Google Is Removing an Insidious Tracking Tool From Its Browser
When you navigate to an article in a browser like Google Chrome, that browser automatically sends the site a string of text that looks something like this: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) CriOS/56.0.2924.75 Mobile/14E5239e Safari/602.1.
That gibberish tells the owner of the website a lot about your computer:
- Mozilla/5.0: The browser you’re using is “Mozilla-compatible.”
- (iPhone; CPU iPhone OS 10_3 like Mac OS X): The platform you’re using is an iPhone, running iOS 10.3, which is based on macOS.
- CriOS/56.0.2924.75 Mobile/14E5239e Safari/602.1: The renderer used by the browser is Chrome for iOS, version 56, which is using the Apple Safari browser technology.
This list of details about your computer, called the “user agent,” was conceived in the early 1990s as a way to identify browsers visiting a website, and it’s now a standard part of all web browsers. But last week, Google said that it plans to phase out this user agent feature in the technology that powers Chrome, called Blink (the same technology also powers a number of other browsers, including the new Microsoft Edge).
Google says its aims include protecting user privacy. Although the information transmitted to websites by the user agent may seem fairly innocuous, it is deeply specific about the technologies you’re using and your device. The Electronic Frontier Foundation’s Panopticlick project demonstrated that accessing the user agent is often more than enough to allow advertisers to build a profile that homes in on your computer’s identity. In other words, the user agent can act as a fingerprint for your computer that allows advertisers like Facebook and Google to track you around the web, even when you’re not logged into their service.
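To make the breakdown of the string and the fingerprinting point above concrete, here is an added example (not code from Google, the EFF or this article) that splits a user agent into its product tokens and comments, then counts how many visitors in a small sample it singles out. The visitor list is constructed, and `coarseKey` is a hypothetical reduced string used only for comparison, not the format Chrome will send.

```javascript
// Added example. VISITORS is constructed sample data; coarseKey() is a
// hypothetical reduced string, not Chrome's actual frozen user agent.
const ARTICLE_UA = 'Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) ' +
  'AppleWebKit/602.1.50 (KHTML, like Gecko) CriOS/56.0.2924.75 Mobile/14E5239e Safari/602.1';
const DESKTOP_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) ' +
  'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36';
const VISITORS = [
  ARTICLE_UA,
  ARTICLE_UA.replace('2924.75', '2924.79'),
  ARTICLE_UA.replace('10_3', '10_2').replace('14E5239e', '14C92'),
  DESKTOP_UA,
  DESKTOP_UA.replace('3945.130', '3945.117'),
  DESKTOP_UA.replace('Windows NT 10.0; Win64; x64', 'X11; Linux x86_64'),
];

// Split a user agent into "Name/Version" products and "(a; b)" comments.
function parseUserAgent(ua) {
  const re = /\(([^)]*)\)|([^\s\/()]+)(?:\/(\S+))?/g;
  return [...ua.matchAll(re)].map(m => m[1] !== undefined
    ? { comment: m[1].split(';').map(s => s.trim()) }
    : { product: m[2], version: m[3] || null });
}

// Keep only the platform name and each product's major version number.
function coarseKey(ua) {
  const parts = parseUserAgent(ua);
  const first = parts.find(p => p.comment);
  const products = parts.filter(p => p.product)
    .map(p => `${p.product}/${parseInt(p.version, 10)}`);
  return `${first ? first.comment[0] : ''}|${products.join(' ')}`;
}

// Count how many visitors share each key (the "anonymity set" sizes).
function anonymitySets(uas, keyFn) {
  const sets = new Map();
  for (const ua of uas) sets.set(keyFn(ua), (sets.get(keyFn(ua)) || 0) + 1);
  return sets;
}

// Visitors whose key nobody else in the sample shares.
function uniqueVisitors(uas, keyFn) {
  return [...anonymitySets(uas, keyFn).values()].filter(n => n === 1).length;
}

// Identifying information, in bits, that one visitor's key reveals.
function surprisalBits(ua, uas, keyFn) {
  return -Math.log2(anonymitySets(uas, keyFn).get(keyFn(ua)) / uas.length);
}

console.log('unique by full string:', uniqueVisitors(VISITORS, ua => ua));
console.log('unique by coarse key: ', uniqueVisitors(VISITORS, coarseKey));
```

In this sample every visitor is unique by the full string, while the coarse key leaves only one visitor standing alone.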
The user agent also encourages bad behaviors, like serving different websites to people depending on their browser, or blocking some browsers from accessing a service entirely. Google itself has used this strategy. For years, if you tried to access a Hangouts call while using some browsers other than Chrome, like some versions of Firefox, it wouldn’t load. Instead, it would surface a message stating that the tool requires Google Chrome (Google has since changed this so that Hangouts works with most major browsers). Similarly, Google was recently caught blocking access to its Stadia game streaming service for Microsoft Edge users, despite the browser being based on the same technology as the Chrome browser in the first place.
As popular developer blog CSS Tricks put it in 2009, “browser detection is bad” and “the whole reason web standards exist is so that we don’t have to write specific code [for specific browsers].”
Google will not remove the feature, but rather it will stop updating the user agent with new information as users change browsers and operating systems, which will make it less useful.
The company isn’t the first to try to retire the user agent — W3C, the standards body behind the internet, has suggested a similar move for quite some time but never arrived at a consensus about how to move forward. Apple, which markets its commitment to privacy, attempted to restrict access to the string by freezing it in a similar way (though it appears to have walked back the changes).
This policy change by Google is more consequential because the Chrome browser owns more than 63% of all web traffic. The company controls so much browsing traffic that it is able to dictate what an entire industry does. Killing the user agent should encourage developers to make sure their sites work in every browser, rather than selectively targeting them to Chrome or blocking browsers, like Firefox, that they might not want to support.
It’s also likely to make developers’ lives difficult, at least in the short term: These strings are useful for debugging problems on websites and help work around quirks found in specific browsers. A dizzying array of enterprise technologies, such as virtualization software VMware, rely on this string for security reasons.
There’s some truth to Google’s claim that phasing out the user agent will help protect privacy, but Google may not actually be giving up much by freezing the user agent. Because of its dominance in web browsing, Google already has access to the majority of web users’ data regardless of whether it includes a user agent. By freezing the feature, it removes access to that data by competitors.
If Google truly cared about improving privacy it would bake features like tracker blocking into Chrome directly, as other browsers have. That, of course, is unlikely to ever happen, given that the entire purpose of the search engine giant is to track you across the web.
Update: An earlier version of this article contained incorrect information about Google Hangouts’ compatibility with other browsers. The service has been updated to be compatible with most major browsers.