2020-02-06

This week, the web and browser developer community raised concerns about “X-Client-Data”, an alleged “tracking ID” that Chrome sends to all Google websites. Google rejected the tracking allegation and explained the header's actual, more mundane purpose.

Last month, Google proposed a plan to phase out the web's reliance on the “user agent” string, which freely hands information about your browser and computer to any website you browse or connect to. As part of this proposal, Chrome would begin to freeze and eventually unify the user agent string, shielding the more detailed information from prying eyes unless explicit permission is given.

Without a doubt, this would be a big win for privacy, as the user agent is one of the many signals that can uniquely identify you (or build a “fingerprint”) and track your browsing habits for purposes such as ads. Given that Google makes over $100 billion a year from ads, this may even seem like a surprising move.

In a lengthy discussion of the potential pros and cons of freezing the user agent, some have raised the implications of this change for smaller ad networks that are trying to compete with Google’s multi-billion dollar advertising business. Google Chrome currently holds a dominant position in the web browser market, which means that this step would immediately hurt any advertising company that relies on the user agent as a factor in its fingerprint.

In the meantime, Arnaud Granal, developer of Kiwi Browser, a Chromium-based alternative browser for Android, and someone familiar with Chrome and Chromium, has pointed out that Chrome attaches its own special data element called “X-Client-Data”. Granal claims this could be used by Google to circumvent any fingerprinting restrictions that Google Chrome adds.

What is X-Client-Data?

The Google Chrome privacy whitepaper explains that X-Client-Data is used to describe the various experiments and Chrome flags that are enabled in your browser.

We want to create features that users want so that a subset of users get a brief glimpse of the new features that are being tested before they become available to the world. A list of field trials that are currently active for your Chrome installation is included in all requests sent to Google. This Chrome Variations header (X-Client-Data) does not contain any personally identifiable information and only describes the installation status of Chrome itself, including active variations, as well as server-side experiments that can affect the installation.

To decide which experiments are automatically enabled on your device (for example, early tests of upcoming features and redesigns), Chrome generates a random seed the first time it runs. Chrome then sends this seed to Google’s servers to determine which tests should be activated automatically, and activates them.

Finally, Chrome encodes the list of enabled experiments into a string of letters and numbers (Base64, to be exact), and that string is what the X-Client-Data header carries.

Because the seed is random, the X-Client-Data value is, by default, theoretically more than enough to single you out among other Chrome users.

To a certain extent, you can control how random this seed is, because disabling Chrome’s usage statistics and crash reporting limits the number of possible seeds to 8,000. By narrowing the options, you significantly increase the likelihood that you share the same seed, and therefore the same X-Client-Data value, with someone else.

The variations that are active for a particular installation are determined by a seed number that is selected randomly during the first run. If usage statistics and crash reports are disabled, this number is chosen between 0 and 7999 (13 bits of entropy).

However, every server you connect to also sees your IP address. Combined with the IP address, the X-Client-Data value could still be unique enough to distinguish your device from the other devices in your home or office.
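To make the entropy argument concrete, here is an added worked example (not code from the original article or from Chrome) that quantifies what a 0..7999 seed space means in practice. It uses only the figures quoted above; the device and population counts are constructed inputs for illustration.

```python
"""Added example: how much does the Chrome variations seed narrow you down?
The 8,000-value seed space is the 0..7999 range the whitepaper quotes for
installs with usage statistics and crash reporting disabled. The device and
population counts used below are constructed, not measured."""
import math

SEEDS_WITHOUT_METRICS = 8000  # seed drawn from 0..7999 when usage stats are off


def seed_entropy_bits(space=SEEDS_WITHOUT_METRICS):
    """Entropy of a uniformly random seed drawn from `space` values."""
    return math.log2(space)


def p_any_shared_seed(n_devices, space=SEEDS_WITHOUT_METRICS):
    """Probability that at least two of n devices drew the same seed
    (the birthday-problem complement of 'all seeds distinct')."""
    p_distinct = 1.0
    for i in range(n_devices):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def devices_for_collision(target=0.5, space=SEEDS_WITHOUT_METRICS):
    """Smallest number of devices at which the chance that two of them
    share a seed reaches `target`."""
    n = 1
    while p_any_shared_seed(n, space) < target:
        n += 1
    return n


def expected_seed_twins(population, space=SEEDS_WITHOUT_METRICS):
    """Expected number of other installs in `population` that share your seed."""
    return (population - 1) / space


if __name__ == "__main__":
    print(f"seed entropy: {seed_entropy_bits():.2f} bits")
    # Behind one home or office IP there are usually only a handful of devices,
    # so the seed almost always tells them apart (constructed sizes).
    for devices in (2, 5, 20):
        print(f"{devices:>3} devices behind one IP: "
              f"P(two share a seed) = {p_any_shared_seed(devices):.4%}")
    print(f"50% collision chance is reached at {devices_for_collision()} devices")
    # Across the whole Chrome install base the seed alone is far from unique.
    print(f"among 1,000,000 installs, about {expected_seed_twins(1_000_000):.0f} "
          f"others share your seed")
```

The two numbers to take away: with five devices behind one IP address the chance that any two share a seed is roughly 0.12%, so seed plus IP practically always singles out one device, while the seed on its own is shared with about 125 other installs per million, which is why the header alone is weak as a global identifier but strong as a local one.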

Who can see my X-Client-Data?

The X-Client-Data header is only sent by Chrome when connecting to a Google-owned domain. Since much of Chrome is open source as Chromium, we can actually see exactly which domains receive your X-Client-Data header. Among them are “doubleclick.com” and “doubleclick.net”. Both domains are used by the Google Marketing Platform, previously known as DoubleClick. This means that every ad delivered by Google’s advertising platform receives your X-Client-Data header.

In fact, the same ID is sent to these Google servers regardless of whether you are signed in to your Google account or not. Theoretically, this could allow you to be tracked even while you are logged out of your Google account. X-Client-Data is even sent to Google’s servers when you are browsing in incognito mode.
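If you want to verify the claim that the header only ever reaches Google-owned domains on your own traffic, the following added example (not code from the original article or from Chromium) audits a set of captured request records and flags any recipient outside an allow-list. The request records are constructed; the allow-list takes doubleclick.com and doubleclick.net from the article and adds google.com as an assumption, so extend it with the other domains you find in the Chromium source.

```python
"""Added example: audit which hosts received X-Client-Data.
Request records below are constructed to look like what a traffic-inspecting
proxy would log; the allow-list is an assumption, not Chromium's list."""
import base64

# Assumed allow-list of domains that legitimately receive the header
# (doubleclick.* from the article, google.com assumed).
GOOGLE_OWNED_SUFFIXES = ("google.com", "doubleclick.com", "doubleclick.net")

# Obviously constructed header value, so nobody mistakes it for a real one.
SAMPLE_VALUE = base64.b64encode(b"constructed-sample").decode()

# Constructed sample traffic: (host, request headers) pairs.
CAPTURED_REQUESTS = [
    ("www.google.com", {"X-Client-Data": SAMPLE_VALUE, "Accept": "*/*"}),
    ("stats.g.doubleclick.net", {"x-client-data": SAMPLE_VALUE}),
    ("example.com", {"Accept": "*/*"}),
    # A non-Google host receiving the header would contradict the article's claim.
    ("cdn.example.net", {"X-Client-Data": SAMPLE_VALUE}),
]


def has_client_data(headers):
    """HTTP header names are case-insensitive, so normalise before matching."""
    return any(name.lower() == "x-client-data" for name in headers)


def is_google_owned(host, suffixes=GOOGLE_OWNED_SUFFIXES):
    """True if host equals or is a subdomain of an allow-listed domain.
    Matching is label-aligned so 'notgoogle.com' does not match 'google.com'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit(requests, suffixes=GOOGLE_OWNED_SUFFIXES):
    """Return (recipients, unexpected): every host that received the header,
    and the subset outside the allow-list, both sorted and de-duplicated."""
    recipients = sorted({host for host, hdrs in requests if has_client_data(hdrs)})
    unexpected = [host for host in recipients if not is_google_owned(host, suffixes)]
    return recipients, unexpected


if __name__ == "__main__":
    recipients, unexpected = audit(CAPTURED_REQUESTS)
    print("hosts that received X-Client-Data:", recipients)
    print("recipients outside the allow-list:", unexpected)
```

Run it against your own capture by replacing CAPTURED_REQUESTS with the hosts and header dictionaries your proxy logged; an empty `unexpected` list is the expected result for an unmodified Chrome.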

Why does it matter?

In short, the tech community has accused Google of making it harder for competing ad networks and other third parties to track your browsing while letting its own alleged tracking method continue unchecked.

However, a Google spokesperson has flatly rejected these claims and specifically stated that the X-Client-Data header “is not used to identify or track individual users.”

The X-Client-Data header is used to help Chrome test new features before they are made available to all users. The information contained in this header reflects the variations or new functionality trials in which an installation of Chrome is currently enrolled. With this information, we can measure server-side metrics for large groups of installations. It is not used to identify or track individual users.

How does Google use X-Client-Data?

Instead, according to Google, X-Client-Data serves two purposes. First, it is part of the many measurement and analysis tools used to improve Google Chrome. The effects of certain Chrome experiments, for example the recent addition of HTTP/3 or QUIC, must be measured from both the Chrome side and the server side, not just one or the other, to be fully understood. By sending X-Client-Data, the server can measure how quickly people with and without a given experiment load a given page.

The second purpose X-Client-Data serves is to let Google’s websites respond to the various experiments. For example, a Google website may need to send you a version that is compatible with the tests enabled on your device.

Recently, Chrome’s privacy-oriented changes to how it handles cookies actually broke a number of Google apps, which is why you may have seen a warning when signing in to Chrome Beta. With X-Client-Data, a web app could know to serve you an early version of the app that is compatible with the new cookie rules.

What can I do?

That said, if you want your X-Client-Data header to change every time you open Chrome, you can add the “--reset-variation-state” command-line flag to your Chrome shortcut, which is relatively easy on Windows and macOS. This instructs Google Chrome to discard your old seed and generate a new one each time Chrome is restarted, which in turn gives you a new X-Client-Data header.

If you do this, just be aware that Chrome’s many ongoing experiments will be randomly enabled and disabled each time you open Chrome.

Alternatively, you can switch browsers to Mozilla Firefox or the new Chromium-based Microsoft Edge, neither of which sends an X-Client-Data header to Google’s servers.

