When a website wants to identify which browser you are using and what kind of computer or device you are browsing on, the first thing it turns to is the User Agent string. In a surprising move, Google's Chromium team has submitted a new proposal that includes deprecating the User Agent string starting with Chrome 81.

User Agent privacy misery

Although web browsers have gradually gained more privacy protections over the years, the User Agent string, a real remnant of the internet as we once knew it, has become a primary vector for fingerprinting users. According to Google's measurements, no less than 90% of websites read and use your browser's User Agent in one way or another.

A glance at a page that interprets your User Agent string is all you need to understand the implications for privacy. The browser you choose, which version you use, which operating system you use and in some cases which device you use are all revealed and easily shared with any website that requests it.

The original intention behind providing this information was to let servers ensure that the page you receive is optimized for the needs of your specific browser. If you have been an Internet user for a long time, you may remember that some websites would look and behave very differently depending on whether you were using Internet Explorer, Firefox or Opera, because each had its own unique set of missing or supported features.

Nowadays, web browsers are much more competitive and actually do their best to maximize the number of features that they share with each other. Google, Apple, Mozilla and other browser vendors work together on new web proposals to ensure cross-browser compatibility where possible. Now that there are fewer compatibility reasons for a site to check whether you are browsing from Chrome or Firefox, the User Agent string has taken on unfortunate new purposes.

By default, most browsers, including Chrome, block many of the methods that some websites and ads use to “fingerprint” you in order to maliciously track your browsing and target ads, even while browsing Incognito. In many cases, however, your User Agent string can provide more than enough information to uniquely identify your computer.

Even worse, the User Agent is sometimes used to discriminate between browsers, regardless of whether a given browser is actually compatible with the website. Google in particular has apparently been guilty of this.

Last month, Vivaldi, another browser based on the same Chromium source code as Google Chrome, started spoofing its User Agent string to appear as Chrome. The reason for this was to bypass seemingly inexplicable bugs that only occur when the browser announces itself as Vivaldi.

Deprecate and freeze the User Agent

So the question is, what can be done? In order for older, unmaintained websites to keep working as expected, the User Agent string cannot simply be removed from Chrome completely. Today, as noted by Owen Williams, Google publicly unveiled an in-depth proposal to put an end to the misuse of the User Agent string in both Chrome and the web as a whole.

According to the proposal, the first step is to deprecate “navigator.userAgent”, the property used to access the User Agent string, which is proposed to begin with Chrome 81 in March. This change has no visible effect for most people, and websites will continue to work normally. However, web developers will receive explicit warnings in the Chrome developer console that retrieving the User Agent string is no longer a good idea.

Next, starting with Chrome 83 in June, Google will “freeze”, or stop updating, the User Agent string with every update to Chrome. At the same time, Chrome will also “unify” the information that is shared about your device’s operating system, which means, for example, that two computers with slightly different Windows 10 updates will have the same User Agent. This eliminates another potential fingerprinting method.

Finally, starting with the release of Chrome 85 in September, every Chrome browser running on a desktop operating system, such as Windows, macOS or Linux, will report exactly the same User Agent string, eliminating all possible User Agent fingerprints. Similarly, Chrome 85 will unify the User Agent on mobile devices, although apparently devices will be merged into one of a few categories based on screen size.
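
To make the effect of these stages measurable, here is an added example (not part of the original article or of Google's proposal) that computes how many bits of identifying information a set of User Agent strings carries at each stage. The sample strings are constructed, and the `frozen` and `unified` reducers are a simplified model of the plan: the `FROZEN` placeholder and the phone/tablet split, used as a stand-in for the screen-size categories, are assumptions.

```javascript
// Constructed sample (not captured traffic): one User Agent string per visitor.
const SAMPLE_UAS = [
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36",
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
  "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.116 Mobile Safari/537.36",
  "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Mobile Safari/537.36",
  "Mozilla/5.0 (Linux; Android 9; SM-T510) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.116 Safari/537.36",
  "Mozilla/5.0 (Linux; Android 10; SM-T510) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",
];

// Simplified model of each stage (assumption, not Chrome's actual code).
const reducers = {
  // Today: the full string is exposed.
  raw: (ua) => ua,
  // Freeze step: browser version pinned, OS version detail dropped.
  frozen: (ua) => ua
    .replace(/Chrome\/[\d.]+/, "Chrome/FROZEN")
    .replace(/(Windows NT|Mac OS X|Android) [\d._]+/, "$1"),
  // Unify step: one desktop value, a few mobile classes.
  unified: (ua) => !/Android/.test(ua) ? "desktop"
    : /\bMobile\b/.test(ua) ? "mobile-phone" : "mobile-tablet",
};

// Shannon entropy (in bits) of the values a site would observe at a stage.
function entropyBits(userAgents, stage) {
  const counts = new Map();
  for (const ua of userAgents) {
    const key = reducers[stage](ua);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / userAgents.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

for (const stage of Object.keys(reducers)) {
  console.log(stage, entropyBits(SAMPLE_UAS, stage).toFixed(2), "bits");
}
```

On this sample the desktop visitors become indistinguishable by User Agent after the unify step, while the mobile visitors still fall into separate classes.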

Replace the User Agent

What Google has outlined here is not necessarily a new idea. The proposal notes that Apple took a similar path in 2017 with Safari, in an effort to completely freeze the User Agent string. Although it was very privacy-forward, that proposal did not provide an alternative way for developers to get the extra information they need to provide a consistent experience across different devices, and thus received pushback from web developers.

The second half of Google’s proposal introduces a healthy compromise: give web developers the information they may need, while respecting a person’s privacy. Before the User Agent string is deprecated, Chrome will introduce a new feature called User Agent Client Hints, or UA-CH.

Simply put, UA-CH will provide all the same information that the User Agent string offers today, but each piece of data must be explicitly requested by the website and approved by the browser. Initially, this does not offer any protection, but a browser can easily detect and block unnecessary UA-CH requests.
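
The request-and-approve exchange can be sketched as follows. This is an added example, not code from the article or from Chrome: the header names (`Accept-CH`, `Sec-CH-UA-*`) and the three hints sent by default follow the UA-CH specification as it later shipped and are not listed in the article, while the profile values, the `negotiateHints` function and its budget/blocklist policy are hypothetical.

```javascript
// Constructed browser profile: every value below is sample data.
const PROFILE = new Map([
  ["sec-ch-ua", '"Chromium";v="85", "Google Chrome";v="85"'],
  ["sec-ch-ua-mobile", "?0"],
  ["sec-ch-ua-platform", '"Windows"'],
  ["sec-ch-ua-platform-version", '"10.0"'],
  ["sec-ch-ua-arch", '"x86"'],
  ["sec-ch-ua-bitness", '"64"'],
  ["sec-ch-ua-model", '""'],
]);

// Low-entropy hints that are sent without the server asking for them.
const DEFAULT_HINTS = ["sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform"];

// Hypothetical browser policy: a per-origin budget plus an explicit blocklist.
const DEFAULT_POLICY = { maxExtraHints: 2, blocked: ["sec-ch-ua-model"] };

// Given the server's Accept-CH response header value, decide which hint
// headers the browser attaches to its next request and which it refuses.
function negotiateHints(acceptCH, policy = DEFAULT_POLICY) {
  const requested = new Set(
    acceptCH.split(",").map((t) => t.trim().toLowerCase()).filter(Boolean));
  const sent = {};
  for (const h of DEFAULT_HINTS) sent[h] = PROFILE.get(h);
  const refused = [];
  let extras = 0;
  for (const hint of requested) {
    if (DEFAULT_HINTS.includes(hint)) continue; // already sent by default
    if (!PROFILE.has(hint)) {
      refused.push({ hint, reason: "unsupported" });
    } else if (policy.blocked.includes(hint)) {
      refused.push({ hint, reason: "blocked by policy" });
    } else if (extras >= policy.maxExtraHints) {
      refused.push({ hint, reason: "over budget" });
    } else {
      sent[hint] = PROFILE.get(hint);
      extras += 1;
    }
  }
  return { sent, refused };
}

// Server side: response header asking for four extra hints.
const acceptCH =
  "Sec-CH-UA-Platform-Version, Sec-CH-UA-Model, Sec-CH-UA-Arch, Sec-CH-UA-Bitness";
// Browser side: two are granted, two are refused and can be logged.
const { sent, refused } = negotiateHints(acceptCH);
console.log(sent);
console.log(refused);
```

Because every extra hint has to pass through one decision point, the `refused` list doubles as an audit trail of which sites ask for more than they are given.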

Put everything together

Without a doubt, this is a pro-privacy move from Google, which means that websites should receive less of your browser’s fingerprint. Many sites should be able to make do with only the unified User Agent string, while more complex websites can get only the information they need, without that same information being exposed to the whole world.

If the proposals to deprecate the User Agent string and introduce UA-CH are accepted as they stand, we should see the first fruits of this soon, as Chrome 81 is already in the Canary stage and scheduled to be released in March this year.

