Another Big Win for Privacy: Death of Chrome’s User Agent String Signals Alarm For Publishers

While we were all busy lamenting the death of the third-party cookie, we just might have missed another privacy initiative that Google is about to implement.

It’s a measure to deprecate Chrome’s User-Agent string.

The User-Agent string is a string of metadata sent out by your browser when you visit a website, including your browser’s name and version, your operating system, and the rendering engine used. Together, all of the information enables fingerprinting you as a user by building a profile of you based on your computer (or mobile phone) that can be used for tracking your web browsing behavior for ad targeting. For instance that you’re an Android or iPhone user.

While phasing out the User-Agent string may hinder the ability to personalize a user’s advertising experience, the move also blocks bad behaviors, like blocking some browsers from being able to access a service and forcing them to use a specific browser.

But it could also limit IVT detection.

AdMonsters caught up with Aram Zucker-Scharff, Ad Engineering Director, RED, The Washington Post, to learn why this news is such a big deal.



Lynne d Johnson: Why do you feel the phasing out of the User-Agent string is a bigger deal than the death of the third-party cookie?

Aram Zucker-Scharff: The cookie news is interesting, and I’m excited to see progress towards rolling back a lot of the bad behaviors cookies can do. It’s vital for privacy and is something we are working towards as well with Zeus, to move away from cookie-based targeting. The current set of changes, while they could cause trouble for publishers or ad tech caught unaware, are pretty easy to comply with. Cookies are changing, but not going away yet. The client header news is more interesting, especially when considering advertising fraud.

LdJ: What role does the User-Agent string play in ad fraud detection and prevention?

AZS:  Many of the ad tech companies that provide security against fake traffic, some types of DDoS-style spam attacks, and similar situations use User-Agent data as part of a set of tools (browser-based and otherwise) for recognizing types of users. The User Agent is often part of fingerprinting. Some publishers use the data in the User Agent, along with other information, to avoid serving bad impressions and determine when traffic is invalid. This is because the User Agent leaks a lot of data about the system the page request is coming from and can contain information that makes it easy to identify as fraud.

There are other tools that have become part of the fingerprinting toolkit for some ad tech that detects user information, like feature detection, but the User Agent is a useful piece of that system.

The loss of that user data for both good and bad actors will have a more significant impact than the current set of cookie changes The ad fraud prevention industry continues to face challenges and this won’t help. The slow rollout of this change could push forward alternative, privacy-friendly, approaches for when sites have a legitimate need to know more about the user than the baseline of information (cases that include preventing ad fraud, along with a whole number of other activities, like keeping people signed on to their accounts).

LdJ: Are there any alternatives?

There are a number of helpful proposals around browser signals which require users’ consent, though few are at a point where they can be tested yet. Some proposals that examine logging-in as a potential signal on the browser level which would incentivize the use of first-party data, especially contextual and session-level.

This follows The Washington Post’s privacy-first targeting approach which centers around contextual data. Browser changes will often inspire negative inspiration, people attempting to maintain the status quo. The proposed functionality of Client Hints seems to cut off that type of behavior around user agents pretty well, and I am looking forward to seeing more of the industry join us at The Post in some positive innovation.

Editor’s Note:
In Chrome 83, the browser and OS versions of the User-Agent string will be frozen. When Google rolls out Chrome 85, all desktop and mobile browsers will be required to use a similar string. There will be a replacement API, known as ‘User-Agent Client Hints,’ that will provide similar information that the User-Agent string provides. This replacement API is intended to be more standardized and privacy-focused.