Google unpauses privacy-focused changes to Chrome UA strings

Google is resuming work on reducing the granularity of information presented in user-agent strings on its Chrome browser, it said today — picking up an effort it put on pause last year, during the early days of the COVID-19 pandemic, when it said it wanted to avoid piling extra migration burden on the web ecosystem in the middle of a public health emergency.

The resumption of the move has implications for web developers as the changes to user-agent strings could break some existing infrastructure without updates to code. Although Google has laid out a pretty generous-looking timeline of origin tests — and its blog post emphasizes that “no User-Agent string changes will be coming to the stable channel of Chrome in 2021“. So the changes certainly won’t ship before 2022.

The move, via development of its Chromium engine, to pare back user-agent strings to reduce their ability to be used to track users is related to Google’s overarching Privacy Sandbox plan — aka the stack of proposals it announced in 2019 — when it said it wanted to evolve web architecture by developing a set of open standards to “fundamentally enhance” web privacy.

Part of this move toward a more private default for Chromium is depreciating support for third party tracking cookies. Another part is Google’s proposed technological alternative for on-device ad-targeting of cohorts of users (aka FLoCs).

Cleaning up exploitable surface areas like fingerprintable user-agent strings is another component — and should be understood as part of the wider ‘hygiene’ drive required to deliver on the goals of Privacy Sandbox.

The latter remains a massive, tanker-turning effort, though.

And while there has been some suggestions Google could be ready to ship Privacy Sandbox in early 2022, given the timelines it’s allowing for origin tests of the changes to user-agent strings — a seven phase rollout, with two origin trials lasting at least six months apiece — that looks unlikely. (At least not for all the constituent parts of the Sandbox to ship.)

Indeed, back in 2019 Google was upfront that the changes it had in mind would not come overnight, saying then: “It’s going to be a multi-year journey”. Albeit in January 2020 it seemed to dial up at least part of the timeline, saying it wanted to phase out support for third party cookies within two years.

Still, Google can’t realistically depreciate tracking cookies without also shipping changes in browser standards that are needed to provide publishers and advertisers with alternative means to do ad targeting, measurement and fraud prevention. So any delay to elements of the Privacy Sandbox could have a knock-on impact on its ‘two-year’ timeline to end support for third party cookies. (And 2022 may well be the very earliest the shift could happen.)

There’s push and pull going on here, as Google’s effort to retool web infrastructure — and, more specifically, to change how web users and activity can and can’t be tracked — has massive implications for many other web users; most notably the adtech players and publishers whose businesses are deeply embedded in this tracking web.

Unsurprisingly, it has faced a lot of pushback from those sectors.

Its plan to end support for third party tracking cookies is also under regulatory scrutiny in Europe — where advertisers complained it’s an anti-competitive power move to block third parties’ access to user data while continuing to help itself to masses of first party user data (given its dominance of key Internet services). So depending on how regulators respond to ecosystem concerns Google may not be able to keep full control of the timeline, either.

Nonetheless, from a privacy perspective, Chrome paring back user-agent strings is a welcome — if overdue — move.

Indeed Google’s blog post notes that it’s the laggard vs similar efforts already undertaken by the web engines underlying Apple’s Safari browser and Mozilla’s Firefox.

“As noted in the User Agent Client Hints explainer, the User Agent string presents challenges for two reasons. Firstly, it passively exposes quite a lot of information about the browser for every HTTP request that may be used for fingerprinting,” Google writes, fleshing out its rational for the change. “Secondly, it has grown in length and complexity over the years and encourages error-prone string parsing. We believe the User Agent Client Hints API solves both of these problems in a more developer- and user-friendly manner.”

Commenting on the development, Dr Lukasz Olejnik, an independent consultant and security and privacy researcher who has advised the W3C on technical architecture and standards, describes the incoming change as “a great privacy improvement”.

“The user-agent change will reduce entropy and so reduce identifiability,” he told TechCrunch. “I view it as a great privacy improvement because considering IP address and the UA string at the same time is highly identifying. UAs are not exactly simplified in Firefox/Safari in the way Chrome suggests doing them.”

Google’s blog post notes that its UA plan was “designed with backwards compatibility in mind”, and seeks to reassure developers — adding that: “While any changes to the User Agent string need to be managed carefully, we expect minimal friction for developers as we roll this out (i.e., existing parsers should continue to operate as expected).

“If your site, service, library or application relies on certain bits of information being present in the User Agent string such as Chrome minor version, OS version number, or Android device model, you will need to begin the migration to use the User Agent Client Hints API instead,” it goes on. “If you don’t require any of these, then no changes are required and things should continue to operate as they have to date.”

Despite Google’s reassurances, Olejnik suggested some web developers could still be caught on the hop — if they fail to take note of the development and don’t made necessary updates to their code in time.

“Web developers may be concerned as certain libraries or backend systems depend on the strict UA string existing as today,” he noted, adding: “Things may stop working as intended. This might be a sudden and surprising breakage. But the actual impact at a scale is unpredictable.”