Google: You know we said that Chrome tracker contained no personally identifiable info? Yeah, about that...

Chocolate Factory clarifies its header for monitoring browser field trials following The Register report


Updated: Google has seemingly stopped claiming an identifier it uses internally to track experimental features and variations in its Chrome browser contains no personally identifiable information.

In February, Arnaud Granal, a software developer who works on a Chromium-based browser called Kiwi, claimed the X-client-data header, which Chrome sends to Google when a Google webpage has been requested, represents a unique identifier that can be used to track people across the web. As such, it could run afoul of Europe's tough privacy regulations.

When The Register reported these claims, Google insisted the X-client-data header only includes information about the variation of Chrome being used, rather than a unique fingerprint. "It is not used to identify or track individual users," the ad giant said.

The Register has no reason to believe the X-client-data header was ever used to track and identify people across websites – Google has better ways of doing that. Concern about the identifier has more to do with insufficient disclosure, inaccurate description, legal compliance, and the possibility that it might be abused for identifiable tracking.

The specific language appeared in the Google Chrome Privacy Whitepaper, a document the company maintains to explain the data Chrome provides to Google and third parties.

Last month, Google's paper said, "This Chrome-Variations header (X-client-data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation."

That language is no longer present in the latest version of the paper, published March 5, 2020.

Asked why the change was made, a Google spokesperson said only, "The Chrome white paper is regularly updated as part of the Chrome stable release process."

In place of the old language, seen in this diff image, is a slightly more detailed explanation of the X-client-data header, which comes in two variations: a low-entropy (13-bit) version that ranges from 0 to 7999, and a high-entropy version, which is what most Chrome users will send if they have not disabled usage statistics reporting.

The Register asked whether the change was made to avoid liability under Europe's GDPR for claiming incorrectly that the X-client-data header contained no information that could be used to personally identify the associated Chrome user. But Google's spokesperson didn't address that question.

In an email to The Register, Granal said, "Knowing a bit the inner-workings on both sides (including Google's lawyers), this is certainly a sensitive issue and it can be costly to Google if the issue is not addressed properly.

"As a user, in the current state, it's important to understand that no matter if you use a proxy, a VPN, or even Tor (with Google Chrome), Google (including DoubleClick) may be able to identify you using this X-Client-Data. Do you want Google to be able to recognize you even if you are not logged-in to your account or behind a proxy? Personally, I am not comfortable with that, but each person has a different sensitivity with regards to privacy.

"I'm sure if you explain in simple words, to national data protection offices that Google can track your computer with a 'permanent cookie' they wouldn't be happy with that at all." ®

Updated to add

After this story was published, a Google spokesperson pointed out the Chrome privacy paper still says the X-client-data header doesn't include personally identifiable information, but in different words. The relevant paragraph, we're told, is:

Additionally, a subset of low entropy variations are included in network requests sent to Google. The combined state of these variations is non-identifying, since it is based on a 13-bit low entropy value

Also, we're told our claim that Chrome sends high-entropy variations in the header is incorrect: only low-entropy variations are sent.
