This week, the web and browser development community voiced concerns over “X-Client-Data,” an alleged “tracking ID” sent by Chrome to all Google sites. Google has denied the tracking allegation and pointed to the actual, more benign purpose for this special ID.
Last month, Google proposed a plan to move the web away from using the “User-Agent” string, which freely gives every site you browse or even connect to information about your browser and computer. As part of this proposal, Chrome would begin to “freeze” and eventually “unify” the User-Agent string to keep the more in-depth info away from prying eyes without asking for explicit permission.
Without a doubt, this would be a major privacy win, as the User-Agent is one of the many tools used to uniquely identify (or “fingerprint”) you and track your browsing habits for the purposes of things like ads. Considering Google makes over $100B per year from ads, this may even seem like a shocking move from them, but some believe there’s more to the story.
In a longer discussion about the potential merits and drawbacks of freezing the User-Agent, some have spoken out about the consequences of this change for smaller ad networks that try to compete with Google’s multi-billion dollar ads business. Google Chrome currently has dominance in the web browser market, which means this move would have an immediate damaging impact on any ad company that relies on the User-Agent as a factor for fingerprinting.
Meanwhile, Arnaud Granal, the developer of Kiwi Browser, a Chromium-based alternative browser for Android — and thus someone who has a deep understanding of Chrome and Chromium — has pointed out that Chrome creates its own special bit of data called “X-Client-Data.” Granal claims this could be used by Google to bypass any fingerprinting restrictions that Google Chrome would add.
What is X-Client-Data?
Google Chrome’s privacy whitepaper explains that X-Client-Data is used to describe the various experiments and Chrome Flags that are enabled in your browser.
We want to build features that users want, so a subset of users may get a sneak peek at new functionality being tested before it’s launched to the world at large. A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome-Variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.
To decide which automatic experiments you’ll see on your device — things like early tests of upcoming features and redesigns — Chrome generates a randomized “seed” the first time that you run it. Chrome then sends Google’s servers your seed to determine which experiments should be enabled automatically and enables them.
Finally, Chrome will convert those enabled experiments into a string of letters and numbers (Base64 to be precise) that it calls the X-Client-Data header.
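To make that "string of letters and numbers" concrete, here is a small decoder, added as an example for this article and not code from the article or from Chromium itself. It assumes the header is the standard base64 encoding of a protobuf ClientVariations message whose two repeated varint fields are field 1 (variation_id) and field 3 (trigger_variation_id), the layout found in Chromium's components/variations/proto/client_variations.proto; the sample header it builds is constructed for the example, not captured from a real browser. The encoder is included only so the sample can be produced and round-tripped.

```python
"""Decode (and, for the sample, encode) a Chrome X-Client-Data header.

Assumed format: base64 of a protobuf ClientVariations message with
  field 1 = repeated int32 variation_id
  field 3 = repeated int32 trigger_variation_id
(field numbers taken from Chromium's client_variations.proto; the
sample header below is constructed here, not captured from Chrome).
"""
import base64

VARIATION_ID_TAG = (1 << 3) | 0          # field 1, wire type 0 (varint) -> 0x08
TRIGGER_VARIATION_ID_TAG = (3 << 3) | 0  # field 3, wire type 0 (varint) -> 0x18


def _read_varint(data: bytes, pos: int):
    """Read one base-128 varint at pos; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:          # continuation bit clear: last byte
            return result, pos
        shift += 7
        if shift > 63:               # protobuf varints are at most 10 bytes
            raise ValueError("varint too long")


def _write_varint(value: int) -> bytes:
    """Encode a non-negative integer as a base-128 varint."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)  # more bytes follow
        else:
            out.append(byte)
            return bytes(out)


def decode_x_client_data(header: str) -> dict:
    """Split a header into its variation IDs and trigger variation IDs."""
    raw = base64.b64decode(header, validate=True)
    ids = {"variation_ids": [], "trigger_variation_ids": []}
    pos = 0
    while pos < len(raw):
        tag, pos = _read_varint(raw, pos)
        if tag & 0x7 != 0:
            # Only varint fields are expected; anything else is malformed.
            raise ValueError(f"unexpected wire type {tag & 0x7} at offset {pos}")
        value, pos = _read_varint(raw, pos)
        if tag == VARIATION_ID_TAG:
            ids["variation_ids"].append(value)
        elif tag == TRIGGER_VARIATION_ID_TAG:
            ids["trigger_variation_ids"].append(value)
        # Unknown varint fields are skipped, as protobuf parsers do.
    return ids


def encode_x_client_data(variation_ids, trigger_variation_ids=()) -> str:
    """Build a header from ID lists (used here only to construct samples)."""
    body = bytearray()
    for vid in variation_ids:
        body += _write_varint(VARIATION_ID_TAG) + _write_varint(vid)
    for vid in trigger_variation_ids:
        body += _write_varint(TRIGGER_VARIATION_ID_TAG) + _write_varint(vid)
    return base64.b64encode(bytes(body)).decode("ascii")


# Constructed sample: three variation IDs and one trigger variation ID.
SAMPLE_HEADER = encode_x_client_data([3300100, 3300101, 3313545], [3314001])

if __name__ == "__main__":
    print("X-Client-Data:", SAMPLE_HEADER)
    print(decode_x_client_data(SAMPLE_HEADER))
```

The decoded numbers are opaque experiment identifiers; the point of decoding is to see that the header is a list of those IDs and nothing else, which is also why the set of enabled experiments, rather than any single value, is what carries identifying information.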
Because of the randomized seed, X-Client-Data is, by default, theoretically more than enough to uniquely identify you from other people who use Chrome.
To an extent, you can control how randomized this seed is: disabling Chrome’s sharing of usage statistics and crash reports limits the number of possible seeds to 8000. By limiting the possibilities, you greatly increase the chance of sharing the same seed, and therefore the same X-Client-Data header, with someone else.
The variations active for a given installation are determined by a seed number which is randomly selected on first run. If usage statistics and crash reports are disabled, this number is chosen between 0 and 7999 (13 bits of entropy).
However, any server you connect to also sees your IP address. Combined with that, the X-Client-Data header would still be unique enough to potentially distinguish your device from any other device in your home or office.
Who can see my X-Client-Data?
The X-Client-Data header is only sent by Chrome when connecting to a Google-owned domain. As a significant part of Chrome is open source as Chromium, we can actually see precisely which domains are given your X-Client-Data header. Among those, you’ll see “doubleclick.com” and “doubleclick.net,” both of which are domains used by the Google Marketing Platform, which was previously known as DoubleClick. That means any ad served up by Google’s ad platform will receive your X-Client-Data header.
In fact, this same ID is sent to those Google servers regardless of whether you’re logged in with your Google Account or not, which could theoretically tie your logged-out browsing back to your Google Account. The only time X-Client-Data is not sent to Google’s servers is when you’re browsing in Incognito mode.
Why does it matter?
Putting it all together, the accusation being leveled against Google by the tech community is that the company is making it harder for competing ad networks and other third-parties to track your browsing while their own purported tracking method is able to continue uninhibited.
However, a Google spokesperson fully denied those claims, explicitly stating that the X-Client-Data header “is not used to identify or track individual users.”
The X-Client-Data header is used to help Chrome test new features before rolling them out to all users. The information included in this header reflects the variations, or new feature trials, in which an installation of Chrome is currently enrolled. This information helps us measure server-side metrics for large groups of installations; it is not used to identify or track individual users.
How does Google use X-Client-Data?
Instead, according to Google, X-Client-Data serves two main purposes. The first is as one of many metrics and analytics tools used to improve Google Chrome. The effects of certain Chrome experiments, such as the recent addition of HTTP/3 or QUIC, need to be measured from both Chrome and the server side, not just one or the other, to gain a complete understanding. Sending the X-Client-Data header lets the server measure how quickly installations with and without certain experiments can load any given page.
The second purpose X-Client-Data fulfills is allowing Google’s websites to respond to various experiments. For example, a Google website may need to send you a version that’s compatible with the experiments enabled on your device.
Most recently, Chrome’s privacy-forward changes to internet cookies actually broke a number of Google apps to the point of needing to display a warning when signing in from Chrome Beta. Having the X-Client-Data, a web app could potentially know to send you an early testing version of the app, designed to work with the new rules for cookies.
What can I do about it?
That said, if you’d like to change your X-Client-Data header every time you open Chrome, you can add the command-line flag “--reset-variation-state” to your Chrome shortcut, which is relatively easy to do on Windows and macOS. This tells Google Chrome to delete your old “seed” and generate a new one — in turn giving you a new X-Client-Data header — every time Chrome restarts.
If you do this, just know that Chrome’s many ongoing experiments will be randomly enabled and disabled each time you reopen Chrome.
Alternatively, you can switch browsers to Mozilla Firefox or the new Chromium-based Microsoft Edge, neither of which sends any kind of X-Client-Data header to Google servers.