Google Can Track Your Individual Chrome Browser Install ID
As I take steps to extract myself from Google (and others) ubiquitous tracking, I’ve been paying attention to anything related to Google’s Chrome browser. In my news feed yesterday, I came across this threaded discussion in Hacker News: Google tracks individual users per Chrome installation ID.
I was stunned to learn that every install of Chrome generates a unique ID just for you and it’s possible that Google is using this install ID to track us. As soon as you log in to any Google account with that new installation of Chrome, it’s also likely linked directly to your individual Google profile.
Not only is this completely “evil” on Google’s part if true and they’re using this ID for browser fingerprinting, but it also means it is a complete violation of Europe’s General Data Protection Regulation (GPDR) and would result in massive fines for the company.
In order to get a deeper sense of what was going on, I went out and did a bunch of online searching (using my now preferred search engine, DuckDuckGo, of course). There are dozens of developer and tech site articles and posts that helped me fully understand what is going on, and why developers (and those of us who care about security and privacy) are so upset, concerned, and making a huge fuss to get an answer out of Google.
“On Tuesday, Arnaud Granal, a software developer involved with a Chromium-based browser called Kiwi, challenged a Google engineer in a GitHub Issues post about the privacy implications of request header data that gets transmitted by Chrome. Granal called it a unique identifier and suggesting it can be used, by Google at least, for tracking people across the web.”
“Each and every install of Chrome, since version 54, have generated a unique ID. Depending upon which settings you configure, the unique ID may be longer or shorter.
Irrespective, when used in combination with other configuration features, Google now generates and retains a unique ID in each Chrome installation. The ID represents your particular Chrome install, and as soon as you log into any Google account, is likely also linked directly to your individual Google profile.
The evil next step is that this unique ID is then sent (in the “x-client-data” field of a Chrome web request) to Google every time the browser accesses a Google web property. This ID is not sent to any non-Google web requests; thereby restricting the tracking capability to Google itself.”
Google needs to address this and quickly. Just about every developer I know has abandoned Chrome and are using Firefox exclusively (as am I).