
Comment by sildur

6 years ago

I care. I care that even if I log off, even if I use a VPN, even if I go into incognito mode, they can still associate my requests with the account I initially logged in with.

The problem is any website can do that. Incognito-bypassing fingerprinting is difficult to prevent, unless you use something like uMatrix to disallow JavaScript from everything but a few select domains.

This is a collection of random-ish unique-ish attributes. Any collection of such things can be used to track you, like installed fonts, installed extensions, etc. If this were just a set of meaningless encoded random numbers, then it's essentially a kind of cookie, but that's not what it is. This is (claimed to be) a collection of information that's useful and possibly needed by some backends when testing new Chrome features. It tells servers what your Chrome browser supports. The information is probably similar to "optimizeytvids=1,betajsparser=1".

So, the only question is if Google is actually using this to help fingerprint users in addition to the pragmatic use case. It certainly could be used that way, and it's possible they are, but they have so many other ways of doing that with much higher fidelity / entropy if they want to. If this were intended as a sneaky undisclosed fingerprinting technique, I think they would've ensured it was actually 100% unique per installation, with a state space in the trillions, rather than 8000.

Yes, this could be so sneaky that they took this into consideration and made it low-entropy to create plausible deniability while still being able to increase entropy when doing composite fingerprinting, but I think it's pretty unlikely. Also, 99% of the time they could probably just use Google Analytics and Google login cookies to do this anyway.

  • Maybe one actually useful non-advertising usage could be reCAPTCHA? If you read carefully, it says nowhere that there is a limit of 8000. There is a limit of 8000 only if you disable usage statistics / crash reports.

    • Sorry about that, too late to edit it now. That is an important detail. If there are 32 or more different feature flags, then that's 4 billion unique states, which would be an effective fingerprint.

      I still think it's pretty unlikely they're using it in that way or would in the future, and I think Google fuzzing this for those who opt out of telemetry is probably a signal of good faith in this instance. They realize the privacy implications and provide a way to disengage, even if they don't intend to abuse the information.

      But of course the potential for abuse always remains. And the potential for (arguably) non-abusive tracking, like the possibility of it being used for bot detection by reCAPTCHA, as you say.

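The entropy argument made in the replies above (8000 states versus 32 or more binary flags, and how a low-entropy signal still adds bits to a composite fingerprint) as an added worked example; this is not code from the thread, and the flag string and population size are constructed sample values, not real Chrome data.

```python
import math
from typing import Dict, Iterable

# Constructed sample in the "k=v,k=v" shape the thread describes; not a real header value.
SAMPLE_FLAGS = "optimizeytvids=1,betajsparser=1,newtabui=0"


def parse_flags(value: str) -> Dict[str, str]:
    """Split a comma-separated 'key=value' flag string into a dict; malformed items are skipped."""
    flags: Dict[str, str] = {}
    for item in value.split(","):
        item = item.strip()
        if "=" not in item:
            continue
        key, _, val = item.partition("=")
        if key:
            flags[key] = val
    return flags


def bits_for_states(states: int) -> float:
    """Identifying bits contributed by an attribute spread uniformly over `states` values."""
    if states < 1:
        raise ValueError("state space must be at least 1")
    return math.log2(states)


def bits_for_binary_flags(n_flags: int) -> float:
    """n independent on/off flags give 2**n distinct states, i.e. n bits (32 flags -> ~4 billion)."""
    return bits_for_states(2 ** n_flags)


def composite_bits(attribute_states: Iterable[int]) -> float:
    """Independent attributes multiply their state spaces, so their bits add up.

    This is why a ~13-bit signal still matters alongside fonts, extensions, etc."""
    return sum(bits_for_states(s) for s in attribute_states)


def anonymity_set(population: int, bits: float) -> float:
    """Expected number of users sharing one fingerprint value in a population.

    Below 1.0 the fingerprint is effectively unique within that population."""
    if population < 1:
        raise ValueError("population must be at least 1")
    return population / (2 ** bits)
```

Roughly 13 bits from 8000 states leaves a one-million-user population in groups of about 125, while 32 independent flags on their own would single out every user in that population.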

I mean, if you don't want Google to track you, then you probably shouldn't use their browser...

I believe someone else in the thread stated it's cleared for incognito, don't remember if they meant it's not sent or that it's a new value.