9 hours ago
Google's Secret Tracking Warning For All 3 Billion Chrome Users
You are being tracked — how to stop it.
getty
It's hard to know where Chrome is going at the moment when it comes to tracking its 3 billion users. The promise to kill cookies is essentially dead, with even regulators reportedly assuming that's the case. Meanwhile, Google and the ad industry continue their slow two-step routine, with nothing likely to change anytime soon.
There are some footnotes to all this. Google has unbanned digital fingerprinting, widening its remit beyond browsers to a raft of smart devices including TVs and gaming consoles. While the company's stock Android apps have been caught tracking users, even when the apps themselves are not being used or even opened.
Now we have another secretive tracking warning for all those users. This time, Google is playing gamekeeper rather than data poacher, warning users that there are 'known, prevalent techniques for browser re-identification used in third-party contexts.' What this means is abusing third-party APIs working within Chrome to harvest fingerprints that can then be searched to identify the specific browser and user.
Google has a plan to 'block the execution of these techniques' within Chrome's Incognito mode, which it says 'generally involve the use of existing browser APIs in ways that do not match the API's intended purpose and are designed to extract additional information about the user's browser or device characteristics.'
Blocking this browser fingerprinting in Incognito mode would at least allay the risk that users are being tracked when they have specifically opted to browse privately without any such secret tracking operating behind the scenes.
Google confirms its Chrome team 'has developed a methodology to identify widely used JavaScript functions that provide consistent outputs from stable and high-entropy web APIs and can therefore be used to construct probabilistically high-entropy identifiers.' In short, a blacklist of workarounds and websites it can automatically block.
Users will be able to opt in (or likely out) of this protection. 'When the feature is enabled, Chrome will check network requests against the blocklist, including detecting CNAME aliases. When there is a match, active content from those domains will be blocked (e.g., scripts, iframes), but not static resources (e.g., images, stylesheets).'
Google also says it will introduce mechanisms to 'prevent simple evasion tactics such as renaming or slightly modifying the script.'
With tracking cookies seemingly here to stay and fingerprinting back, Incognito mode is fast becoming more critical for users tied to Chrome but interested in privacy protections as well, better matching the defaults in Safari and Firefox. This includes IP address protection, which is also being designated as just for Incognito mode.
Google says 'the feature will be available for users in Chrome's Incognito Mode only, on Android and Desktop platforms. It will be on by default in Incognito. Users will have the ability to disable it. For enterprise-managed versions of Chrome, the feature can be enabled in Incognito, but it will be off by default to ensure that enterprise site compatibility and their user workflows are not impacted.'
