Upcoming changes to Google Chrome's User Agent String handling
Google recently announced plans to change a longstanding component of its Chrome web browser: the User Agent String, which the browser uses to announce information about the end user's browser and device configuration to the websites it visits. Present in every major web browser, if not in every web browser available, as well as in non-browser software that connects to the internet, the User Agent String has been a persistent characteristic of internet-enabled devices for most of the internet's history. So, what is a User Agent String, and why does Google want to change it?
What Is a User Agent String (UAS)?
At its most fundamental, the UAS is a piece of text sent from the browser to an internet server in conjunction with a request for content. The UAS announces various information about the site visitor so that the receiving computer can most effectively serve the request. Here is an example of a UAS:
Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405
As you can see, various information about the type of device connecting to the server is sent in the UAS, including, according to Wikipedia, "Mozilla/[version] ([system and browser information]) [platform] ([platform details]) [extensions]."
For servers automatically reviewing the UAS, the information in these announcements has become very valuable. For example, when a server is able to recognize that a visitor is browsing from a Windows computer, it can suppress messages related to Mac computers and, say, show only software downloads that are compatible with the visitor's computer. Likewise, if a UAS indicates an older or non-compatible browser version, the server can display an error page or other upgrade instructions for the end user.
Why does Google want to change the UAS? In a word, privacy.
Google's plan is to freeze the UAS around September of 2020, such that all Chrome browsers show the same UAS regardless of the device on which they're running (with the exception that desktop and mobile browsers will still be differentiated). All other information will be standardized in the UAS such that further identification of browser version, operating system, and other details will be uniform. Why would they want to do this?
The move to essentially deprecate the UAS comes as part of Google's "Privacy Sandbox" initiative. As you can already see, the existing UAS automatically gives the receiving server *lots* of information about the end user's browser and device configuration, and this information is being exploited to fingerprint individual end users and groups of users to track their web usage for advertising purposes. Google intends to replace the UAS with a new feature set called User Agent Client Hints, which yields much the same information as the traditional UAS but will allow for user customizations to the amount of data chosen to be shared. In essence, the new standard will allow for end users to block components of the UAS which are otherwise unblockable under the current scheme.
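The following Python example is added here and is not code from the original article or from Google. It splits the UAS shown above into its product tokens and comment fields, then makes the platform decision described earlier, preferring the Sec-CH-UA-Platform Client Hints request header when the browser sends it and falling back to the UAS otherwise. The function names, the platform table and the second set of request headers are constructed for illustration.

```python
import re

# A UAS is a run of "Name/version" product tokens and parenthesised comments.
_TOKEN = re.compile(r"\(([^)]*)\)|([^\s()/]+)/([^\s()]+)")

# Substring -> platform label, checked in order. Order matters: iPad strings
# also say "like Mac OS X", and Android strings also say "Linux".
_UAS_PLATFORMS = [("iPad", "iOS"), ("iPhone", "iOS"), ("Android", "Android"),
                  ("Windows", "Windows"), ("Mac OS X", "macOS"), ("Linux", "Linux")]

# The example UAS quoted in the article.
PAGE_UAS = ("Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) "
            "AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405")

def parse_uas(uas):
    """Split a User Agent String into product tokens and comment fields."""
    products, comments = [], []
    for m in _TOKEN.finditer(uas):
        if m.group(1) is not None:
            comments.append([f.strip() for f in m.group(1).split(";")])
        else:
            products.append((m.group(2), m.group(3)))
    return {"products": products, "comments": comments}

def detect_platform(headers):
    """Return (platform, source), preferring Client Hints over the UAS."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hint = h.get("sec-ch-ua-platform")
    if hint:
        # The hint arrives as a quoted string, e.g. "Windows" with the quotes.
        return hint.strip().strip('"'), "client-hint"
    parsed = parse_uas(h.get("user-agent", ""))
    fields = parsed["comments"][0] if parsed["comments"] else []
    for needle, label in _UAS_PLATFORMS:
        if any(needle in f for f in fields):
            return label, "user-agent"
    # Nothing usable was shared: treat as unknown and serve every download.
    return "unknown", "none"

if __name__ == "__main__":
    print(parse_uas(PAGE_UAS))
    print(detect_platform({"User-Agent": PAGE_UAS}))
    # Constructed request: a UAS carrying no device detail, plus a client hint.
    print(detect_platform({"User-Agent": "ExampleBrowser/1.0",
                           "Sec-CH-UA-Platform": '"Windows"'}))
```

A server written this way keeps working when the UAS stops carrying device detail, and degrades to a neutral page when the user shares neither source.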
The proposed change would appear to be a win for end user privacy. Given that Google is an advertising company, there's an open question as to why it would want to limit user fingerprinting, which presumably would be useful for it to generate more targeted advertising. However, migrating the information provided by the UAS to a user-configurable set of options is a move in the right direction for privacy, regardless.