Google's proposal to W3C sparks controversy about Chrome's profiling feature

News ¦ February 4th, 2020, 9:00 pm

Longstanding Chrome feature faces scrutiny amidst discussion of a recently proposed privacy-enhancing browser standard.

Hacker News was buzzing this morning after a GitHub user pointed out an ostensibly hypocritical move by Google.

On one hand, as a member of the internet standards organization, the World Wide Web Consortium (W3C), Google proposed a new standard that would make browser fingerprinting more difficult, thereby improving general user privacy. Something Google has been vocal about recently.

And on the other hand, for more than seven years, Google has had a proprietary feature within their Chrome browser that allows them to profile users on any Google-run site, or any site that uses Google (Doubleclick) to display ads.

As it may not be clear why people call this hypocritical, here’s a quick explanation.

Browser fingerprinting is a way of identifying you via the characteristics of your browser and your device, including your browser version, your screen size, your browser window size and placement, device-specific hardware, and dozens of additional attributes. These techniques work even if you block cookies and other trackers.

So while Google is working with the W3C to make it harder for you to be tracked online, Chrome browsers have built-in profiling metadata that is sent to Google for every visit you make to a website that Google owns or powers with its advertisement services.The built-in metadata is based on the state of the Chrome version you have, including specific details such as feature tests that Google chose to activate for your Chrome installation. According to Google, this is to help them analyze the various features they are testing; but in practice this data could contain an identifier that helps Google to track you, even after you’ve logged out of your Google account or deleted your cookies.

We believe it's important to consider the practical implications of these capabilities for two reasons. One, no one outside of Google has clear visibility into what this metadata is used for. Two, when Chrome users opt-out of the purported purpose—internal analytics and crash reports—Google could’ve chosen to omit that metadata field, but instead that field is populated with a pseudorandom number on first startup, a technique commonly used in apps to identify users and profile their behavior.

This metadata is not sent to Google when you’re in Incognito mode, but you should know that DuckDuckGo has a report that shows that Google can still profile Incognito users.

We’d like to point out that Google’s proposal, in and of itself, would be good for general internet user privacy, and we do not see a reason for it to be stopped. However, the proposal would only benefit a minority of internet users, as Chrome has 64% of the browser market share and Google is one of the biggest players in online advertising. And ultimately, the proposal would only impede the ad-targeting capabilities of Google’s competitors, thereby increasing the value of Google’s own products.

We encourage privacy-concerned readers to familiarize themselves with Google alternatives, such as Firefox or Brave for your browser, and DuckDuckGo for your search engine.

Get the Data Digest in your inbox