Comment by adriantam
6 years ago
> They are not including any PII... while creating a new identifier for each installation. 13 bits of entropy probably isn't a unique identifier iff you only look at that header in isolation. Combined with at least 24 additional bits[1] of entropy from the IPv4 Source Address field Google receives >=37 bits of entropy, which is almost certainly a unique ID for the browser. Linking that browser ID to a personal account is trivial as soon as someone logs in to any Google service.
Now this is interesting. Without those 13 bits of entropy, what would Google lose? Is it because of these 13 bits that Google is suddenly able to track what they were not able to before? If the IPv4 address, user-agent string, or some other behavior is sufficient to reveal a great deal of stuff, we have a more serious problem than those 13 bits. I agree that the 13-bit seed is a concern. But I am wondering if it is a concern per se, or only in its orchestration with something else. Of course, how/whether Google keeps that data also matters.
One clarification:
- By default it's much more than 13 bits of entropy
- If you disable usage statistics then you are limited to 13 bits of entropy
Actually, the low entropy provider is used for any field trials that get included in the header.
See: https://cs.chromium.org/chromium/src/components/variations/v...
> Now this is interesting. Without those 13 bits of entropy, what would Google lose? Is it because of these 13 bits that Google is suddenly able to track what they were not able to before?
At the very least, having those 13 bits of entropy along with a /24 subnet allows you to have device-level granularity, whereas a /24 subnet may be shared by hundreds of households.
They have more than 13 bits of entropy
https://cs.chromium.org/chromium/src/components/metrics/entr...
Look how the function is called, high-entropy source :)
But if you disable telemetry, they'll only have 13?
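The anonymity-set arithmetic behind the "13 bits plus a /24" argument in this thread, as an added example that is not part of any comment above and is not Chromium code. It assumes each device gets an independent, uniformly random 13-bit value; the group sizes (devices seen behind one /24) are hypothetical.

```python
import random
from collections import Counter

SEED_BITS = 13  # size of the low-entropy value discussed in the thread


def p_unique(devices, bits=SEED_BITS):
    """Probability that a given device shares its value with no other
    device in the same group (e.g. everything seen behind one /24)."""
    return (1 - 2.0 ** -bits) ** (devices - 1)


def expected_anonymity_set(devices, bits=SEED_BITS):
    """Expected number of devices (itself included) carrying the same value."""
    return 1 + (devices - 1) * 2.0 ** -bits


def simulate_unique_fraction(devices, bits=SEED_BITS, trials=200, rng_seed=1):
    """Monte Carlo check: fraction of devices whose value is unique in the group."""
    rng = random.Random(rng_seed)  # fixed seed so the run is repeatable
    unique = 0
    for _ in range(trials):
        counts = Counter(rng.getrandbits(bits) for _ in range(devices))
        unique += sum(1 for c in counts.values() if c == 1)
    return unique / (devices * trials)


if __name__ == "__main__":
    # Hypothetical group sizes: one household up to a large shared network.
    for n in (5, 500, 5000, 50000):
        print(f"{n:>6} devices: P(unique)={p_unique(n):.4f}  "
              f"E[anonymity set]={expected_anonymity_set(n):.2f}")
    print("simulated, 500 devices:", round(simulate_unique_fraction(500), 4))
```

With a few hundred devices in the group, almost every device is alone in its bucket; the value stops separating devices only when the group grows to many thousands.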