How the new Google Chrome is tracking users across the web

Krzysztof Chudoba
Feb 7, 2020


Now it’s not a revelation that Google is able to track people browsing the web with the existing technology (3rd-party cookies, fingerprinting, IP etc.). Recently, however, they decided to add one more piece of tracking tech directly into their Chrome browser.

X-CLIENT-DATA

The latest version of Google Chrome (80) adds a new request header, x-client-data, to each HTTP request directed, wait for it… yes, to Google’s own domains only. This means that whenever you open the search engine or YouTube or any other page that uses Google Ads or Google Analytics (although, at the moment, I haven’t seen it being sent to the Analytics server), Chrome will add a short identifier to the HTTP request header, which basically identifies your browser installation.

According to Google:

We want to build features that users want, so a subset of users may get a sneak peek at new functionality being tested before it’s launched to the world at large. A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome-Variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.

Source: https://www.google.com/chrome/privacy/whitepaper.html#variations

What does it really mean? Whenever you start the browser and do a Google search, the “de-facto” browser-ID is sent to Google. Later you open Youtube and the same ID is sent to Youtube’s server. Next, you visit some shopping site and, if they use Google’s Ads, the requests to the ad server will contain the same ID.

Now, according to Google, the new header does not pose a privacy issue, as it doesn’t contain any PII (personally identifiable information): the ID is a number (0–7999) randomly generated during installation, and thus it is not unique (millions of users worldwide will have the same number assigned to their browser). What they conveniently fail to acknowledge is that the “browser-ID”, combined with other information available to the website (e.g. IP address, the browser’s user-agent string and other browser features such as screen size), will make it much easier to uniquely identify the user (and especially those who logged into one of the Google services before, thereby basically linking their “browser-ID” to their Google account).

Why does it matter?

Well, first of all, if you browse the internet while being logged into a Google account, it doesn’t change much — you are being tracked anyway. If you are a bit more privacy concerned, however, and log out of your online accounts after using them, or even if you delete your cookies regularly, Google will now still be able to identify you when you open one of their websites (or websites that use their ads), because the browser installation ID is still the same.

Another reason why this new request header parameter is quite worrisome is the fact that it is only sent to Google’s own domains. If, as Google claims, it is meant to enable A/B testing, why not include it in all requests (to all domains) so that everyone can benefit from it? Could it be that they have had concerns about the potential abuse of the new “feature” by other website providers…?

So what now?

Is there anything we can do to regain our privacy?
For now it seems that the x-client-data header is not added to requests made in Incognito mode (but who knows what the next version will bring). Additionally, according to Google, you can run Chrome with the command line flag “--reset-variation-state” to assign the browser a new random number. If all that sounds ridiculous to you (as it should), you can simply switch to a different, more privacy-oriented browser, e.g. Brave, Opera or even Firefox (luckily none of the other Chromium-based browsers includes this new “feature”).
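
To check this behaviour on your own traffic, the following added example (not from the original article) reads a HAR capture and lists which hosts received the x-client-data header and whether the same value reached more than one of them. It assumes the capture includes request headers; the sample entries, hosts and values are constructed placeholders.

```python
"""Audit a HAR capture for the x-client-data request header."""
import json
import sys
from collections import defaultdict
from urllib.parse import urlsplit

HEADER = "x-client-data"

# Constructed sample in HAR 1.2 shape; hosts and header values are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://www.google.com/search?q=test",
                 "headers": [{"name": "X-Client-Data", "value": "PLACEHOLDER_A"}]}},
    {"request": {"url": "https://www.youtube.com/",
                 "headers": [{"name": "x-client-data", "value": "PLACEHOLDER_A"}]}},
    {"request": {"url": "https://shop.example/cart",
                 "headers": [{"name": "Accept", "value": "*/*"}]}},
]}}


def hosts_receiving_header(har):
    """Return {host: set of x-client-data values sent to that host}."""
    seen = defaultdict(set)
    for entry in har.get("log", {}).get("entries", []):
        request = entry.get("request", {})
        host = urlsplit(request.get("url", "")).hostname or "(unknown)"
        for header in request.get("headers", []):
            # HTTP header names are case-insensitive.
            if header.get("name", "").lower() == HEADER:
                seen[host].add(header.get("value", ""))
    return dict(seen)


def values_shared_across_hosts(report):
    """Return {value: sorted hosts} for values that reached more than one host."""
    by_value = defaultdict(set)
    for host, values in report.items():
        for value in values:
            by_value[value].add(host)
    return {v: sorted(h) for v, h in by_value.items() if len(h) > 1}


if __name__ == "__main__":
    # Usage: python audit_har.py session.har (falls back to the constructed sample)
    har = SAMPLE_HAR
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            har = json.load(fh)
    report = hosts_receiving_header(har)
    for host in sorted(report):
        print(f"{host}: {len(report[host])} distinct value(s)")
    for value, hosts in values_shared_across_hosts(report).items():
        print(f"same value sent to: {', '.join(hosts)}")
```

Capturing one session in a normal window and one in Incognito, or one before and one after resetting the variation state, and comparing the two reports shows whether the header is absent or its value has changed.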
