Google is resuming work on reducing the granularity of information presented in user-agent strings in its Chrome browser, it said today — picking up an effort it put on pause last year, during the early days of the COVID-19 pandemic, when it said it wanted to avoid piling extra migration burden on the web ecosystem in the middle of a public health emergency.
The resumption of the move has implications for web developers, as the changes to user-agent strings could break some existing infrastructure without updates to code. Google has, though, laid out a fairly generous-looking timeline of origin trials — and its blog post emphasizes that “no User-Agent string changes will be coming to the stable channel of Chrome in 2021”. So the changes definitely won’t ship before 2022.
The move, via development of its Chromium engine, to pare back user-agent strings to reduce their ability to be used to track users is related to Google’s overarching Privacy Sandbox plan — aka the stack of proposals it announced in 2019 — when it said it wanted to evolve web architecture by creating a set of open standards to “fundamentally enhance” web privacy.
Part of this move toward a more private default for Chromium is deprecating support for third-party tracking cookies. Another part is Google’s proposed technological alternative for on-device ad-targeting of cohorts of users (aka FLoCs).
Cleaning up exploitable surface areas like fingerprintable user-agent strings is another component — and should be understood as part of the wider ‘hygiene’ drive required to deliver on the goals of Privacy Sandbox.
The latter remains a massive, tanker-turning effort, though.
And while there have been some suggestions Google could be ready to ship Privacy Sandbox in early 2022, given the timelines it’s allowing for origin trials of the changes to user-agent strings — a seven-phase rollout, with two origin trials lasting at least six months apiece — that looks unlikely. (At least not for all the constituent parts of the Sandbox to ship.)
Indeed, back in 2019 Google was upfront that the changes it had in mind wouldn’t come overnight, saying then: “It’s going to be a multi-year journey”. Albeit in January 2020 it appeared to dial up at least part of the timeline, saying it wanted to phase out support for third-party cookies within two years.
Still, Google can’t realistically deprecate tracking cookies without also shipping changes in browser standards that are needed to provide publishers and advertisers with alternative means to do ad targeting, measurement and fraud prevention. So any delay to parts of the Privacy Sandbox could have a knock-on impact on its ‘two-year’ timeline to end support for third-party cookies. (And 2022 would be the very earliest the shift could happen.)
There’s push and pull going on here, as Google’s effort to retool web infrastructure — and, more specifically, to change how web users and activity can and can’t be tracked — has huge implications for many other web users; most notably the adtech players and publishers whose businesses are deeply embedded in this tracking web.
Unsurprisingly, it has faced a lot of pushback from those sectors.
Its plan to end support for third-party tracking cookies is also under regulatory scrutiny in Europe — where advertisers complained it’s an anti-competitive power move to block third parties’ access to user data while continuing to help itself to lots of first-party user data (given its dominance of key Internet services). So depending on how regulators respond to ecosystem concerns, Google may not be able to keep full control of the timeline, either.
Nonetheless, from a privacy perspective, Chrome paring back user-agent strings is a welcome — if overdue — move.
Indeed, Google’s blog post notes that it’s the laggard vs similar efforts already undertaken by the web engines underlying Apple’s Safari browser and Mozilla’s Firefox.
“As noted in the User Agent Client Hints explainer, the User Agent string presents challenges for two reasons. Firstly, it passively exposes quite a lot of information about the browser for every HTTP request that may be used for fingerprinting,” Google writes, fleshing out its rationale for the change. “Secondly, it has grown in length and complexity over the years and encourages error-prone string parsing. We believe the User Agent Client Hints API solves both of these problems in a more developer- and user-friendly manner.”
Commenting on the development, Dr Lukasz Olejnik, an independent consultant and security and privacy researcher who has advised the W3C on technical architecture and standards, describes the incoming change as “a great privacy improvement”.
“The user-agent change will reduce entropy and so reduce identifiability,” he told TechCrunch. “I view it as a great privacy improvement because considering IP address and the UA string at the same time is highly identifying. UAs are not exactly simplified in Firefox/Safari in the way Chrome suggests doing them.”
Google’s blog post notes that its UA plan was “designed with backwards compatibility in mind”, and seeks to reassure developers — adding that: “While any changes to the User Agent string need to be managed carefully, we expect minimal friction for developers as we roll this out (i.e., existing parsers should continue to operate as expected).
“If your site, service, library or application relies on certain bits of information being present in the User Agent string such as Chrome minor version, OS version number, or Android device model, you will need to begin the migration to use the User Agent Client Hints API instead,” it goes on. “If you don’t require any of these, then no changes are required and things should continue to operate as they have to date.”
Despite Google’s reassurances, Olejnik suggested some web developers could still be caught on the hop — if they fail to take note of the development and don’t make necessary updates to their code in time.
“Web developers may be concerned as certain libraries or backend systems depend on the strict UA string existing as today,” he noted, adding: “Things may stop working as intended. This might be a sudden and surprising breakage. But the actual impact at a scale is unpredictable.”
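The migration Google describes can be sketched server-side as follows. This is an added example, not code from Google or from this article: a helper that prefers User-Agent Client Hints request headers and falls back to reading only the major version from the User-Agent string. The function names and sample headers are constructed; the `Sec-CH-UA-*` and `Accept-CH` header names are those of the Client Hints specification.

```javascript
// Added example. Hint names come from the UA Client Hints spec; function
// names and the sample requests used to exercise them are constructed.
const HIGH_ENTROPY_HINTS = [
  'Sec-CH-UA-Full-Version-List',
  'Sec-CH-UA-Platform-Version',
  'Sec-CH-UA-Model',
];

// Value for the Accept-CH response header that opts in to the hints above.
function acceptCHValue() {
  return HIGH_ENTROPY_HINTS.join(', ');
}

// Parse a brand list such as: "Chromium";v="93", "Not;A Brand";v="99"
function parseBrandList(value) {
  const brands = {};
  const re = /"([^"]*)";\s*v="([^"]*)"/g;
  let m;
  while ((m = re.exec(value || '')) !== null) brands[m[1]] = m[2];
  return brands;
}

// Unwrap a quoted string item such as "Android"; null if absent or malformed.
function unquote(value) {
  const m = /^"([^"]*)"$/.exec((value || '').trim());
  return m ? m[1] : null;
}

// Headers are client-controlled: use the result for compatibility decisions,
// never as an identity or security signal.
function describeClient(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const full = parseBrandList(h['sec-ch-ua-full-version-list']);
  const low = parseBrandList(h['sec-ch-ua']);
  const fullVersion = full['Google Chrome'] || full['Chromium'] || null;
  const hinted = fullVersion || low['Google Chrome'] || low['Chromium'] || null;
  // Fallback reads only the major version, not the minor version the
  // article says sites should stop expecting in the string.
  const ua = /Chrome\/(\d+)\./.exec(h['user-agent'] || '');
  const major = hinted ? parseInt(hinted, 10) : ua ? parseInt(ua[1], 10) : null;

  return {
    source: hinted ? 'client-hints' : ua ? 'user-agent' : 'unknown',
    major,
    fullVersion,
    platform: unquote(h['sec-ch-ua-platform']),
    platformVersion: unquote(h['sec-ch-ua-platform-version']),
    model: unquote(h['sec-ch-ua-model']),
  };
}
```

Code written this way keeps working when the minor version, OS version or device model is missing from the User-Agent string, because those fields come back as `null` rather than as a parse failure.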