Google does not need a user agent header to track people

Sebastian Greger

There has been quite some discussion (e.g. here) around the plan by browser vendors, led by the Google Chrome team, to essentially abandon the User-agent header they send with every request to identify version and make of the browser it is coming from.

Not all that surprising, considering their surveillance-based business model: when Google loudly announces to take these and other measures in order to make fingerprinting web users more difficult, it appears they might refer primarily to identification by others. An article on The Register points out:

[…] the existence of the X-client-data identifier, even if it’s only readable by Google, makes it clear that Google is focused on privacy with respect to third-parties, rather than a defense against itself.

So Google themselves appear to have their tracking needs covered, potentially including the X-client-data header, which essentially can be considered to be a high entropy fingerprint/cookie. And with the Chrome browser’s dominant market share, and almost every website in some ways connecting to a Google service, these are all parts in a giant surveillance ecosystem.

The Register quotes cybersecurity and ad fraud researcher Augustine Fou:

“So you can see having User-Agent strings on a damn browser is less than irrelevant to Google, because it can still ID everyone it wants (and it has Google Analytics, DoubleClick, Adsense, reCaptcha and other code on pretty much every site that matters),” he said. “So anyone who visits any site, Google can set its own first-party cookie to identify them.”

Apart from the obvious ethical questions, the existence of and lacking user control over such header should raise more than a few eyebrows in regards to GDPR (and e-Privacy?) compliance; yet, most importantly this should be another reminder why it is so important to not use Google Chrome, and to build websites that are free of Google services.