When a website wants to identify your browser and what sort of computer or device you’re browsing from, the first place they’ll turn to is the User Agent string. In a surprising move, Google’s Chromium team has submitted a new proposal that includes deprecating the User Agent string starting in Chrome 81.
User Agent privacy woes
While web browsers have slowly become more privacy considerate over the years, the User Agent string, a genuine relic of the internet as we once knew it, has become a primary target for fingerprinting a user. According to Google’s measurements, as many as 90% of websites read and use your browser’s User Agent in one way or another.
One look at a page that interprets your User Agent string is all you should need to understand the privacy implications. Your browser of choice, what version you’re on, what operating system you’re using, and in some cases what device you’re using are all revealed and readily shared with any website that asks for it.
The original intention behind giving out this information is for servers to make sure the page you receive is one that’s optimized for your specific browser’s needs. If you’re a long-time internet user, you may remember that some websites would look and act very differently depending on whether you used Internet Explorer, Firefox, or Opera, as each would have their own unique set of missing or supported features.
Nowadays, web browsers are far more competitive and actually do their best to maximize the number of features shared between them. Google, Apple, Mozilla, and other browser vendors work together on new web proposals to ensure cross-browser compatibility where possible. Now that there are fewer compatibility reasons for a site to care whether you’re browsing from Chrome or Firefox, the User Agent string has taken on unfortunate new purposes.
By default, most browsers, including Chrome, block many of the techniques that some websites and ads use to “fingerprint” you in order to maliciously track your browsing and target advertising, even when browsing in Incognito. However, in many cases, your User Agent string can give more than enough information to uniquely identify your computer.
Worse yet, the User Agent will sometimes be used to discriminate against one browser or another, regardless of whether that browser is actually compatible with that website. Google, in particular, has seemingly been guilty of this.
Just last month, Vivaldi, another browser based on the same Chromium source code as Google Chrome, began falsifying its User Agent string to appear as Chrome. The reason given for this was to work around seemingly inexplicable bugs that only occur when the browser announces itself as Vivaldi.
https://twitter.com/ruari/status/1205125779144740864?s=19
Deprecate and freeze the User Agent
So the question then is, what can be done? For the sake of keeping older, unmaintained websites working as expected, the User Agent string can’t just be removed from Chrome altogether. Today, as spotted by Owen Williams, Google has publicly unveiled an in-depth proposal to once and for all stop the misuse of the User Agent string both in Chrome and the web as a whole.
According to the proposal, the first step is to deprecate the “navigator.userAgent” property used to access the User Agent string, suggested to start in March with Chrome 81. This change won’t have any visible effect for most people, and websites will continue to work completely as normal. However, web developers will be given explicit warnings in the Chrome development console that retrieving the User Agent string is no longer a good idea.
Next, with the release of Chrome 83 in June, Google will begin to freeze, or stop updating, the User Agent string with each update to Chrome. At the same time, Chrome will also “unify” the information shared about your device’s operating system. For example, two computers on slightly different Windows 10 updates should have the same User Agent. This will eliminate one more potential fingerprinting method.
Finally, beginning in September’s Chrome 85 release, every Chrome browser running on a desktop operating system, such as Windows, macOS, or Linux, will report the exact same User Agent string, eliminating all possible User Agent fingerprinting. Similarly, Chrome 85 will unify the User Agent on mobile devices, though devices will apparently be lumped into one of a few categories based on screen size.
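To see what the freeze and unification steps do to fingerprinting, the following added example (not code from the proposal or from Chrome) measures how many bits of identifying information the User Agent carries across a small constructed sample at each stage. The frozen version and unified OS tokens are hypothetical placeholders, since the article does not give the real values.

```javascript
// Constructed sample: desktop Chrome User Agent strings from six visitors.
const ua = (os, ver) =>
  `Mozilla/5.0 (${os}) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/${ver} Safari/537.36`;
const SAMPLE_UAS = [
  ua("Windows NT 10.0; Win64; x64", "79.0.3945.117"),
  ua("Windows NT 10.0; Win64; x64", "79.0.3945.130"),
  ua("Windows NT 6.1; Win64; x64", "79.0.3945.88"),
  ua("Macintosh; Intel Mac OS X 10_15_2", "79.0.3945.117"),
  ua("Macintosh; Intel Mac OS X 10_14_6", "80.0.3987.16"),
  ua("X11; Linux x86_64", "79.0.3945.117"),
];

// Hypothetical frozen values; the article does not say what the real ones are.
const FROZEN_VERSION = "0.0.0.0";
const UNIFIED_OS = [
  [/Windows NT [\d.]+/, "Windows NT <unified>"],
  [/Mac OS X [\d_]+/, "Mac OS X <unified>"],
];

// Chrome 83 step: the version stops changing and OS details are unified.
function freezeAndUnifyOs(s) {
  let out = s.replace(/Chrome\/[\d.]+/, `Chrome/${FROZEN_VERSION}`);
  for (const [pattern, replacement] of UNIFIED_OS) out = out.replace(pattern, replacement);
  return out;
}

// Chrome 85 step: every desktop browser reports one identical string.
function unifyDesktop(s) {
  return /Windows|Macintosh|X11/.test(s) ? ua("<desktop>", FROZEN_VERSION) : s;
}

// Shannon entropy in bits: 0 means the header cannot tell visitors apart.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) bits -= (n / values.length) * Math.log2(n / values.length);
  return bits;
}

// One entry per stage: today, after the freeze, after desktop unification.
function report(uas) {
  return [uas, uas.map(freezeAndUnifyOs), uas.map(unifyDesktop)].map((stage) => ({
    distinct: new Set(stage).size,
    bits: entropyBits(stage),
  }));
}

console.log(report(SAMPLE_UAS));
```

After the freeze, only the operating system family still separates visitors in this sample; after desktop unification the header separates none of them.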
Replacing the User Agent
What Google has laid out here is not necessarily a new idea. The proposal notes that back in 2017, Apple went down a similar road with Safari, attempting to altogether freeze the User Agent string. While being very privacy-forward, that proposal had no alternative way for developers to get the extra information they may need to deliver a consistent experience on various devices, and thus received pushback from web developers.
The second half of Google’s proposal is to introduce a healthy compromise to give web developers the information they may need, while still respecting a person’s privacy. Before the deprecation of the User Agent string, Chrome will introduce a new feature called User Agent Client Hints or UA-CH.
Simply put, UA-CH will provide all of the same information that the User Agent string provides today, but each portion of the data must be explicitly asked for and approved by the browser. At the start, there are no protections on this information, but it will be simple for a browser to detect and block any unnecessary UA-CH requests.
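The ask-and-approve exchange described above can be modelled as follows. This is an added example, not Chrome's implementation: the header names come from the UA-CH specification rather than from this article, the hint values are placeholders, and the browser policy (a cap on detailed hints plus a blocklist) is a hypothetical illustration of how a browser could refuse unnecessary requests.

```javascript
// Constructed client state. Header names are from the UA-CH specification;
// the values are placeholders, not real browser output.
const CLIENT_HINTS = new Map([
  ["sec-ch-ua", '"ExampleBrowser";v="<major>"'],
  ["sec-ch-ua-mobile", "?0"],
  ["sec-ch-ua-platform", '"<os family>"'],
  ["sec-ch-ua-platform-version", '"<os version>"'],
  ["sec-ch-ua-arch", '"<cpu arch>"'],
  ["sec-ch-ua-model", '"<device model>"'],
]);

// Hypothetical browser policy: coarse hints are approved on request, detailed
// ones only up to a per-site cap, and a blocklist overrides everything.
const POLICY = {
  coarse: new Set(["sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform"]),
  maxDetailedPerSite: 1,
  blocked: new Set(["sec-ch-ua-model"]),
};

// Accept-CH is a comma-separated list of hint names sent by the server.
function parseAcceptCH(value) {
  const names = value.split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
  return [...new Set(names)];
}

// Returns the request headers the browser would attach to the next request,
// plus the hints it refused and why.
function decideHints(acceptCH, policy = POLICY) {
  const sent = {};
  const refused = {};
  let detailed = 0;
  for (const name of parseAcceptCH(acceptCH)) {
    if (!CLIENT_HINTS.has(name)) refused[name] = "unknown hint";
    else if (policy.blocked.has(name)) refused[name] = "blocked by policy";
    else if (policy.coarse.has(name)) sent[name] = CLIENT_HINTS.get(name);
    else if (detailed < policy.maxDetailedPerSite) {
      sent[name] = CLIENT_HINTS.get(name);
      detailed += 1;
    } else refused[name] = "over detailed-hint cap";
  }
  return { sent, refused };
}

// A site that asks for nothing gets no hints at all.
console.log(decideHints(""));
// A site that asks for everything still only gets what the policy approves.
console.log(decideHints(
  "Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Arch, Sec-CH-UA-Model, Sec-CH-Bogus"));
```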
Putting it all together
Without a doubt, this is a pro-privacy move on Google’s part, which should lead websites to obtain less of your browser’s fingerprint. Many sites should be able to suffice with just the unified User Agent string, while more complex websites can get just the information they need without necessarily exposing that same information to the world.
If the proposals to deprecate the User Agent string and introduce UA-CH are accepted as-is, we should see the first fruits of them soon, as Chrome 81 is already in Canary and is scheduled to be released in March of this year.