Google is resuming work on reducing the granularity of information presented in user-agent strings on its Chrome browser, it said today — picking up an effort it put on pause last year, during the early days of the COVID-19 pandemic when it said it wanted to avoid piling extra migration burden on the web ecosystem in the middle of a public health emergency.
The resumption of the move has implications for web developers as the changes to user-agent strings could break some existing infrastructure without updates to code. Although Google has laid out a pretty generous-looking timeline of origin tests — and its blog post emphasizes that “no User-Agent string changes will be coming to the stable channel of Chrome in 2021“. So the changes certainly won’t ship before 2022.
The move, via the development of its Chromium engine, to pare back user-agent strings to reduce their ability to be used to track users is related to Google’s overarching Privacy Sandbox plan — aka the stack of proposals, it announced in 2019 — when it said it wanted to evolve web architecture by developing a set of open standards to “fundamentally enhance” web privacy.
Part of this move toward a more private default for Chromium is depreciating support for third-party tracking cookies. Another part is Google’s proposed technological alternative for on-device ad-targeting cohorts of users (aka FLoCs).
Cleaning up exploitable surface areas like finger printable user-agent strings is another component — and should be understood as part of the more comprehensive ‘hygiene’ drive required to deliver on the goals of Privacy Sandbox.
The latter remains a massive, tanker-turning effort, though. And while there have been some suggestions Google could be ready to ship Privacy Sandbox in early 2022, given the timelines it’s allowing for origin tests of the changes to user-agent strings — a seven phase rollout, with two origin trials lasting at least six months apiece — that looks unlikely. (At least not for all the constituent parts of the Sandbox to ship.)
Indeed, back in 2019, Google was upfront that the changes it had in mind would not come overnight, saying then: “It’s going to be a multi-year journey”. In January 2020, it seemed to dial up at least part of the timeline, saying it wanted to phase out support for third-party cookies within two years.
Still, Google can’t realistically depreciate tracking cookies without shipping changes in browser standards needed to provide publishers and advertisers with alternative means to do ad targeting, measurement, and fraud prevention. So any delay to elements of the Privacy Sandbox could have a knock-on impact on its ‘two-year’ timeline to end support for third-party cookies. (And 2022 may well be the very earliest the shift could happen.)
There’s push and pull going on here, as Google’s effort to retool web infrastructure — and, more specifically, to change how web users and activity can and can’t be tracked — has massive implications for many other web users; most notably the adtech players and publishers whose businesses are deeply embedded in this tracking web.
Unsurprisingly, it has faced a lot of pushback from those sectors. Its plan to end support for third-party tracking cookies is also under regulatory scrutiny in Europe — where advertisers complained it’s an anti-competitive power move to block third parties’ access to user data while continuing to help itself to masses of first-party user data (given its dominance of essential Internet services). So depending on how regulators respond to ecosystem concerns, Google may not keep complete control of the timeline, either.
Nonetheless, from a privacy perspective, Chrome paring back user-agent strings is welcome — if overdue — move.
Indeed Google’s blog post notes that it’s the laggard vs. similar efforts already undertaken by the web engines underlying Apple’s Safari browser and Mozilla’s Firefox.
“As noted in the User-Agent Client Hints explainer, the User-Agent string presents challenges for two reasons. Firstly, it passively exposes quite a lot of information about the browser for every HTTP request that may be used for fingerprinting,” Google writes, fleshing out its rationale for the change. “Secondly, it has grown in length and complexity over the years and encourages error-prone string parsing. We believe the User Agent Client Hints API solves both of these problems in a more developer- and user-friendly manner.”
Commenting on the development, Dr. Lukasz Olejnik, an independent consultant and security and privacy researcher who has advised the W3C on technical architecture and standards, describes the incoming change as “a great privacy improvement”.
“The user-agent change will reduce entropy and so reduce identifiability,” he told TechCrunch. “I view it as a great privacy improvement because considering IP address and the UA string at the same time is highly identifying. UAs are not exactly simplified in Firefox/Safari in the way Chrome suggests doing them.”
“If your site, service, library, or application relies on certain bits of information being present in the User-Agent string such as Chrome minor version, OS version number, or Android device model, you will need to begin the migration to use the User Agent Client Hints API instead,” it goes on. “If you don’t require any of these, then no changes are required, and things should continue to operate as they have to date.”
Despite Google’s reassurances, Olejnik suggested some web developers could still be caught on the hop — if they fail to take note of the development and don’t make necessary updates to their code in time.
“Web developers may be concerned as certain libraries or backend systems depend on the strict UA string existing as today,” he noted, adding: “Things may stop working as intended. This might be a sudden and surprising breakage. But the actual impact at a scale is unpredictable.