, or Android device model will need to migrate to the User Agent Client Hints API.

Potential for Unexpected Issues

Despite Google’s assurances, Olejnik suggests some developers might be unprepared. Libraries or backend systems dependent on the current user-agent string format could experience unexpected failures if updates aren’t implemented promptly. The scale of this impact remains uncertain.