work on reducing the granularity of information presented in user-agent strings on its Chrome browser; it said today — picking up an effort it put on pause last year, during the early days of the COVID-19 pandemic when it said it wanted to avoid piling extra migration burden on the web ecosystem in the middle of a public health emergency.
The resumption of the move has implications for web developers as the changes to user-agent strings could break some existing infrastructure without updates to code. Although Google has laid out a pretty generous-looking timeline of origin tests, its blog post emphasizes that “no User-Agent string changes will be coming to the stable channel of Chrome in 2021“. So the certainly won’t ship before 2022.
The move, via the development of its Chromium engine, to pare back user-agent strings to reduce their ability to be used to track users is related to Google’s overarching Privacy Sandbox plan — aka the stack of proposals it announced in 2019 — when it said it wanted to evolve web architecture by developing a set of open.
Part of this move toward a more private default for Chromium is depreciating required to deliver on the goals of Privacy Sandbox.. Another part is Google’s proposed technological alternative for on-device ad-targeting cohorts of users (aka FLoCs). Cleaning up exploitable surface areas like finger printable user-agent strings is another component — and should be understood as part of the more comprehensive ‘hygiene’ drive
The latter remains a massive, tanker-turning effort, though. And while there have been some suggestions Google could be ready to ship Privacy Sandbox in early 2022, given the timelines, it’s allowing for origin tests of the changes to user-agent strings — a seven-phase rollout, with two origin trials lasting at least sixthat looks unlikely. (At least not for all the constituent parts of the Sandbox to ship.)
Indeed, back in 2019, Google was upfront that the changes it had in mind would not come overnight, saying then: “It’s going to be a multi-year journey”. In January 2020, it seemed to dial up at least part of the timeline, saying it wanted to phase out support forwithin two years.
Still, end support for third-party cookies. (And 2022 may be the very earliest the shift could happen.)without shipping changes in browser standards needed to provide publishers and advertisers with alternative means for ad targeting, measurement, and fraud prevention. So any delay to elements of the Privacy Sandbox could have a knock-on impact on its ‘two-year’ timeline to
There’s push and pull going on here, as Google’s effort to retool web infrastructure — and, more specifically, to change how web users and— has massive implications for many other web users, most notably the adtech players and publishers whose businesses are deeply embedded in this tracking web. Unsurprisingly, it has faced a lot of pushback from those sectors.
Its plan to end support for third-party tracking cookies is also under regulatory scrutiny in Europe — where advertisers complained it’s an anti-competitiveto block third parties access to user data while continuing to help itself to masses of first-party user data (given its dominance of essential Internet services). So depending on how regulators respond to ecosystem concerns, Google may not keep complete control of the timeline, either.
Nonetheless, Chrome paring back user-agent strings is a welcome — if overdue — move from a privacy perspective. Indeed Google’s blog post notes that it’s the laggard vs. similar efforts already undertaken by the and Mozilla’s Firefox.
“As noted in the User-Agent Client Hints explainer, the User-Agent string presents challenges for two reasons. Firstly, it passively exposes quite a lot of information about the browser for every HTTP request that may be used for fingerprinting,” Google writes, fleshing out its rationale for the change. “Secondly, it has grown in length and complexity over the years and encourages error-prone string parsing. We believe the User Agent Client Hints APIin a more developer- and user-friendly manner.”
Commenting on the development, Dr. Lukasz Olejnik, an independent consultant andwho has advised the W3C on technical architecture and standards, describes the incoming change as “a great privacy improvement”. “The user-agent change will reduce entropy and so reduce identifiability,” he told TechCrunch. “I view it as a great because considering the IP address and the UA string simultaneously is highly identifying. UAs are not exactly simplified in Firefox/Safari in the way Chrome suggests.”
Google’s blog post notes that its UA plan was “designed within mind”. It seeks to reassure developers — adding that: “While any changes to the User-Agent string need to be managed carefully, we expect minimal friction for developers as we roll this out (i.e., existing parsers should continue to operate as expected).
“If your site, service, library, or application relies on certain bits of information being present in the User-Agent string such as Chrome minor version, OS version number, or Android device model, you will need to begin the migration to use the User Agent Client Hints API instead,” it goes on. “If you don’t require any of these, then no changes are required, and things should continue to operate as they have to date.”
Despite Google’s reassurances, Olejnik suggested some web developers could still be caught on the hop — if they fail to take note of the development and don’t make necessary updates to their code in time. “Web developers may be concerned as certain libraries or backend systems depend on the strict UA string existing today,” he noted, adding: “Things may stop working as intended. This might be a sudden and surprising breakage. But the actual impact at a scale is unpredictable.”