
Google: You know we said that Chrome tracker contained no personally identifiable info? Yeah, about that...

Chocolate Factory clarifies its header for monitoring browser field trials following The Register report


Updated Google has seemingly stopped claiming an identifier it uses internally to track experimental features and variations in its Chrome browser contains no personally identifiable information.

In February, Arnaud Granal, a software developer who works on a Chromium-based browser called Kiwi, claimed the X-client-data header, which Chrome sends to Google when a Google webpage has been requested, represents a unique identifier that can be used to track people across the web. As such, it could run afoul of Europe's tough privacy regulations.

When The Register reported these claims, Google insisted the X-client-data header only includes information about the variation of Chrome being used, rather than a unique fingerprint. "It is not used to identify or track individual users," the ad giant said.

The Register has no reason to believe the X-client-data header was ever used to track and identify people across websites – Google has better ways of doing that. Concern about the identifier has more to do with insufficient disclosure, inaccurate description, legal compliance, and the possibility that it might be abused for identifiable tracking.

The specific language appeared in the Google Chrome Privacy Whitepaper, a document the company maintains to explain the data Chrome provides to Google and third parties.

Last month, Google's paper said, "This Chrome-Variations header (X-client-data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation."

That language is no longer present in the latest version of the paper, published March 5, 2020.


Asked why the change was made, a Google spokesperson said only, "The Chrome white paper is regularly updated as part of the Chrome stable release process."

In place of the old language, seen in this diff image, is a slightly more detailed explanation of the X-client-data header, which comes in two variations: a low-entropy (13-bit) version that ranges from 0 to 7999, and a high-entropy version, which is what most Chrome users will send if they have not disabled usage statistics reporting.

The Register asked whether the change was made to avoid liability under Europe's GDPR for claiming incorrectly that the X-client-data header contained no information that could be used to personally identify the associated Chrome user. But Google's spokesperson didn't address that question.

In an email to The Register, Granal said, "Knowing a bit the inner-workings on both sides (including Google's lawyers), this is certainly a sensitive issue and it can be costly to Google if the issue is not addressed properly.

"As a user, in the current state, it's important to understand that no matter if you use a proxy, a VPN, or even Tor (with Google Chrome), Google (including DoubleClick) may be able to identify you using this X-Client-Data. Do you want Google to be able to recognize you even if you are not logged-in to your account or behind a proxy? Personally, I am not comfortable with that, but each person has a different sensitivity with regards to privacy.

"I'm sure if you explain in simple words, to national data protection offices that Google can track your computer with a 'permanent cookie' they wouldn't be happy with that at all." ®

Updated to add

After this story was published, a Google spokesperson pointed out the Chrome privacy paper still says the X-client-data header doesn't include personally identifiable information, but in different words. The relevant paragraph, we're told, is:

Additionally, a subset of low entropy variations are included in network requests sent to Google. The combined state of these variations is non-identifying, since it is based on a 13-bit low entropy value

Also, we're told our claim that Chrome sends high-entropy variations in the header is incorrect: only low-entropy variations are sent.
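To make the header's structure and the 13-bit claim concrete, here is an added example (not code from the article, from Google, or from Kiwi) that decodes the variation ids Chrome packs into X-Client-Data and sums the identifier bits an observer gains once the header is combined with other signals. It assumes Chrome's wire format, a base64-encoded protobuf with varint fields 1 (variation_id) and 3 (trigger_variation_id); the variation ids used below are constructed, not captured.

```python
import base64
import math

# Field numbers are taken from Chromium's ClientVariations proto
# (1 = variation_id, 3 = trigger_variation_id), both varint-encoded.
FIELD_VARIATION, FIELD_TRIGGER = 1, 3


def _varint(n: int) -> bytes:
    """Encode a non-negative int as a little-endian base-128 varint."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _read_varint(buf: bytes, pos: int):
    """Decode one varint at buf[pos]; return (value, next position)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def encode_client_data(variation_ids, trigger_ids=()) -> str:
    """Build a header value the way Chrome does (constructed input only)."""
    body = b"".join(bytes([FIELD_VARIATION << 3]) + _varint(v) for v in variation_ids)
    body += b"".join(bytes([FIELD_TRIGGER << 3]) + _varint(v) for v in trigger_ids)
    return base64.b64encode(body).decode()


def decode_client_data(header_value: str) -> dict:
    """Return the variation ids carried in an X-Client-Data header value."""
    raw = base64.b64decode(header_value + "=" * (-len(header_value) % 4))
    out = {"variation_id": [], "trigger_variation_id": []}
    pos = 0
    while pos < len(raw):
        tag, pos = _read_varint(raw, pos)
        field, wire_type = tag >> 3, tag & 0x7
        if wire_type != 0:  # this message only carries varint fields
            raise ValueError(f"unexpected wire type {wire_type} for field {field}")
        value, pos = _read_varint(raw, pos)
        key = {FIELD_VARIATION: "variation_id", FIELD_TRIGGER: "trigger_variation_id"}.get(field)
        out.setdefault(key or f"field_{field}", []).append(value)
    return out


def combined_bits(bucket_counts) -> float:
    """Identifier bits from independent signals, e.g. [8000] for the 0-7999 seed alone."""
    return sum(math.log2(n) for n in bucket_counts)
```

The low-entropy seed alone yields just under 13 bits, but `combined_bits([8000, other_signal_buckets])` shows how quickly that adds up with whatever else a request already reveals.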
