Google pre-pandemic: User-Agent strings are so 1990s. Time for a total makeover. Google mid-pandemic: Ah, we'll reschedule to 2021

Google's Chrome team has delayed its User-Agent Client Hints (UA-CH) makeover until at least 2021 due to the impact of the COVID-19 coronavirus on the web development ecosystem.

"While work on UA-CH continues, we don’t currently know in what ways or for how long COVID-19 will impact the web ecosystem’s ability to test and implement support for this change," said Yoav Weiss, Google developer advocate, in a forum post on Monday. "We will continue to monitor the situation and revisit this topic as the situation evolves."

Google is planning, in the name of privacy, to freeze the User-Agent string that browsers send to servers. The string contains details about the client's software and hardware and can be used legitimately, to tailor content to the capabilities of the receiving device. But Google is aware that it can be misused, so the plan is to make it so generic it doesn't say much.

"There’s quite a bit of information packed into those strings (along with a fair number of lies)," the W3C's User-Agent Client Hints draft explains. "Version numbers, platform details, model information, etc. are all broadcast along with every request, and form the basis for fingerprinting schemes of all sorts."

Browser fingerprinting – enumerating the settings and capabilities that can be read from browser APIs and then turning them into an identifier – provides a way to bypass browser privacy protections. So Google, like other browser makers, is concerned with reducing the variance (entropy) in browser fingerprints that allow them to be differentiated from one another.

The way to do that is to make less information available and that effort, which will make the string less specific, is what has been pushed back until next year.

As with other web tech changes backed by the ad biz, like its Manifest v3 extension platform revision and its SameSite cookie system, the info thinning aspect of the UA-CH project will be disruptive. So delaying the shift until a less hectic time makes sense.

Second time unlucky

This is, however, the second time this project has been pushed back. Initially, it was supposed to debut in Chrome 81 (itself delayed from mid-March until April 7), but after receiving feedback, Google wanted to hold off a bit longer.

The initial phase of the project isn't supposed to be disruptive. Expected to ship on July 14, when Chrome 84 is released, it involves the introduction of new Client Hints header fields as an alternative to the User-Agent header string (which will still be available in its traditional form). The intent of the initial release is to allow developers to experiment and provide feedback

Client Hints will involve a bit more back-and-forth between the browser client and the server. The idea is that the browser will be able to make decisions about whether to fulfill information requests returned in the server's initial response.

"Rather than broadcasting this data to everyone, all the time, user agents can make reasonable decisions about how to respond to given sites' requests for more granular data, reducing the passive fingerprinting surface area exposed to the network," the draft spec explains.

But the ad industry is not at all sold on the idea because programmatic ad systems rely on browser fingerprinting to fight ad fraud. Ad tech companies would be fine if Google delayed the project indefinitely.

"If this change is implemented, then advertisers will no longer be able to verify their adverts were served to humans when displayed in this manner by publishers," wrote James Rosewell, CEO of mobile detection biz 51Degrees last week in a GitHub issues post for the UA-CH spec. "Advertisers will direct their advertising spend directly to publishers and platforms that can provide that verification."

Augustine Fou, a cybersecurity and ad fraud researcher, told The Register earlier this year that the User-Agent string is "entirely useless" for detecting ad fraud since it can be spoofed.

And in response to Rosewell's protestation, Michael Catanzaro, a developer for Red Hat, expressed similar incredulity that "the advertising industry's security model for fraud detection depends on the attacker being nice and sending a truthful user agent header."

But ignoring the dubiousness of the ad industry's justification for fingerprinting, UA-CH could create problems for ad tech companies if it means marketers will be starved of the data they claim is necessary to compete with Google.

"Already the uncertainty that has been created is extremely disruptive and an advertising funded open web is under threat," Rosewell said. "It is for these reasons this [UA-CH] proposal, and it’s like, should be paused by W3C TAG [Technical Architecture Group] to allow proper consultation, justification and robust engineering options created, challenged against one another and the current situation, so that a way forward that considers the needs of all stakeholders can be adopted."

The concern is that Google will provide privacy protections that limit every ad biz except for itself, because it can identify users through its other services. ®