Google: Did you know that the Chrome tracker has no mysterious personal information?
In February, Arnaud Granal, a software developer working on a Chromium-based browser called Kiwi, claimed that the X-client-data header, which Chrome sends to Google when a Google web page is requested, represents a unique identifier that could be used to track people across the web. As such, it may violate Europe’s privacy regulations.
When The Register reported these claims, Google emphasized that the X-client-data header only includes information about the variation of Chrome being used, rather than a unique fingerprint. “It is not used to trace users,” the ad official stated.
The Register has no reason to believe that the X-client-data header has been used to track and identify people across websites – Google has better ways of doing that. The concerns about the identifier relate to inadequate disclosure, inaccurate description, compliance with the law, and the potential for the identifier to be abused for tracking.
Specific language appeared in the Google Chrome Privacy Whitepaper, a document the company maintains to explain the Chrome information that Google provides to third parties.
Last month, the Google paper said, “Chrome-variations header (X-client-data) will not include personally identifiable information and will describe the status of Chrome’s own installation, which includes operating variants and server-side tests that may affect installation.”
Asked why this change was made, a Google spokeswoman only said, “Chrome white paper is regularly renewed as part of the Chrome stabilization process.”
In place of the old language, seen in this contrasting image, there is now a more detailed description of the X-client-data header, which comes in two variants: a low-entropy (13-bit) version with values from 0-7999, and a higher-entropy version, which is what most Chrome users will send if they have not disabled usage statistics reporting.
The Register asked whether the changes were made to limit liability under Europe’s GDPR for falsely claiming that the X-client-data header had no information that could be used to identify the associated Chrome user. But a Google spokeswoman did not answer that question.
In an email to The Register, Granal said that, knowing a little of the internal operations on both sides, this is indeed a serious problem and can be very costly for Google if that problem is not properly resolved.
“As a user, in the present case, it is important to understand that whether you are using a proxy, VPN, or Tor, Google can show you using this X-Client-Data. Do you want Google to recognize you even if you are not logged in to your account or behind a proxy? Personally, I disagree with this, but each person has a different view of privacy.”
After the story was published, a Google spokeswoman pointed to the Chrome Privacy Page and said that it states, in different words, that the X-client-data header does not include personally identifiable information. The relevant section reads:
“In addition, a set of low flexibility features is included in the network requests sent to Google. The aggregated nature of these differences is not significant, since it is based on a low entropy value of 13.”
Also, we are told that our claim that Chrome sends the high-entropy variant in the header is not true: only the low-entropy variant is sent.