14 votes

Google sends a unique Chrome browser identifier through Chrome when you visit their websites

10 comments

  1. [5]
    skybrian
    (edited )
    Link
    I don't see any technical info at that link, but the X-Client-Data header is briefly described here: It doesn't appear that that it's intended to be a unique ID. It looks to me more like they are...

    I don't see any technical info at that link, but the X-Client-Data header is briefly described here:

    We want to build features that users want, so a subset of users may get a sneak peek at new functionality being tested before it’s launched to the world at large. A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome-Variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.

    The variations active for a given installation are determined by a seed number which is randomly selected on first run. If usage statistics and crash reports are disabled, this number is chosen between 0 and 7999 (13 bits of entropy). If you would like to reset your variations seed, run Chrome with the command line flag “--reset-variation-state”. Experiments may be further limited by country (determined by your IP address), operating system, Chrome version and other parameters.

    It doesn't appear that that it's intended to be a unique ID. It looks to me more like they are enabling UI tests for a small, randomly selected subset of visiting Chrome browsers. The idea is that you have a range of randomly assigned numbers from 0 to 7999 and you can select a subset of that range to vary the population size, with a minimum experiment size of 1/8000 == 0.0125% of the population. This also lets you run multiple experiments at the same time, so if you have two experiments you can see what happens with either one turned on or both.

    14 votes
    1. [4]
      feigneddork
      Link Parent
      The x-client-data header itself may not be a privacy issue, but with everything Google collects about you (including IP address) then it's trivial to figure out who is running this instance of...

      The x-client-data header itself may not be a privacy issue, but with everything Google collects about you (including IP address) then it's trivial to figure out who is running this instance of Chrome.

      And the limited range is only when the user has usage stats/crash reports disabled. There is little information about when the user has had it enabled, what kind of range we have.

      What bothers me the most is the fact I have to read through a whitepaper to finally understand what this thing is doing rather than something in the browser having it off by default, letting me know what it's doing and the benefits of enabling it, and letting me decide. And why do I have to run a command line flag to reset this number? Why not have a button that allows me to easily reset this number?

      For something that is talked about as a casual feature to allow Google to run experimentations, it seems difficult to opt out or to even request a different ID. And for a company like Google that has many issues with privacy, it really doesn't paint the best picture.

      8 votes
      1. [3]
        skybrian
        Link Parent
        Uniquely identifying browsers has been absolutely trivial for any website since cookies were invented. One of the first things websites started doing with cookies is setting a unique random ID so...

        Uniquely identifying browsers has been absolutely trivial for any website since cookies were invented. One of the first things websites started doing with cookies is setting a unique random ID so they can tell how many new visitors they are getting, versus repeat visits. This wasn't originally considered nefarious, because it was used just to get basic statistics rather than being combined with other information.

        It has only been in the last few years that, due to widespread abuse, people started assuming that if they think of a way that tracking is possible, that is what companies like Google are probably doing. This inference is so common in some circles that people don't even notice anymore that they are doing it.

        But the standard of "never do anything that could possibly be misused if you were evil and combined it with everything else you've ever seen" is extremely high and I doubt the people at Google building these things hold themselves to that standard.

        8 votes
        1. [2]
          feigneddork
          Link Parent
          I do see your point, but I'm not saying "never do anything that could possibly be misused if you were evil etc", all I'm saying is inform the end user and let them opt in. For what it's worth, I...

          I do see your point, but I'm not saying "never do anything that could possibly be misused if you were evil etc", all I'm saying is inform the end user and let them opt in.

          For what it's worth, I intentionally opt into Mozilla's telemetry because I want Firefox to be better. For some pieces of software like IntelliJ IDEA, I opt into their telemetry because I want the software to be better. As much as I love Visual Studio Code and I want to see it grow, I opt out of it because of how it is opt-in first and the lack of any clear way to see telemetry data.

          I remember when Google Chrome came out and I absolutely loved it. I was aware of the privacy concerns then, but I loved how fast Chrome was and I intentionally opted into their usage stats/crash reporting because I wanted the software to be better. I know there are people like me who, once details are explained, I can come up with my own decision.

          For example, Jetbrains sends some pretty invasive stuff including the public SSH Key, IP address, and physical address. That is quite concerning levels of private details being passed alng, but I gave it some thought a while back and decided that I prefer Jetbrains products to become better as a result.

          That was my decision, and it was an informed one - I knew what I was getting myself into, and I said OK. I can still revoke that decision if I feel uncertain with the way things are going, or I can keep carrying on like I'm doing now. This is where I want Google to be, not making things obscure and having whitepaper privacy documents I have to Google to understand this feature exists and this is how it exists.

          This is actually the philosophy Apple have on privacy (still has?) and the more I think about it, the more it makes sense. And this is coming from someone who used to love Google and still has an Android phone (although I've been wanting to transition for quite some time).

          6 votes
          1. skybrian
            Link Parent
            Yep, I agree that they could have done a better job of announcing this. I do see things happening at Google that I don't like much. Sometimes it's hard tell the signal from the noise, though....

            Yep, I agree that they could have done a better job of announcing this. I do see things happening at Google that I don't like much. Sometimes it's hard tell the signal from the noise, though.

            Informed consent seems really tricky in practice. People mostly don't read privacy agreements. I'm reminded of all the paperwork you have to sign when you do financial stuff, including checkboxes for specific things that they want to call out. I think most of the time we don't really want to be informed of stuff, we just want it to work the way we expect.

            Over Christmas I bought Mom a Google Nest Hub Max (terrible name) so we could video chat more easily. We talk every day and it works great, now that it's set up. But getting it set up was difficult to do and was scary for her, and it was so unnecessary.

            5 votes
  2. [4]
    feigneddork
    Link
    Technical details are in the URL, but the breakdown is that Chrome has a way of uniquly identifying different Chrome users across devices, and Chrome sends this information to it's own websites...

    Technical details are in the URL, but the breakdown is that Chrome has a way of uniquly identifying different Chrome users across devices, and Chrome sends this information to it's own websites (including ad servers). As people have noticed in the URL, this is a blatant violation of GDPR.

    I've tried this in Firefox and Microsoft Edge browser and both do not exhibit this behaviour. I would personally recommend Firefox due to the fact that Mozilla are less motivated to track you or your behaviour (Microsoft are in the data game like Google, but far less aggressively).

    3 votes
    1. [3]
      DanBC
      Link Parent
      Which bit of GDPR is being broken here please?

      As people have noticed in the URL, this is a blatant violation of GDPR.

      Which bit of GDPR is being broken here please?

      4 votes
      1. [2]
        feigneddork
        Link Parent
        The article about Consent. Most specifically Article 7 and Article 22 (if IP address or any other data collected by Google is combined with the x-client-data header, which is easy to do since...

        The article about Consent. Most specifically Article 7 and Article 22 (if IP address or any other data collected by Google is combined with the x-client-data header, which is easy to do since Google collects so much of it)

        6 votes
        1. DanBC
          Link Parent
          Consent is one of the lawful reasons to collect data, but it's not required. There are other lawful reasons to collect data. Google will be relying on legitimate interest. From your link:

          Consent is one of the lawful reasons to collect data, but it's not required. There are other lawful reasons to collect data. Google will be relying on legitimate interest.

          From your link:

          While being one of the more well-known legal bases for processing personal data, consent is only one of six bases mentioned in the General Data Protection Regulation (GDPR). The others are: contract, legal obligations, vital interests of the data subject, public interest and legitimate interest as stated in Article 6(1) GDPR.

          5 votes
  3. balooga
    Link
    It doesn't appear to be present in incognito mode, at least.

    It doesn't appear to be present in incognito mode, at least.

    2 votes