I was surprised that the post doesn't contain any example user agent strings for a sample of how they are expected to look starting from the different milestones.
Maybe it can be removed altogether with a small whitelist of exceptions.
general.useragent.override, String, leave empty
In the interest of fingerprinting a server would request this every time.
> It provides the information in small increments, so servers are only exposed to the information they need and request
Then the server would need and request the most comprehensive list possible in order to fingerprint someone with better granularity than a UA string could.
I'm not against this as I appreciate the value of this kind of information for the developers. It would be done one way or another. But why is this billed as mainly a privacy move? Nothing suggests it intrinsically offers better privacy when facing a website configured to fingerprint you. It actually looks like it gives even more granular info over which the user has less control than they used to with the UA.
How do I know which (binary) download to offer my users?
Edit: How do I provide reasonable defaults when the user’s OS actually matters?
That’s a load of horseshit if I’ve ever heard it.
iOS users will almost always install apps via the AppStore. Most Windows-users are probably not interested in a DMG. Are you really going to argue against that?
I agree that taking away options based on OS-detection is a seriously nasty UX anti-pattern though.
It may be true in the case of iOS and Android, because they are so locked down. However, on more powerful platforms, which Windows, Mac and Linux are, it isn't. I may want to run it in a VM, or not install it, but place it somewhere on a shared drive, or anything that a non-handicapped OS is capable of facilitating, and many of these things will mean I will want a binary not meant to be run by my native OS. Sometimes it happens that one of my devices will break and so I want to use another one to download something that will help me fix the issue. But now I'm going to have to go full Sherlock Holmes on a website that thinks it knows better what I'm looking for.
Regular users are not technical and if you ask them to make a choice based on technical matters (Windows, Mac, Linux, Apple AppStore, Android AppStore, Chrome WebStore, whatever), where you instead could have had -1 clear choice- already presented by default in a big nice button, you will lose conversions or increase tech-support costs.
The evidence for this is so overwhelming that knowingly trying to ignore that makes it look like you have an agenda or horse to grind.
Perhaps you should propose a feature detection for it. It could look like the media source API for resolutions and formats for web video - except the same for binary formats for software.
In what other places of application development should we also stop providing reasonable defaults and force the user to choose instead?
- country? city?
- number for local support hotline?
- email of logged in user?
- type of currency for payments?
No? Then why is having a reasonable default for downloads bad?
But anyways, the service should not make it difficult to download if it detects a wrong computer; it should allow it always, and should not be so difficult by trying to hide it.
- Chrome is still shipping with 3rd party cookies turned on by default (Safari and Firefox have them off, by default)
- Chrome on mobile automatically shares your location with your default search engine i.e. Google
- Chrome sort of forces a login …which shares browser and user details history with Google
- Google redirects logins through the youtube.com domain to enable them to set a cookie for YouTube as well as Gmail or whatever, every time you log in. Naughty stuff.
So the stated reason for the change doesn't appear to make sense, suggesting that something else is going on.
It amazes me that more people aren't calling Google out on this.
That's unsubstantiated and dilutes the discussion IMO. If you read the post, the proposal outlines a bunch of good reasons to stop supporting UA strings (feature detection, etc.).
This doesn't get more true by just repeating it over and over. If you log in to Google it'll show up in Chrome next to the address bar but it doesn't enable any syncing to Google servers. That's a different step and it requires opt-in. You can also use Chrome without logging in to any Google services.
I don't get why privacy advocates, who often have a point when talking about Google, have to rely on FUD.
Anyway, Google is a big company. Different teams have different priorities. Does the US government care about privacy? Depends - at the very least - whether you're the NSA or the FTC. Given the many signs in the past that parts of Google are willing to fight other parts of Google they disagree with, I think a better strategy for us as the community is to call the Chrome team out, specifically, on things under their control and otherwise not be excessively cynical about the fact that they along with a hundred thousand other people work for Google, and some of those other people are bad.
(Automatic login to Google is a thing I think we should call them out for, to be clear.)
This all-or-nothing mindset ends up harming privacy in practice.
That would be checkmate for all other advertisers.
I'm just not sure whether it's good or bad that antitrust regulators won't notice before it's too late.
I'll take that benefit even if it tilts the advertising table in favor of Google. I don't care even a little about the overall health of the advertising/marketing industry.