
Google tracks individual users per Chrome installation ID - rvnx
https://github.com/w3ctag/design-reviews/issues/467#issuecomment-581944600
======
janpot
Not endorsing this, but according to
[https://www.google.com/chrome/privacy/whitepaper.html#variat...](https://www.google.com/chrome/privacy/whitepaper.html#variations)

> We want to build features that users want, so a subset of users may get a
> sneak peek at new functionality being tested before it’s launched to the
> world at large. A list of field trials that are currently active on your
> installation of Chrome will be included in all requests sent to Google. This
> Chrome-Variations header (X-Client-Data) will not contain any personally
> identifiable information, and will only describe the state of the
> installation of Chrome itself, including active variations, as well as
> server-side experiments that may affect the installation.

> The variations active for a given installation are determined by a seed
> number which is randomly selected on first run. If usage statistics and
> crash reports are disabled, this number is chosen between 0 and 7999 (13
> bits of entropy). If you would like to reset your variations seed, run
> Chrome with the command line flag “--reset-variation-state”. Experiments may
> be further limited by country (determined by your IP address), operating
> system, Chrome version and other parameters.

~~~
pdkl95
This is impressive doublespeak.

> This ... header ... will not contain any personally identifiable information

> a seed number which is randomly selected on first run ... chosen between 0
> and 7999 (13 bits of entropy)

They are not including any PII... while creating a new identifier for each
installation. 13 bits of entropy _probably_ isn't a unique identifier iff you
only look at that header in isolation. Combined with _at least_ 24 additional
bits[1] of entropy from the IPv4 Source Address field Google receives >=37
bits of entropy, which is almost certainly a unique ID for the browser.
Linking that browser ID to a personal account is trivial as soon as someone
logs in to any Google service.

> Experiments may be further limited by country (determined by your IP
> address)

They even admit to inspecting the IP address...

> operating system, Chrome version and other parameters.

...and many additional sources of entropy.

[1] why 24 bits instead of 32? The LSB of the address might be zeroed if the
packet is affected by Google's faux-"anonymization" feature
([https://news.ycombinator.com/item?id=15167059](https://news.ycombinator.com/item?id=15167059))

~~~
clSTophEjUdRanu
> Linking that browser ID to a personal account is trivial as soon as someone
> logs in to any Google service.

Wat? You mean to tell me they can identify you if you log into their service?

Am I missing something here? Who cares?

~~~
sildur
I care. I care that even if I log off, even if I use a vpn, even if I go
into incognito mode, they still can associate my requests with the account I
initially logged in.

~~~
meowface
The problem is any website can do that. Incognito-bypassing fingerprinting is
difficult to prevent, unless you use something like uMatrix to disallow
JavaScript from everything but a few select domains.

This is a collection of random-ish unique-ish attributes. Any collection of
such things can be used to track you, like installed fonts, installed
extensions, etc. If this were just a set of meaningless encoded random
numbers, then it's essentially a kind of cookie, but that's not what it is.
This is (claimed to be) a collection of information that's useful and possibly
needed by some backends when testing new Chrome features. It tells servers
what your Chrome browser supports. The information is probably similar to
"optimizeytvids=1,betajsparser=1".

So, the only question is if Google is actually using this to help fingerprint
users in addition to the pragmatic use case. It certainly could be used that
way, and it's possible they are, but they have so many other ways of doing
that with much higher fidelity / entropy if they want to. If this were
intended as a sneaky undisclosed fingerprinting technique, I think they
would've ensured it was actually 100% unique per installation, with a state
space in the trillions, rather than 8000.

Yes, this could be so sneaky that they took this into consideration and made
it low-entropy to create plausible deniability while still being able to
increase entropy when doing composite fingerprinting, but I think it's pretty
unlikely. Also, 99% of the time they could probably just use Google
Analytics and Google login cookies to do this anyway.

~~~
rvnx
Maybe one actually useful non-advertising usage could be reCAPTCHA ? If you
read carefully, it says nowhere that there is the limit to 8000. There is this
limit of 8000 only if you disable usage statistics / crash reports.

~~~
meowface
Sorry about that, too late to edit it now. That is an important detail. If
there are 32 or more different feature flags, then that's 4 billion unique
states, which would be an effective fingerprint.

I still think it's pretty unlikely they're using it in that way or would in
the future, and I think Google fuzzing this for those who opt out of telemetry
is probably a signal of good faith in this instance. They realize the privacy
implications and provide a way to disengage, even if they don't intend to
abuse the information.

But of course the potential for abuse always remains. And the potential for
(arguably) non-abusive tracking, like the possibility of it being used for bot
detection by reCAPTCHA, as you say.

~~~
imtringued
reCAPTCHA is the most abusive type of tracking. Google simply denies you usage
of captcha if you do not give them enough personal information. It doesn't
matter if you enter the captcha correctly 20 times. It won't let you in.

~~~
meowface
This is part of the bot detection, though. It's probably not "not enough
personal information", it's "this truly seems like it is unlikely to be a
legitimate device/person", due to the huge datasets they're working with. Same
with Cloudflare and Tor. Once you operate a security service anywhere near
that scale, you start to understand there are inherent challenges and
tradeoffs like these,

------
bsharitt
Everybody imagine going back 15 years and tell yourself that you're using a
web browser made by the parent company of DoubleClick. Your 15 year ago self
would think you're a moron (assuming that 15 years ago you were old enough to
know what DoubleClick was).

~~~
rplnt
I always believed that tech-savvy people using Google Chrome are morons. It's
the perfect blend of Google being evil trying to force it to everyone, the
browser being dumbed down to masses so much it's missing the most basic
features, and I guess privacy concerns too when using browser from advertising
company.

------
d1zzy
TL;DR I think whoever posted that is trying to bury the UA anonymizing feature
by derailing the discussion.

What I'm seeing is an RFC for anonymizing parts of User-Agent in order to
reduce UA based fingerprinting, which improves everyone's privacy, that's a
good thing!

Then I see someone comments how that could negatively impact existing websites
or Chromium-derived browsers, comments which are totally fair and make an
argument that may not be a good idea doing this change because of that.

Then someone mentions the _existing_ x-client-data headers attached to
requests that uniquely identify a Chrome installation. Then a lot of comments
on that, including here on HN.

To me that's derailing the original issue. If we want to propose that Chrome
remove those headers we should do so as a separate issue and have people
comment/vote on that. By talking about it on the UA anonymizing proposal we
are polluting that discussion and effectively stalling that proposal which, if
approved, could improve privacy (especially since it will go into Chromium so
then any non-Chrome builds can get the feature without having to worry about
x-client-data that Chrome does).

~~~
mabbo
I think the concern is that this disarms Google's competitors while keeping
them fully-armed.

Ads are a business, and they are Google's business. They are how they make
money. And like all businesses, they are competitive. Tracking is a way to
make more money off online advertising. By removing tracking from their
competitors while keeping it for themselves, Google stand to make a lot of
money off this change.

Their motivations are not honest, but they're pushing them as if this is the
high road. It isn't. It's the dirty low road of dominating the online ad
business, made possible by their dominance in the browser market. And it's
always been the end-goal of Chrome browser.

~~~
aidos
While I agree with some of your comment, I feel like it’s harsh to paint the
whole chrome enterprise with that brush. Chrome was about freeing the world of
a truly terrible web browser and a lot of devoted devs have spent a lot of
time working on it. There’s an advertising aspect that it’s right to call out,
but I think on the whole it was done to make the internet better, because the
internet is google’s business too.

EDIT I just wanted to point out that a load of people have poured their lives
into making Google Chrome the amazing bit of software that it is and
suggesting that the end-goal has been entirely about supplying ads does a
great disservice to their personal contributions.

~~~
jariel
"Chrome was about freeing the world of a truly terrible web browser "

Chrome is about establishing more control over the web to further the business
objectives of Google and Alphabet.

The problem with this belief of Google as some kind of 'benevolent actor' is a
function of the new kind of branding they helped introduce, something that an
entire generation of particularly young people are being duped by.

'Brand' used to be the image that companies presented - it was a decision, a
marketing tactic, usually invented by agencies. Google was one of the first to
change that, to effectively 'internalize' the brand so that they (staff, even
leaders) really kind of believed their own kool-aid. There's an incredible
aura of 'authenticity' to this; when leaders really believe their own schtick,
it rings more powerfully. (This is an issue for another thread.)

But Google has proven that in the long run, they're just a regular company. I
don't think they are bad actors, and in the big picture, they're better than
most. But, they're just a self-interested entity: they will do whatever is in
their power and which is also legal, to leverage their incumbency and stymie
competition.

~~~
wuliwong
> The problem with this belief of Google as some kind of 'benevolent actor'

You put 'benevolent actor' in quotes as if the comment you are replying to
contained that. It didn't.

~~~
henriquemaia
Stress quotes. That is just one of the possible devices to achieve that.

I see a lot of that here, people misunderstanding basic speech/writing
conventions. Maybe giving the op the benefit of doubt, assuming s/he knows
what s/he is doing, can help avoid some of those.

------
userbinator
As long as web developers continue to create (app-)sites that only work in the
latest versions of Chrome (and Chromium-ish) browsers, giving users little
effective choice over what browsers they can use, this sort of abusive
behaviour will continue. The sort of "feature-racing" that Google engages in
is ultimately harmful for the open web. Mozilla struggles to keep up, Opera
surrendered a while ago, and more recently, Microsoft seems to have already
given up completely.

I feel like it's time we "hold the Web back" again. Leave behind the
increasingly-walled-garden of "modern" appsites and their reliance on hostile
browsers, and popularise simple HTML and CSS, with forms for interactivity,
maybe even just a little JavaScript where absolutely necessary. Something that
is usable with a browser like Dillo or Netsurf, or even one of the text-based
ones. Making sites that are usable in more browsers than the top 2 (or 1) will
weaken the amount of control that Google has, by allowing more browsers to
appear and gain userbases.

~~~
koheripbal
Are there really that many popular extensions not available on Firefox? I may
be just one anecdote, but I think I'm pretty typical, and I've found the
transition to Firefox to be quite pleasant, and uneventful.

~~~
Yizahi
Popular - no. Essential - yes. Case in point - my bank (top 5 in my country)
which uses Chrome plugin for security purposes, you need it to create digital
signature. So once a year I HAVE to install Chrome (key expires every year)
and then delete it. I've also found at least one payment processor not working
in Firefox, my city portal for public transport and several small sites. The
worrying thing is the trend - with Firefox share dropping below 10% recently
it will be abandoned more and more.

~~~
koheripbal
In those cases, have you tried IE instead rather than installing Chrome?

~~~
Yizahi
Installing Chrome was strictly needed only for banking plugin. Didn't have a
chance to check yet with a new Chrome-Edge but will definitely try it.

------
csagan5
Credits to the ungoogled-chromium project [0] for the patch [1] which is also
used in Bromite since 15 February 2018 to prevent this type of leak; see also
my reply here: [2]

[0]: [https://github.com/Eloston/ungoogled-chromium](https://github.com/Eloston/ungoogled-chromium)

[1]:
[https://github.com/bromite/bromite/blob/79.0.3945.139/build/...](https://github.com/bromite/bromite/blob/79.0.3945.139/build/patches/ungoogled-chromium-Disable-Google-host-detection.patch)

[2]:
[https://github.com/bromite/bromite/issues/480#issuecomment-5...](https://github.com/bromite/bromite/issues/480#issuecomment-582070839)

------
ec109685
You can see all the domains they add the header to here:
[https://chromium.googlesource.com/chromium/src/+/master/comp...](https://chromium.googlesource.com/chromium/src/+/master/components/variations/net/variations_http_headers_unittest.cc)

Previous discussion:
[https://news.ycombinator.com/item?id=21034849](https://news.ycombinator.com/item?id=21034849)

~~~
tbodt
Actual list:
[https://cs.chromium.org/chromium/src/components/google/core/...](https://cs.chromium.org/chromium/src/components/google/core/common/google_util.cc?q=IsGoogleAssociatedDomainUrl)

~~~
chatmasta
This seems like a cut-and-dry case of getting caught in monopolistic behavior.
The code is right there. The Chrome codebase has special features for Google’s
own web properties.

I hope all these AGs suing google have some good tech advisors. It’s hard to
keep track of all the nefarious things google has been up to over the past
decade.

~~~
akersten
> This seems like a cut-and-dry case of getting caught in monopolistic
> behavior. The code is right there.

???

Is "Darn, their browser only gets to track me on their own websites; if Google
were playing fairly, they'd send the tracking header to _all_ websites so I
can be tracked more and have less privacy" the argument you're making here?

And it's debatable that this header is actually serving a tracking purpose at
all. Being limited to their own web properties cements it as a diagnostic to
me. What use is a tracking header that only gets sent to domains they already
know you're visiting?

~~~
randomdude402
You realize that whenever a user visits a page that uses AdWords, AdSense, or
login via Google, they download a script file from one of those domains,
right?

So a user can log into Google and then log out, tying that header data to
whatever PII Google has attached to them, and future visits to any sites using
those and probably other services can be attached to the individual, despite
them having intended to be logged out of Google services.

------
AlphaWeaver
According to this source code [0], it looks like this is in Chromium as well.
Does that mean this affects Electron applications?

[0]:
[https://chromium.googlesource.com/chromium/src/+/master/comp...](https://chromium.googlesource.com/chromium/src/+/master/components/variations/net/variations_http_headers.cc)

~~~
nornagon
Electron maintainer here. Electron does not send this header.

~~~
croh
Thanks for clarification.

------
carlsborg
If you strace chrome on linux it also picks up /etc/machine-id (or it did back
when I looked), which is a 32 byte randomly generated string which uniquely
identifies you and on some systems is used as the DHCP ID across reboots.

~~~
xfs
First I thought reading /etc/machine-id would be expected if Chrome uses D-bus
or pulseaudio libraries which depend on D-bus, and /etc/machine-id is part of
D-bus. But no, they really use it for tracking purposes.

And in a sick twist they have this comment for it:

    
    
      std::string BrowserDMTokenStorageLinux::InitClientId() {
        // The client ID is derived from /etc/machine-id
        // (https://www.freedesktop.org/software/systemd/man/machine-id.html). As per
        // guidelines, this ID must not be transmitted outside of the machine, which
        // is why we hash it first and then encode it in base64 before transmitting
        // it.

~~~
chias
In fairness, the guidelines they reference suggest you do exactly what the
comment says they're doing (assuming they're keying the hash). The guidelines
seem explicitly written with the idea that unique identifiers _derived from_
this value are not similarly quarantined, provided that you cannot take the
derived value and "reverse" it back to the original identifier.

Quoting from
[https://www.freedesktop.org/software/systemd/man/machine-id....](https://www.freedesktop.org/software/systemd/man/machine-id.html):

> This ID uniquely identifies the host. It should be considered "confidential",
> and must not be exposed in untrusted environments, in particular on the
> network. If a stable unique identifier that is tied to the machine is needed
> for some application, the machine ID or any part of it must not be used
> directly. Instead the machine ID should be hashed with a cryptographic, keyed
> hash function, using a fixed, application-specific key. That way the ID will
> be properly unique, and derived in a constant way from the machine ID but
> there will be no way to retrieve the original machine ID from the
> application-specific one.
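
The difference between a plain hash and the keyed hash that the quoted machine-id guideline asks for, as an added example (not part of the original comment and not Chromium's code). The machine IDs and application keys are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample machine IDs in the /etc/machine-id format
# (32 lowercase hex characters). They are not taken from any real host.
SAMPLE_MACHINE_IDS = [
    "4f3c2a1b9e8d7c6b5a49382716054e3d",
    "0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    "9b7e1c55d2a84f0e8c3361fa27d40b6a",
]

# Hypothetical fixed, application-specific keys (constructed, 16 bytes each).
APP_A_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
APP_B_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def parse_machine_id(text: str) -> bytes:
    """Validate a machine ID string and return its 16 raw bytes."""
    s = text.strip()
    if len(s) != 32 or any(c not in "0123456789abcdef" for c in s):
        raise ValueError("machine ID must be 32 lowercase hex characters")
    raw = bytes.fromhex(s)
    if raw == bytes(16):
        raise ValueError("all-zero machine ID is not valid")
    return raw


def unkeyed_id(machine_id: bytes) -> str:
    """Plain SHA-256 of the machine ID.

    The raw value is hidden, but every application that derives its ID this
    way ends up with the same value for the same machine.
    """
    return hashlib.sha256(machine_id).hexdigest()[:32]


def app_specific_id(machine_id: bytes, app_key: bytes) -> str:
    """HMAC-SHA256 of the machine ID under a fixed application-specific key.

    The result is constant for a given machine and application, differs
    between applications, and cannot be turned back into the machine ID.
    """
    if len(app_key) < 16:
        raise ValueError("application key should be at least 16 bytes")
    digest = hmac.new(app_key, machine_id, hashlib.sha256).digest()
    return digest[:16].hex()


def linkable_machines(derive_a, derive_b, machine_ids) -> int:
    """Count machines two independent applications could join on
    by comparing the identifiers each of them derived."""
    seen_by_a = {derive_a(m) for m in machine_ids}
    seen_by_b = {derive_b(m) for m in machine_ids}
    return len(seen_by_a & seen_by_b)


def compare_schemes(machine_id_strings=SAMPLE_MACHINE_IDS) -> dict:
    """Return how many machines are linkable across two apps per scheme."""
    ids = [parse_machine_id(s) for s in machine_id_strings]
    return {
        "unkeyed": linkable_machines(unkeyed_id, unkeyed_id, ids),
        "keyed": linkable_machines(
            lambda m: app_specific_id(m, APP_A_KEY),
            lambda m: app_specific_id(m, APP_B_KEY),
            ids,
        ),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

In both schemes the derived value is still stable and unique per machine; the key only stops recovery of the raw ID and joins between applications that use different keys.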

~~~
pbhjpbhj
What else is going to break if one randomises that ID (per boot or per hour,
say)?

~~~
mc3
What about running Chrome inside a container?

~~~
Tijdreiziger
What about not running Chrome?

------
om2
I'm surprised this hasn't gotten any mainstream tech press attention. Chrome's
Privacy Whitepaper describes a number of privacy-questionable nonstandard
headers which are only sent to Google services. Just try searching for X-
here:

[https://www.google.com/chrome/privacy/whitepaper.html](https://www.google.com/chrome/privacy/whitepaper.html)

And for ease of reading, a few others:

> On Android, your location will also be sent to Google via an X-Geo HTTP
> request header if Google is your default search engine, the Chrome app has
> the permission to use your geolocation, and you haven’t blocked geolocation
> for www.google.com (or country-specific origins such as www.google.de)

> To measure searches and Chrome usage driven by a particular campaign, Chrome
> inserts a promotional tag, not unique to you or your device, in the searches
> you perform on Google. This non-unique tag contains information about how
> Chrome was obtained, the week when Chrome was installed, and the week when
> the first search was performed. ... This non-unique promotional tag is
> included when performing searches via Google (the tag appears as a parameter
> beginning with "rlz=" when triggered from the Omnibox, or as an
> “x-rlz-string” HTTP header).

> On Android and desktop, Chrome signals to Google web services that you are
> signed into Chrome by attaching an X-Chrome-Connected and/or
> C-Chrome-ID-Consistency-Request header to any HTTPS requests to Google-owned
> domains. On iOS, the CHROME_CONNECTED cookie is used instead.

~~~
RonanTheGrey
Holy rotten metal batman... those are pretty bad. Why in the world isn't
everyone up in arms over this?....

------
scoutt
PII concept is not the same for everyone/everywhere. For GDPR we have:

> Article 4(1): ‘personal data’ means any information relating to an
> identified or identifiable natural person (‘data subject’); an identifiable
> natural person is one who can be identified, _directly or indirectly_, in
> particular by reference to an identifier such as a name, an identification
> number, location data, an online identifier or to one or more factors
> specific to the physical, physiological, genetic, mental, economic, cultural
> or social identity of that natural person;

If this chrome browser ID is matched against a (for example) google account,
then they can track every single person. And that is just a couple of IDs, let
alone all the quantity of data they have.

It's against GDPR to not be clear about this kind of ID. If my browser has a
unique ID that is transmitted, then this ID can be coupled with other
information to retrieve my identity and behavior, so it should be informed (in
the EU).

EDIT: TL;DR, hiding behind "there is no PII in that ID" is not enough.

~~~
Mirioron
Who's going to raise this issue though? And what if they put this in the
browser's T&C?

~~~
pbhjpbhj
I thought they needed explicit consent. T&Cs ain't that.

------
nojvek
Well why does Chrome send this special header to only Google properties like
YouTube and search and not the rest of the internet.

It really seems fishy and a lot of double speak. I really don’t trust Google
here.

~~~
bonestamp2
> and not the rest of the internet

Privacy issues aside, this might not help an antitrust case if one is brought
against them.

------
raxxorrax
This is outrageous. Browsers are user-agents, not advertising accelerators.
They should hide as much personal identifiable information as possible. This
is exactly why using a browser from an advertising company is not a good idea.
They use it to improve their service... The lie gets old...

This comment was sadly written in Chrome, since I need it for testing...

edit: pretty much exactly 10 years ago they already tried their shit with a
unique id. We should have learned from that experience.

~~~
jaywalk
Well when the browser is created by an advertising company...

------
Tepix
According to
[https://www.google.com/chrome/privacy/whitepaper.html](https://www.google.com/chrome/privacy/whitepaper.html)

" _We want to build features that users want, so a subset of users may get a
sneak peek at new functionality being tested before it’s launched to the world
at large. A list of field trials that are currently active on your
installation of Chrome will be included in all requests sent to Google. This
Chrome-Variations header (X-Client-Data) will not contain any personally
identifiable information, and will only describe the state of the installation
of Chrome itself, including active variations, as well as server-side
experiments that may affect the installation._ "

While this header may not contain personally identifiable information, its
presence will make every request by this user far more unique and thus easier
to track. I do not see Google saying they won't use it to improve their
tracking of people.

~~~
goatinaboat
One click while logged into any Google property will be enough for them to
permanently associate this GUID with your (shadow) account, they know it, and
they know you know it too

------
TheRealPomax
So, an extremely unique identifier for tracking purposes, that effectively no
one knows exists, and no one knows can be changed at all?

With an obscure white paper that allows Google to claim they comply with the
law because "they totally offer a way to change that and they even published
that information to the web for anyone to find"?

Gotcha.

~~~
winternett
Don't be evil...

Until we are deployed enough that users don't have a choice...

Now that Google has cornered the market for Internet browsing, they're using
that foothold to change how it works to suit their dominance. This is why they
are not concerned about per-site tracking that Google Analytics does, as long
as THEY as a company have direct browser-based tracking, they no longer need
to provide tracking services to other private companies to know what is
trending everywhere. This is also probably why they're trying to kill ad
blockers and certain browser privacy extensions.... But they won't really
matter to Google if everything is done at the browser level to begin with from
now on. :/

If they make moves to scale back [free] Google Analytics, which they probably
will at some point, it will only highlight this ideal... They may turn to
selling their privately collected metrics and qualitative studies to companies
after Google Analytics is rendered useless, and then that's unadulterated
monopolistic profit for them and shareholders...

Diabolical.

~~~
tigroferoce
True. But luckily you actually have a choice. Many opt for DuckDuckGo on
Firefox, for instance.

~~~
LinuxBender
You are right, but they also know most people won't switch. They have an
entire generation of folks that don't even think about privacy.

~~~
K0SM0S
There's also the subset of all of us who must use Chrome because <solution X>
needed for work requires said browser. Google's dominance through Chrome
extends to the whole ecosystem. Same thing with Apple inside their own (which
is nowhere near a monopoly at 10-15% market share worldwide, thus totally fair
game by comparison).

------
c16
Chrome explicitly having a line [1] of code to not send the `x-client-data`
header to Yahoo made me laugh.

[1]
[https://chromium.googlesource.com/chromium/src/+/master/comp...](https://chromium.googlesource.com/chromium/src/+/master/components/variations/net/variations_http_headers_unittest.cc#47)

~~~
jcl
FWIW, it looks like that's a test case -- it is not part of Chrome itself.
They most likely just wanted an example of a third-party website, and could
have used any non-Google site there.

~~~
c16
Yes, but they tested Yahoo of all websites to make sure they don't send
tracking data, and not an unrelated website like wikipedia or archive.org. The
only non-google test case too I might add.

~~~
gruez
It's a test case I wouldn't read too much into it. Maybe it's evidence of a
massive anti-trust conspiracy at google, but it could very well be because
it's the first domain that came to the programmer's mind at the time.

~~~
jmccorm
I wasn't aware of this, but it still seems like a thread worth pulling on.
You're assuming, right? The reason I ask is that using any third-party company
seems inappropriate. Even more so when Google has plenty of domains of its own
to test against. Even more so when it is against a media/advertising company.
And again, even more so against a company that changed from Google to Bing to
power their search function. It seems to be an inappropriate or poor choice,
doesn't it?

There's no smoking gun here, but I don't think that concern might be dismissed
out of hand. It might be good to see what Yahoo's take on this. This could
even evolve into participation by the US Attorney General. I'd like to know
more, either way. Like if Yahoo was independently added to the list at a later
date, or if it was there from the start?

~~~
zerocrates
The functionality is the functionality: it targets the header to Google sites.
If there's a legal issue it really stands or falls there, not on the presence
of another company's domain in the tests. There's nothing Yahoo-specific about
what Chrome is actually doing.

------
KenanSulayman
Don’t forget that even if the number is varying only in an interval of 0 and
7999, this means without cookies a unique chrome installation can be
identified if multiple users are using the same IP, like residential houses
with families, etc. — that way it is possible to determine the unique amount
of devices inside a house.

~~~
KCUOJJQJ
> that way it is possible to determine the unique amount of devices inside a
> house.

There are exceptions I guess. Imagine 8000 households in which couples live.
Both partners own the same MacBook model. In 1/8000 cases Google would think
there is only one person.

------
mooreed
It seems like a reasonable time to bring up the reformer project 'ungoogled-
chrome' [1]. I have used it and new versions of Firefox for over 3 years and
have seldom had to jump back to `Googlified Chrome.` Do know that installing
via `brew` [2] means no - standard browser auto-update. Which in this case,
makes sense to me.

Aside: It seems to me the realist punk / anti-the-man software one can work on
is a user respecting browser. I don't work on these, but I am very grateful
for those out there who do.

\-------

\- [1]: [https://github.com/Eloston/ungoogled-chromium#downloads](https://github.com/Eloston/ungoogled-chromium#downloads)

\- [2]: Brew install via: `brew cask fetch eloston-chromium && brew cask
install eloston-chromium`

Enjoy old school browsing with new school development benefits.

------
dmtroyer
I must be dense but I never see the `x-client-data` header in the request
headers of the network tab in developer tools.

~~~
throwawaylolx
I just tried it now on google.com, and it sent it in 6 requests. You can
ctrl+f in developer tools in Chrome.

~~~
dessant
I think extensions can filter out the x-client-data header, though Google
should definitely make this data collection opt-in.

GDPR is very clear about this data being personal information [1], since
Google has access to the IP address on the receiving end, which has been
repeatedly tested in courts as being personal data.

Google is engaging in personal data harvesting without user consent and
control, and no amount of mental gymnastics presented in their privacy
whitepaper [2] will save them in courts.

[1] [https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en)

[2]
[https://www.google.com/chrome/privacy/whitepaper.html#variat...](https://www.google.com/chrome/privacy/whitepaper.html#variations)

~~~
dmtroyer
Oh interesting, it must be an extension that is filtering it out for me
(Ghostery, DDG Privacy Essentials or Adblock Plus in my case)

------
StevePerkins
Is this at the "Chrome" level, or baked in at the "Chromium" level? And
therefore also an issue for Brave, Opera, Vivaldi, new-Edge, and anything else
jumping on the browser engine monoculture?

~~~
jakoblorz
Don't forget Electron! Like Atom, VS Code etc

~~~
nornagon
Electron maintainer here. Electron doesn't send this header.

~~~
NotSammyHagar
Thank you for that.

------
MrZongle2
I am Jack's complete lack of surprise.

Firefox and DuckDuckGo, folks. Today's Google is no more benevolent than
yesterday's Microsoft.

------
gunn
To give them some credit: it's not sent when in incognito mode.

~~~
macinjosh
How thoughtful of them!

------
ravedave5
It appears that chrome based Edge does not send this header. I've switched to
firefox for everything I can switch, perhaps it's time to use Edgeium over
chrome for anything else.

~~~
pbhjpbhj
MS Windows probably used the Skype to fingerprint you already, and don't need
the browser to do it explicitly?

------
sutro
Bypassing CORS checks by "hiding" X-Client-Data:
[https://chromium.googlesource.com/chromium/src/+/f3ceca9d0fd...](https://chromium.googlesource.com/chromium/src/+/f3ceca9d0fd61ffd099daf24847e27562b7da933)

------
krick
Lol, is it news? I mean, it worked like this as long as I can remember,
privacy conscious users were complaining for years, helplessly watching as
Chrome market share grows, but nobody really cared, so... And now, suddenly,
people act like this is big news and they are outraged by such blatant and
unexpected(!) intrusion into their privacy.

Wow. I don't even know how I feel about it anymore.

------
chrshawkes
I noticed this when doing work with Puppeteer lately. I thought about
reporting it but didn't exactly know what I was looking at.

------
woho
I use (sometimes/often) mitmproxy and remove or change suspect headers. It is
also nice to remove all the fb, google and more crap from the html. And much
more. It is a lot of work not to break a website. I don't know whether I am
more trackable or not - this is the 'only browser' without x-client-data
header.

------
balls187
This is why I use firefox for personal browsing, and edge for work.

Now that Edge / Chromium is out of beta, even better.

------
mirimir
I've always assumed that everything I install tracks me through some unique
ID. That's arguably wrong for typical Linux packages, but being right just
once is enough to justify the assumption.

And for Google, it's arguably foolish to think that they don't.

------
pier25
Chromium too?

~~~
macinjosh
Doesn't look like it from my testing of version 81.0.4036.0. But in normal
Chrome I do see it.

~~~
olah_1
Can you test it in Microsoft's new Edge browser based on Chromium? I'm very
curious about that. (I don't know how to test such a thing myself, sorry :S)

~~~
ryneandal
I didn't see the x-client-header in the Edge insider browser when accessing
YouTube.

~~~
pier25
I don't see it in Brave either

------
sergiotapia
I dropped chrome a long time ago and switched to Brave. Does Brave have these
same issues, considering it uses webkit for its rendering engine? Am I just
being paranoid?

What a tumor google has become.

~~~
pier25
Brave uses Chromium not Webkit.

------
BLO716
With that said, one can simply filter out these analytics with a
c:\Windows\System32\Drivers\etc\hosts -> pointing to 0.0.0.0 or PiHole
solution ([https://pi-hole.net/](https://pi-hole.net/)), yes?

I mean, this is probably not the holistic solution, but this is why we have a
firewall, vpn, antivirus, filters to just keep DNS in check, yes?

~~~
janvidar
Yes, you can if you are willing to block google.com, android.com and
youtube.com.

doubleclick.com might not be terrible for most, though.

Interestingly enough, it does not add headers when accessing a country specific
google domain in the EU - such as google.de or google.fr. Is that GDPR kicking
in - with a nod to the brexiteers given that google.co.uk gets these
headers... ?

~~~
ins0
Not sure, but my chrome will send the additional `x-client-data` header even
when I'm on e.g. `google.de`

------
hitpointdrew
Not shocking. I never trusted Chrome, and never switched over to it. I never
understood that Firefox hate. I never thought it was "slow" like so many
complaints I have seen. Apparently Firefox is fast and amazing again, I
certainly think it is better than it was several years ago, but again even
several years ago I didn't ever think it was slow.

------
Havoc
I’ve taken to using FF for browsing with noscript etc and chrome for when I
need something to work well and can accept some tracking

------
troseph
No Facebook Firefox PiHole is my Live Love Laugh

------
nurettin
Please do not destroy vital testing apparatus.

------
sub7
The sad part is that most times Google violates your privacy, it's just some
PM who thinks having some data will be super important and in most cases
they're wrong.

Caveat here is that in 99.99999% cases it's also the case that nobody ever
looks at your individual file but the fact that they could is bad enough.

------
fnord77
Can browser plugins control what headers go out? If so then a simple browser
plugin could put a stop to this.

------
fnord77
Can scripts from non-google sites making XHR requests to google domains see
the outgoing request headers?

------
marco1
Analysis of the same tracking mechanisms from September 2018, and its
discussion on HN late last year:
[https://news.ycombinator.com/item?id=21034849](https://news.ycombinator.com/item?id=21034849)

------
outside1234
Does this apply to Edge installations? (If not, another great reason to move
to Edge.)

------
everdrive
Is this Chrome the browser, ChromeOS, or both? And if so, will it be in
Chromium?

------
codedokode
By the way, if you use Chrome and Google as a default search engine, Google
gets a signal from your browser (with cookies) every time you open a new tab.
You can check it with DevTools.

------
olliej
Am I getting this right?

Irrespective of whether you use any other google products, if you use chrome
google can now track you over any property that uses google ads, recaptcha,
etc.

The header is inserted by the browser after any extensions run, and google
pins google properties so you can have an intermediate proxy that strips the
header, so they gain persistent tracking of all users across most of the web?

If it wasn’t a tracking vector why do they limit it to just google ads, etc?
Why not other ad providers as well?

------
cft
Just in time for their announcement that they plan to abolish third party
cookies by 2021. Talk about monopoly.

------
dragonsh
This is another instance that google doesn’t care about users' privacy and
tracks without their consent by using chrome installation Id. This probably
might be against GDPR, so Chrome installed base in Europe multiplied by per
day fine, hopefully runs into a year's revenue of google.

Another lesson don’t trust for profit companies with privacy protection
especially advertising technology company like google with motto like don’t be
evil or organize world’s information designed to mislead.

~~~
mateo1
Honestly, it's 2020, even if your technical understanding is so low that you
have no idea what a "browser" is, you _know_ that Google will do anything in
its impressive power to track down everything you do with legal or illegal
means. Thanks to Snowden, this is no longer a conspiracy theory. It's a fact.

Google should be fined for this but they probably won't be.

------
metastart
It's not in the Epic Privacy Browser (a chromium-based web browser) :-). Is it
in Chromium?

------
blfr
And, since it's per installation, it nicely ties all your profiles together
for Google.

------
bprasanna
Obviously! What else to expect from Google! In the user personalization...

------
jacobwilliamroy
Is this also true for all the standalone binaries that embed chromium?

------
_pmf_
Just ask: why does an advertising company make a browser?

~~~
Keloo
so that you don't have to pay royalties to other browsers for being the main
search engine. I mean you have to pay one less. And if you have the most used
browser, you save a lot.

~~~
josefx
In the good old days everyone and their grandmother just sideloaded their
malware toolbars with freeware crap like picasa or maps or outright bundled
their bloatware with the system like Google still does for Android.

------
haecceity
What does freezing mean here?

------
masterfooo
How about Electron apps?

------
swiley
Google consumer software is almost universally an active full frontal attack
on you. Stop using it.

~~~
a_wild_dandan
This sounded harder to do than it was in my experience. I figured the
alternatives to their products would be less polished. But I switched to
Firefox and honestly prefer it to Chrome. (They allow extensions on Android,
meaning adblock, which is a game changer for me.) DDG for search is great.
Protonmail for email is fine, etc. There isn't much in the Google ecosystem
that I miss tbh.

~~~
Scarbutt
For me it's google docs and maps.

~~~
dleslie
If you need online office and maps then there's Microsoft Office and Bing
Maps. Office is an excellent product, well worth the few bucks a month.

AFAIK, Office is fairly good about privacy.

------
altitudinous
IP address inspection has been getting a large amount of attention recently.
It is considered a privacy violation, yet it is required to determine
location, so devs know which privacy laws apply.

GDPR only applies in Europe, and CCPA only applies in California. How is one
meant to determine which set of laws applies inside a piece of software
without being able to determine location?

A waste of time (don't bother) answer is : Just apply maximum privacy
everywhere and you won't have to worry about it... The response is always
going to be - Many free tools you use are funded by advertising etc and
advertising depends on being able to know where someone is, at least to the
country level. Cutting off location and therefore revenue is not going to give
people the software they want.

Other facts that usually matter - only 1-2% of people want to pay for private
software. Everyone else wants the free option. Source : my apps.

How is software meant to determine location?

------
drderidder
New motto: "Don't get caught being evil".

------
EastSmith
Downvote me how many times you want, but Mozilla needs to fork Chromium,
degoogle it and fix the web.

Mozilla is the only internet entity I can say I trust, I am donating to it,
and yet I am using Chrome and Brave on both Desktop and mobile.

Just follow the users and fork it!

~~~
jrockway
Mozilla makes a web browser called Firefox. You should try it!

~~~
EastSmith
I've used it for many years, then switched to chrome and since then I've tried
it more times than I want to admit. I am also donating to it.

~~~
lucasverra
Switch to Edgium then - FF user

------
jkepler
Am I correct to understand that this backdoor tracking of individual users
applies to the standard Chromium browser (i.e., the non Eloston ungoogled-
chromium) as well as the Chrome browser?

If so, it's incredibly consistent with Google's surveillance capitalist
business model.[1] Wow. I'm thankful for Firefox.

\--

[1] "The Age of Surveillance Capitalism", by Shoshana Zuboff, reviewed here:
[https://www.theguardian.com/books/2019/feb/02/age-of-
surveil...](https://www.theguardian.com/books/2019/feb/02/age-of-surveillance-
capitalism-shoshana-zuboff-review)

------
kick
"Backdoor" this, "backdoor" that. Proprietary software company releases
proprietary software that allows them to spy on you, how shocking.

In which they sacrifice privacy to allow their ad network to target you
better. [https://www.blog.google/products/chrome/building-a-more-
priv...](https://www.blog.google/products/chrome/building-a-more-private-web/)

In which they explicitly track you more under the guise of protecting your
privacy. [https://github.com/jkarlin/floc](https://github.com/jkarlin/floc)

For every single claim Google makes about being pro-privacy, their definition
of privacy ("data shared between you and Google and no one more") is implicit.

It's a surveillance company that makes proprietary software to sell you ads.
As soon as you get that into your head, you'll be much less shocked.

"We personally get to track you" is not a unique stance, and it's far from a
backdoor. It's just another vile move from a surveillance company that's
pretty explicit that that's their goal.

~~~
JadeNB
Sure, the general pattern of behaviour is familiar, but I didn't know about
this specific manifestation, and now I do. What's the use of being so
dismissive about specific information on which one can act?

~~~
kick
It's not a backdoor! Calling random anti-consumer behavior a backdoor is the
privacy-equivalent of Godwin's law.

------
a3n
"It's only metadata."
[https://en.wikipedia.org/wiki/PRISM_(surveillance_program)#R...](https://en.wikipedia.org/wiki/PRISM_\(surveillance_program\)#Responses_to_disclosures)

------
_jal
I was fooled by Google for a while, thinking it was less evil than FB. They're
just a little smarter about their shittiness.

------
orthecreedence
I hate to say this, but duh. It's a closed-source browser made by an ad
company. What the hell do people expect?

------
CommanderData
We need the GDPR equivalent in the US.

------
bilekas
Jesus.. It gets better and better..

------
eitland
I haven't read this carefully enough to decide exactly how bad it is, but one
thing seems clear to me:

From what I see many techies are now aware and upset, and hardly anyone seems
to want to defend Google anymore.

I consider it more likely than not that Google will take some real beatings in
the years to come. Kind of like Microsoft was fined by the US and EU, forced
to advertise for competing browsers and ridiculed by Apple ads. On a case by
case basis I think some of this will be well deserved, some less so, but few
outside of employees and shareholders will cry.

I also _guess_ a lot of people, including certain owners and many in
management haven't deciphered the writing on the wall yet, and in that case
whatever comes next will be surprising.

~~~
glyxbaer
When I moved into IT almost 10-15 years ago, Google was one of the companies
that I adored (in a kind of naive way, but nevertheless..). Working at that
company has always been a dream of mine. They had the reputation for hiring
the best of the best engineers, with great benefits and work culture.

Meanwhile I'd hate to apply for them. Everything they do in terms of tracking,
etc. has become so vile and almost evil that even Microsoft has a better
standing among my peers..

Would love to hear some insight from ex employees on what changed on the
inside of that company, but from the outside it doesn't even seem to be the
same any more. Maybe they're just worse at hiding it..

~~~
thu2111
Well, I'm an ex employee. Actually nothing has changed inside the company.
"Tracking" as you put it isn't perceived as evil, it never has been, and for
good reasons. The only thing that's changed is people's perception of the
company and - very recent post 2016 political issues aside - that was mostly
driven by a sustained campaign by an angry media industry that wanted money
(see: link taxes).

Firstly, if tracking usage statistics or activity was actually evil then
everyone would hate it, desperately try to stop it and have tons of stories
about the horrors of it.

In fact what Google sees is:

1. Web apps are extremely popular although they all keep server side logs
that reveal every button click, every message you type, every email you send,
every search you do. Users routinely migrate from thick client apps that give
great privacy to web apps that give none whatsoever without batting an eye.

Hacker News readers in particular should understand this. It's overrun with
Silicon Valley types who build their entire livelihoods around "let me run
this program for you as a service". There's nothing special about Google in
this regard. The entire software industry has moved away from privacy in the
last 20 years because ...

2. Users rarely if ever use privacy features when they're provided, even when
they're heavily promoted. In fact, despite all the noise, hardly anyone cares.
For the vast majority convenience wins over privacy every time. But not just
convenience, also ...

3. Security trumps privacy. People say they like privacy, but they _hate_
getting hacked and tend to blame the service provider if it happens. They have
very little patience for explanations of the form "yes this attacker was
obviously not you and yes we had enough data to know that, but we didn't use
any of it ... for your own good!"

4. Users can't and won't give accurate feedback about what they value or what
their actual experience of using an app is like. This means A/B testing is
critical to avoid making bad business decisions. The heavy reliance on
experiments and data driven decision making is one reason tech firms tend to
steamroller their legacy competitors.

Google hasn't become evil over time. It's been doing A/B tests, keeping server
logs and writing unused privacy features since the company first began. All
that's changed is it got big and rich, so people - rightly - started to think
about its power more. But the hypocrisy is strong. The world is full of
companies collecting and using data for the benefit of their customers. It's
really only Google and Facebook that get the vitriol.

~~~
mafuy
Most people use default settings and have no idea about the software they are
using at all. "everyone would hate it" assumes people know about these things,
but they do not. Don't use this as a point.

ad 3), you make it sound as if it was one xor the other. This is sometimes the
case to some degree (like checking urls for phishing sites), but far from
always.

ad 4), it is not my problem as a user that you have trouble doing tests. If
you need information for your business, then spend the money and effort to
acquire it. Do not abuse your users without care. Your business case is not
more important than people's privacy. And if others do this to gain an
advantage over your business, don't whine, sue them.

When I was involved in user tests we had a lot of trouble due to our ethical
concerns, but we did not consider dropping these concerns.

edit: I may add that I'm German. We were taught about the value of privacy in
our history. "boring statistics about religion" led to the murder of hundreds
of thousands of Jews. Disregard for privacy led to the atrocious human rights
violations in Eastern Germany. I cannot understand why Americans, who
explained this to us Germans after WW2, apparently forgot all about the
_reason_ for privacy.

~~~
pb7
>hundreds of thousands

Millions.

------
deeblering4
I see people recommending Firefox, but I'll say that for mac users Safari is a
very usable browser too. It's quite fast, and to my knowledge is not
collecting/sharing my personal data with apple.
[https://www.apple.com/privacy/](https://www.apple.com/privacy/)

These days I only use chrome for the g-suite tools that seem to require it to
avoid mid-meeting crashes.

~~~
chatmasta
Safari on iOS is great. Safari on Mac is underwhelming and sucks.

My biggest gripe is I can’t update it without updating the entire OS. Also,
dev tooling is really bad. God help you if you ever need to unregister a
service worker.

~~~
pb7
For non-developers, which is most people, those are non-issues. Safari is
excellent for the things that matter: speed, power usage, and integration with
the rest of the Apple ecosystem.

~~~
chatmasta
Agreed. Although Firefox is probably better for general purpose browsing if
you are a non-dev power user, especially one who cares about ad blocking.

The integration is a good point.

------
DangerousPie
If you haven't used Firefox in a while you should really give it another
chance. It has vastly improved in terms of CPU and battery usage. It also has
a lot of great privacy-enhancing features like tracking protection enabled by
default and extensions like Facebook Container make it trivial to prevent
tracking even further.

~~~
tapoxi
Or just use Ungoogled Chromium, and get the performance advantage of Chrome
without the tracking.

~~~
DangerousPie
Is there actually still a performance advantage these days? Would be curious
to see some benchmarks.

I will say that Gmail/Hangouts feels faster in Chrome but that's obviously not
a fair comparison.

~~~
autonomuzw
Yes, there is definitely a performance advantage especially on mobile. see for
example some benchmarks for brave browser, and also a couple of recent tests
for desktop browsers.

[0] [https://brave.com/brave-one-dot-zero-performance-
methodology...](https://brave.com/brave-one-dot-zero-performance-methodology-
and-results/)

[1] [https://brave.com/brave-saves-batteries/](https://brave.com/brave-saves-
batteries/)

[2] [https://venturebeat.com/2020/01/15/browser-benchmark-
battle-...](https://venturebeat.com/2020/01/15/browser-benchmark-battle-
january-2020-chrome-firefox-edge-brave/view-all/)

[3]
[https://linuxreviews.org/Web_Browser_Showdown:_Six_Browsers_...](https://linuxreviews.org/Web_Browser_Showdown:_Six_Browsers_On_Four_Computers)

~~~
cdubzzz
The conclusion of the linuxreviews article doesn’t really make a strong case
for any major difference between the browsers —

 _It is hard to declare an absolute winner. Brave and Chromium, seem to be the
overall winners but Pale Moon, SeaMonkey and Firefox are not bad choices if
you never visit pages with fancy WebGL or WebAssembly ever. Chromium may be
the best choice if you watch a lot of video on a laptop if your distributions
Chromium package has the hardware video acceleration patches._

Lots of “ifs” in there for all conclusions.

------
8ivek
Got this from google white paper: "run Chrome with the command line flag
"--reset-variation-state" to reset the value."

I tried this and my "x-client-data" header changed.

------
bamboozled
You should also donate to Mozilla because it’s an insanely good piece of
software for the price!

~~~
kick
Firefox should definitely be used, but donating to Mozilla is a mistake. They
waste a lot of it, their executive compensation rates are way too high
(especially given that MoCo just laid off employees), and Mozilla still hasn't
kept up with promises they gave years ago (that Pocket is still proprietary
being a notable and depressing example).

Donate to smaller developers of software you use, it'll go a lot further, and
they'll probably put it to better use!

~~~
kevlarr
Donations go to Mozilla "the non-profit organization" rather than Mozilla "the
corporation".

Mozilla (the corporation) has the typical/bad corporate structures and
ridiculous executive compensations. Mozilla (the corporation) had the layoffs.
Mozilla (the corporation) bought Pocket with money that comes from deals with
search engines.

That being said, though...

> Donate to smaller developers of software you use, it'll go a lot further,
> and they'll probably put it to better use!

... is still a great point.

(Updated this because "Mozilla, Org" and "Mozilla, Inc" were inaccurate)

~~~
kick
The Mozilla Foundation controls and owns the Mozilla Corporation, and the
executive structure looks more or less the same. Baker's compensation has been
inversely tied with performance, and she runs both.

~~~
frandroid
> Baker's compensation has been inversely tied with performance

You've mentioned this twice in the thread now. "Inversely tied" is quite a
strong and unusual claim for compensation. Care to prove it?

~~~
kick
Happily!

2.5 million, 2018:

[https://assets.mozilla.net/annualreport/2018/mozilla-2018-fo...](https://assets.mozilla.net/annualreport/2018/mozilla-2018-form-990.pdf)

2.3 million, 2017:

[https://assets.mozilla.net/annualreport/2017/mozilla-2017-fo...](https://assets.mozilla.net/annualreport/2017/mozilla-2017-form-990.pdf)

1 million, 2016:

[https://assets.mozilla.net/annualreport/2016/2016_Mozilla_Fo...](https://assets.mozilla.net/annualreport/2016/2016_Mozilla_Foundation_Forms_990_Public_Disclosure.pdf)

<1 million, 2015:

[https://static.mozilla.com/moco/en-
US/pdf/2015_Mozilla_Found...](https://static.mozilla.com/moco/en-
US/pdf/2015_Mozilla_Foundation_Forms_990_Public_Disclosure.pdf)

Firefox market share has been in decline (30% to <5%) for over a decade now:

[https://upload.wikimedia.org/wikipedia/commons/6/61/StatCoun...](https://upload.wikimedia.org/wikipedia/commons/6/61/StatCounter-
browser-ww-monthly-200901-201905.png)

~~~
frandroid
That's not "tied", which would imply a contractual relationship...

~~~
kick
That's malarkey. Tied is _not_ exclusively used to imply a "contractual
relationship," and that's (if anything) a minority-usage of the idiom of tied
to/with.

~~~
ameister14
I think you probably should have used 'associated with' instead of 'tied to'
as when discussing remuneration contractual ties is not a minority usage of
the idiom.

~~~
eganist
I'm not Kick, but while you're correct that "associated with" would've been
better for clarity, no reasonable person would assume that "inversely tied"
describes a contractually mandated drop in performance for an increase in pay
(my other comment here links to dictionary.com and thesaurus.com, both good
references for this discussion). Couple that with the generally accepted usage
of 'tied' and the usage by Kick was correct, if perhaps ambiguous to a narrow
population.

~~~
ameister14
Kick's usage is correct except within the business world and especially
financial and executive populations, which, while admittedly narrow, are what
we were discussing. When you say that an executive's pay is tied to the
company's performance, within these communities it's generally understood that
this is a contractual relationship.

ex. "John's salary is tied to performance - if the company is valued at over
100 billion, he'll get another 5% stock" etc.

or "bonuses are tied to performance milestones"

If you are simply observing that an executive's pay rises while performance
falls, associated is a clearer term.

------
reaperducer
I don't understand why Google and some other tech companies use their users as
involuntary, unpaid guinea pigs. No consent. No opt-out.

What's the motivation? Is it simple laziness because they don't want to deal
with wetware? Is it afraid that if people knew what was happening they
wouldn't be happy? Google has eighty brazillion employees it can test new
features on.

~~~
w0m
... what?

If you aren't paying for it; you are the product. Simple.

~~~
Iolaum
Nowadays you are the product even if you pay. (E.g. Subscription news sites
including trackers on subscribed users, smartTVs siphoning data etc)

~~~
Agenttin
Thing is the TV's you're only half the customer. That's why the TV's have
gotten so cheap, the extra revenue stream from selling data. You can't even
buy a dumb TV any more.

~~~
deathanatos
My gas pump feeds me ads while I pump gas that I paid for.

T-mobile sends me ads over SMS that I paid for.

JetBlue serves ads to paying passengers on the seat-back displays.

I hear Windows has ads now, but I got off that ship a while back.

Being the customer is no longer sufficient; companies have figured out that
they can make more money by charging you _and_ serving you ads.

------
marriedWpt
Ahh the good ol HN "stop using Google and start using Firefox" advertisement.

It's a bit odd to see this in every Google thread.

Btw, Firefox is too slow.

~~~
fortran77
It's not odd at all. It's what the folks at Mozilla do. They jump in to every
thread to push Firefox and Rust and make people think it's more widely
used/better than it is.

~~~
falcolas
Not everything is a conspiracy. I'm not a Mozilla employee, have never been
one (probably never will be one). Firefox is awesome, fast, and extensible.
It's my daily driver for all of my machines.

~~~
bonestamp2
Side question: I've been trying to switch to firefox as my main browser but
one thing is holding me up. When I'm using a private window, cookies are not
shared between private tabs. I can see the advantage to that behavior, but is
there a way to share them so that I can be logged into the same site in
multiple private tabs? Unironically, I haven't had any luck googling this
problem.

~~~
falcolas
If you open a new tab from an existing tab, your session persists across tabs.
So, for example, middle clicking on the Hacker News logo will preserve your HN
session across tabs.

~~~
bonestamp2
Huh, this is how I expected it to work and it does work for hacker news but it
doesn't work for one site I want it to work for. I'll have to dig deeper,
thanks.

------
Ohn0
What a mess

------
nacho2sweet
Break this company up.

------
jgon

      U S E  F I R E F O X
    

That is all.

------
dathinab
>It's a unique ID to track a specific Chrome instance across all Google
properties.

>Really curious about your opinion, especially after the GDPR explicitly
forbidding such tracking.

>Moreover, it doesn't make sense to anonymise user-agent if you have such
backdoor

Oh, but it does make sense because with this everyone _but_ google will have a
harder time tracking people :\

------
cs702
Doubtlessly, this will be rationalized and justified as being necessary for,
and in the best interest of, consumers...

...but inevitably, it _will_ be used for tracking -- regardless of intent.

It might also get Google in trouble. Copying and pasting from a comment in
the OP's URL:

 _> Example: [https://www.youtube.com](https://www.youtube.com) \- in network
headers, look for x-client-data

> Now, go to [https://ad.doubleclick.net/abc](https://ad.doubleclick.net/abc)
> \- and your browser also sends this magic x-client-data.

> It's a unique ID to track a specific Chrome instance across all Google
> properties.

> Really curious about your opinion, especially after the GDPR explicitly
> forbidding such tracking. Moreover, it doesn't make sense to anonymise user-
> agent if you have such backdoor._

~~~
floatingatoll
This comment is unreadable on mobile.
[https://i.imgur.com/jFusqw0.png](https://i.imgur.com/jFusqw0.png)

Could you please remove the four-space indent? You can wrap each paragraph in
* ... * if you want to italic them.

~~~
cs702
Fixed. Sorry about that. Thank you for letting me know!

~~~
floatingatoll
No worries :)
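
Added example (not part of any comment in this thread, and not Google's or Chromium's code): a script that runs the check quoted in cs702's comment above against a HAR file exported from the DevTools Network panel, listing which hosts received the same x-client-data value and decoding it. The protobuf field numbers (1 and 3) are an assumption based on Chromium's ClientVariations message, and the sample HAR and its header value are constructed.

```python
"""Audit a DevTools HAR export for Chrome's X-Client-Data header."""
import base64
import json
import sys
from urllib.parse import urlsplit

# Assumption: field numbers follow Chromium's ClientVariations message
# (1 = variation_id, 3 = trigger_variation_id); the thread does not state them.
FIELD_NAMES = {1: "variation_ids", 3: "trigger_variation_ids"}


def _read_varint(buf, pos):
    """Decode one protobuf varint at buf[pos]; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def decode_client_data(header_value):
    """Return the variation IDs carried in a base64 X-Client-Data value."""
    text = header_value.strip()
    text += "=" * (-len(text) % 4)              # tolerate stripped padding
    buf = base64.b64decode(text, validate=True)  # raises ValueError subclass
    out = {name: [] for name in FIELD_NAMES.values()}
    pos = 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field, wire_type = key >> 3, key & 7
        if wire_type == 0:                       # one varint per tag
            value, pos = _read_varint(buf, pos)
            values = [value]
        elif wire_type == 2:                     # packed run of varints
            length, pos = _read_varint(buf, pos)
            chunk = buf[pos:pos + length]
            if len(chunk) != length:
                raise ValueError("packed field overruns the buffer")
            values, inner = [], 0
            while inner < len(chunk):
                value, inner = _read_varint(chunk, inner)
                values.append(value)
            pos += length
        else:
            raise ValueError(f"unexpected wire type {wire_type}")
        if field in FIELD_NAMES:
            out[FIELD_NAMES[field]].extend(values)
    return out


def audit_har(har):
    """Group request hosts by the X-Client-Data value they were sent."""
    by_value, all_hosts = {}, set()
    for entry in har.get("log", {}).get("entries", []):
        request = entry.get("request", {})
        host = urlsplit(request.get("url", "")).hostname or "?"
        all_hosts.add(host)
        for header in request.get("headers", []):
            # HTTP/2 captures show the name in lower case, HTTP/1.1 may not.
            if header.get("name", "").lower() == "x-client-data":
                by_value.setdefault(header.get("value", ""), set()).add(host)
    with_header = []
    for value, hosts in by_value.items():
        try:
            decoded = decode_client_data(value)
        except ValueError:
            decoded = None                       # keep the raw value anyway
        with_header.append(
            {"value": value, "hosts": sorted(hosts), "decoded": decoded})
    tagged = set().union(*by_value.values()) if by_value else set()
    return {"with_header": with_header,
            "without_header": sorted(all_hosts - tagged)}


# Constructed sample in HAR 1.2 shape; the header value is made up
# (variation IDs 1 and 300, trigger variation ID 2), not a captured one.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://www.youtube.com/", "headers": [
        {"name": "x-client-data", "value": "CAEIrAIYAg=="}]}},
    {"request": {"url": "https://ad.doubleclick.net/abc", "headers": [
        {"name": "X-Client-Data", "value": "CAEIrAIYAg=="}]}},
    {"request": {"url": "https://example.org/", "headers": [
        {"name": "accept", "value": "*/*"}]}},
]}}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            har_data = json.load(handle)
    else:
        har_data = SAMPLE_HAR
    print(json.dumps(audit_har(har_data), indent=2))
```

Run it with the path of a saved HAR file as the only argument to compare browsers or profiles; with no argument it reports on the constructed sample.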

------
owaislone
I visited my family a couple of weeks ago and was shocked when my father told
me that his phone 'received' some of our photos. I checked and a huge chunk of
whatsapp photos that were backed up by my wife's phone had ended up in my
dad's Google Photos account. I discounted it as my wife accidentally sharing
the whatsapp folder with my dad but now I'm not so sure.

~~~
Cthulhu_
Yup, that's one of the issues you'll get with interlinked accounts; in this
case, Whatsapp backs up / stores photos automatically to your phone's photo
gallery, and said photo gallery is automatically synchronized with the cloud.

I don't know exactly what's going on with your wife's / your father-in-law's
accounts though, are they sharing Google accounts, photo albums, or were the
photos shared in the same whatsapp group?

~~~
owaislone
> are they sharing Google accounts, photo albums, or were the photos shared in
> the same whatsapp group?

None of these. They don't share any accounts. I don't share any account with
my father either. Me and my wife use the shared gallery feature. The photos
that ended up on my father's phone were shared by me and my wife with each
other on whatsapp. I suspect either mine or my wife's gallery somehow "leaked"
into my father's even though none of the accounts have any connections AFAICT.
Probably we clicked some share button somewhere accidentally but I couldn't
find any shared galleries on any of our phones.

------
dazbe
Wow, I didn't think sensationalist headlines were allowed on HN. I'm guessing
mods are asleep or just don't care anymore.

Edit: If the mods are listening, I've come up with an alternative title for
you:

"The Evil GOOGLE Has Installed a MALICIOUS BACKDOOR On All Chrome Users
Machines To Sell PERSONAL DATA to RUSSIAN HACKERS on the DARK WEB".

This will surely get the clicks now. You can thank me later.

~~~
dang
The mods were asleep. That happens sometimes.

If you really want to help, suggesting an accurate and neutral title,
preferably using representative language from the article itself, is a great
way to do that. We don't know enough to get it right in every case, even when
awake.

