Unknown Unknowns: Speculation Mounts About Freezing Chrome’s User-Agent String

Web developers are seriously concerned about the death of Chrome’s user-agent string and the ramifications it could have on the overall web (they fear it might break it), as well as the negative impact it could have on media and advertising.

It’s important to note that this update won’t only change the way metadata about a user’s browser name and version, operating system, and rendering engine used is sent out by the Chrome browser to site owners, but it will also touch Microsft Edge, Samsung’s Internet Browser, Brave and any other browser built on the Chromium Open Software Project.

The UA string is often used by publishers and ad tech vendors for targeting and personalization purposes, as well as detecting ad fraud.

A healthy debate about the pros and cons of the deprecation of the string recently surfaced in a long GitHub thread.

Some commenters doubt Google’s true motive for making these changes (stating that privacy is not enough justification).

Others question whether the tech juggernaut is engaging in anti-competitive practices that would provide it with an unfair advantage to access even more user data than it already has in its coffers.

These conversations point to the same “Privacy Budget” that is defined in Google’s Privacy Sandbox.

“Who sets the budget?” asks James Rosewell, Founder & CEO of device detection company 51degrees. “Who controls the “Privacy Budget” should be concerning to any company in competition with Google.”

“Should Google or the W3C be the decision-makers? Is Google able to be impartial when deciding on the changes that impact their competitors? How does a reduction in data for third parties increase the value of the first-party data Google holds?” he adds.

Rosewell sums up the entire brouhaha over Google freezing the UA string with these three main points.

  1. Justification – Is there sufficient justification to risk breaking the web for an unproven gain in privacy?
  2. Design – Is the design proposed the best solution? Has sufficient consultation taken place? Is the design clear and consistent with the accepted standard for engineering specifications?
  3. Alternatives – What alternatives were considered? Is there a simpler less impactful solution?

What really stands out from the conversation in the GitHub thread is that developers are really upset that Google did not open the upcoming change to public debate. Plus, many of the commenters felt that there hasn’t been enough clarity around how things will work with the new the replacement API, known as ‘User-Agent Client Hints,’ or how it will interplay with the ‘Privacy Sandbox.’

The Client Hints proposal outlines a standard for how servers send a request for information about a browser and how the browser will respond. The proposal is an Internet-Draft that is a working document of the Internet Engineering Task Force, with a discussion of the draft archived on the W3C mailing list, with working group information and issues list on GitHub.

For Google, the crackdown on the UA string is intended as a privacy-first initiative aimed at reducing fingerprinting. But some argue that the switch to Client Hints could expose an additional tracking method that could potentially be used maliciously.

As far as the advertising ecosystem is concerned, Rosewell notes that both the OpenRTB and AdCom specifications will have to be updated to add at least five new fields and the logic will also need to change.

“Then all the players in the ecosystem will need to adopt the new standard. If only one publisher, ad server exchange or SSP doesn’t then any party downstream of them will not receive accurate or complete data about the device, operating system, crawlers or browser. This will impact fraud, ad targeting, ad monitoring and the serving of creative,” says Rosewell.

There will be a major opportunity cost for publishers and ad tech vendors, given the amount of work and effort it will take to get up to speed on the changes and make certain that everything works as expected.

Rosewell wonders whether the IAB and AOP, among other similar organizations, are raising the issues presented in the GitHub thread on behalf of their memberships.

If all of the concerns raised in the GitHub thread have any real value to them, his question sounds like a really good one.