


Google announced today that it is resuming work to reduce the granularity of the information exposed in user agent strings in the Chrome browser. The initiative was suspended last year, in the early days of the COVID-19 pandemic, to avoid placing an extra migration burden on the web ecosystem during a public health emergency.

The resumption matters to web developers because changes to the user agent string can break parts of existing infrastructure unless code is updated. Google has laid out a timeline of origin trials that looks fairly generous, and its blog post emphasizes that “there will be no user agent string changes in Chrome’s stable channels in 2021.” The changes will therefore certainly not ship before 2022.

The move to pare back user agent strings, and so reduce their usefulness for tracking users, through development of the Chromium engine is related to Google’s overarching Privacy Sandbox plan, a stack of proposals announced in 2019 with the aim of evolving web architecture by developing a set of open standards to “fundamentally enhance” web privacy.

Part of this move towards more private defaults for Chromium is deprecating support for third-party tracking cookies. Another part is Google’s proposed technical alternative for ad targeting: on-device targeting of cohorts of users (also known as FLoC).

Cleaning up exploitable surface areas such as fingerprintable user agent strings is another component, understood as part of the broader “sanitary” drive needed to achieve the Privacy Sandbox goals.

The latter, however, remains an effort akin to turning a large tanker.

And while there had been some suggestions that Google might be ready to ship the Privacy Sandbox in early 2022, that looks unlikely given the timeline it is allowing for origin trials of the user agent string changes: a seven-step rollout, with two origin trials that each last at least six months. (At least, not with all of the sandbox components shipped.)

Indeed, in 2019 Google was clear that the changes it had in mind would not happen overnight, saying, “It’s going to be a multi-year journey.” In January 2020 it seemed to speed up at least part of the timeline, saying it would like to phase out support for third-party cookies within two years.

Still, Google cannot realistically deprecate tracking cookies without also shipping the browser standard changes needed to give publishers and advertisers alternatives for targeting, measuring, and fraud-proofing their ads. So if elements of the Privacy Sandbox are delayed, there will be a knock-on impact on the “two-year” timeline for ending support for third-party cookies. (And 2022 may be the earliest that shift could occur.)

Google’s efforts to rebuild web infrastructure, and more specifically to change how web users and their activity can and cannot be tracked, will have a significant impact on many other parties on the web, and there are pushes and pulls here. Most notable are the ad tech players and publishers whose businesses are deeply embedded in this tracking web.

Not surprisingly, it is facing a lot of backlash from these sectors.

Plans to end support for third-party tracking cookies are also under regulatory scrutiny in Europe. Advertisers complain that it is an anti-competitive move to block access to third-party user data while Google continues to benefit from large amounts of first-party user data (considering its dominance of major internet services). So, depending on how regulators respond to the ecosystem’s concerns, Google may not have complete control over the timeline.

Still, from a privacy perspective, Chrome paring back user agent strings is a welcome, if overdue, move.

In fact, Google’s blog post states that it lags behind similar efforts already undertaken by Apple’s Safari browser and Mozilla’s Firefox-based web engine.

“As mentioned in the User Agent Client Hints section, user agent strings are challenging for two reasons. First, it passively exposes a great deal of information about the browser on every HTTP request, which could be used for fingerprinting,” Google writes. “Second, it has increased in length and complexity over the years, facilitating error-prone string parsing. We believe the User Agent Client Hints API solves both of these issues in a more developer- and user-friendly way.”

Commenting on the development, Dr. Lukasz Olejnik, an independent consultant and security and privacy researcher who has advised the W3C on technology architecture and standards, describes the coming changes as “a significant improvement in privacy.”

“Changes in user agents will reduce entropy and reduce identifiability,” he told TechCrunch. “We think that the IP address and the UA string considered together are very identifying, so we think that privacy has been greatly improved. Firefox/Safari do not simplify the UA in exactly the way Chrome proposes.”

Seeking to reassure developers, Google’s blog post states that the UA plan was “designed with backward compatibility in mind.” It adds: “Changes to user agent strings need to be carefully managed, but we expect minimal friction for developers as we roll this out (that is, existing parsers must continue to work as expected).

“If a site, service, library, or application relies on certain information present in the user agent string, such as Chrome minor version, OS version number, or Android device model, you need to start the migration to the User Agent Client Hints API instead. If you don’t need any of these, you don’t need to make any changes and they should continue to work.”

Despite Google’s reassurance, Olejnik suggested that some web developers may still be caught out if they do not pay attention to the development and make the necessary updates to their code.

“Web developers can be concerned because certain libraries and back-end systems rely on the strict UA strings that exist today,” he added. “This may be a sudden and surprising break. However, the actual large-scale impact is unpredictable.”
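
The migration Google's post describes, and the breakage Olejnik warns of, sketched as an added example that is not from Google's post or the original article: a server-side helper that reads User-Agent Client Hints request headers, lists the high-entropy hints still to be requested through `Accept-CH`, and falls back to the major version in the UA string when no hints arrive. The function names and sample values are assumptions constructed for illustration; the header names are those of the Client Hints mechanism.

```javascript
// Added example. High-entropy hints (full version, OS version, device model)
// are only sent after the server opts in by naming them in Accept-CH.
const HIGH_ENTROPY = {
  fullVersion: 'Sec-CH-UA-Full-Version-List',
  platformVersion: 'Sec-CH-UA-Platform-Version',
  model: 'Sec-CH-UA-Model',
};

// Parse a brand list such as: "Chromium";v="110", "Not A(Brand";v="24"
function parseBrandList(value) {
  const brands = new Map();
  const re = /"((?:[^"\\]|\\.)*)"\s*;\s*v="([^"]*)"/g;
  for (const m of (value || '').matchAll(re)) brands.set(m[1], m[2]);
  return brands;
}

const unquote = (v) => (typeof v === 'string' ? v.replace(/^"|"$/g, '') : null);

// headers: plain object of request headers (hypothetical shape);
// needed: keys of HIGH_ENTROPY that the site actually depends on.
function describeClient(headers, needed = []) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const brands = parseBrandList(h['sec-ch-ua']);
  if (brands.size === 0) {
    // No hints (older or non-Chromium client): read only the major version and
    // do not parse minor version, OS version or device model from the UA string.
    const m = /Chrome\/(\d+)\./.exec(h['user-agent'] || '');
    return { source: 'user-agent', chromeMajor: m ? Number(m[1]) : null, requestHints: [] };
  }
  const full = parseBrandList(h['sec-ch-ua-full-version-list']);
  const info = {
    source: 'client-hints',
    chromeMajor: Number(brands.get('Google Chrome') || brands.get('Chromium')) || null,
    mobile: h['sec-ch-ua-mobile'] === '?1',
    platform: unquote(h['sec-ch-ua-platform']),
    fullVersion: full.get('Google Chrome') || full.get('Chromium') || null,
    platformVersion: unquote(h['sec-ch-ua-platform-version']),
    model: unquote(h['sec-ch-ua-model']),
  };
  // Header names to send back in Accept-CH so later requests carry them.
  info.requestHints = needed
    .filter((k) => HIGH_ENTROPY[k] && info[k] === null)
    .map((k) => HIGH_ENTROPY[k]);
  return info;
}
```

Requesting only the hints listed in `needed` keeps the entropy a site collects limited to what it actually uses.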

