
User-Agent Client Hints June 2020 Update


6/4/2020 11:22 AM


How have the UA client hints specifications evolved since January 2020?

HTTP client hints are an experimental set of standards that enable a web server to ask a web browser to send additional HTTP header fields and values in subsequent requests. The development has been led by engineers from Google working on the Chromium web browser.

The HTTP client hints experimental standard was approved in May 2020 by the IETF and will expire in November 2020. The experimental standard now enables multiple browser vendors to create consistent implementations and determine how the concept works in practice.

The W3C is hosting an unofficial draft document that describes how User-Agent client hints might operate.

One such experiment is available in Google’s Chrome Canary nightly build. Simply enter the following into the browser address bar:

chrome://flags/#enable-experimental-web-platform-features

Change the feature to Enabled and restart Canary.

Visiting the 51degrees.com/me web page in Canary version 85 on a desktop device displays the following HTTP header fields on the second request:

Field             Value
sec-ch-ua         "\\Not;A\"Brand";v="99", "Google Chrome";v="85", "Chromium";v="85"
sec-ch-ua-mobile  ?0

This experimental version shows GREASE being applied to the User-Agent data. GREASE is random data added to the field value to reduce the probability of the value being used for statistical pseudonymous IDs, often called “fingerprinting”. Google’s stated objection to pseudonymous IDs is that they do not provide sufficient notice or choice to end users. However, instead of enabling people to more easily express their privacy choices associated with their content consumption, Google is instead focusing on determining which companies they will allow to continue to collect and process personal data.
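The sec-ch-ua value above carries a backslash, an escaped quote and a semicolon inside one quoted brand, so server code that splits the header on commas or semicolons will misread it. The following added example (not 51Degrees code; the function names are hypothetical, and it assumes parameter values are quoted strings as in the sample) parses the value character by character and looks up only the brands the caller recognises.

```python
# Added example. SAMPLE is the header value quoted in this article; names are hypothetical.
SAMPLE = r'"\\Not;A\"Brand";v="99", "Google Chrome";v="85", "Chromium";v="85"'

def _quoted(s, i):
    """Read a quoted string starting at s[i] == '"'; return (text, next_index)."""
    if i >= len(s) or s[i] != '"':
        raise ValueError(f"expected '\"' at offset {i}")
    out, i = [], i + 1
    while i < len(s):
        c = s[i]
        if c == "\\":                      # only \" and \\ are valid escapes
            if i + 1 >= len(s) or s[i + 1] not in '"\\':
                raise ValueError(f"bad escape at offset {i}")
            out.append(s[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated quoted string")

def parse_sec_ch_ua(value):
    """Return [(brand, {param: value}), ...] in header order."""
    brands, i, n = [], 0, len(value)
    while i < n:
        while i < n and value[i] in " \t":
            i += 1
        brand, i = _quoted(value, i)
        params = {}
        while i < n and value[i] == ";":   # parameters such as ;v="85"
            eq = value.find("=", i)
            if eq == -1:
                raise ValueError("parameter without '='")
            key = value[i + 1:eq].strip()
            params[key], i = _quoted(value, eq + 1)
        brands.append((brand, params))
        while i < n and value[i] in " \t":
            i += 1
        if i < n:
            if value[i] != ",":
                raise ValueError(f"expected ',' at offset {i}")
            i += 1
    return brands

def brand_version(value, brand):
    """Version of a brand the caller recognises; unknown entries are ignored."""
    return dict(parse_sec_ch_ua(value)).get(brand, {}).get("v")
```

Malformed values raise ValueError, so a request handler can treat an unparseable header as absent instead of trusting a partial result.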

There are many problems associated with the specification of User-Agent client hints. One of the chief issues with the current experiment is the lack of goals or any clear description as to how this technical change would better protect people. Moreover, the proposers of this change fail to discuss how the increased reliance on associating people’s content consumption activity with their non-resettable offline identity is somehow safer.

Until clear success goals can be properly documented it would be better to remove GREASE from the User-Agent client hints unofficial specification. Given the social benefits of user agent metadata to improve end user experiences and protect marketers from robot activity and fraud, 51Degrees APIs will continue to provide this useful data.

Beyond the need to document the experiment’s goals, the current experiment appears to restrict the values returned. This option is mentioned briefly in the Access Restrictions chapter of the unofficial draft. We can only assume at this stage that Google developers are experimenting with the implications of removing this data ahead of the privacy budget feature being added to future experiments.

Alternatively, this could just be a bug with the experiment. There are plenty of other bugs such as this one with the graphics display.

Canary 85 on Android 10 – 1st June 2020

In all other regards, the experiment appears to follow the analysis documented in our January 2020 blog post. Those wishing to try out client hints can do so at https://51degrees.com/me.

The current implementation of User-Agent client hints relies on at least three documents:

  • IETF HTTP client hints experiment
  • Unofficial draft of User-Agent client hints
  • Privacy budget – as yet unclear

Each of these documents on its own, when viewed from a certain perspective, might seem sensible. It is only when they are assembled into a complete implementation that the impact on the web from these restrictions becomes apparent.

Suppose the privacy budget makes client device metadata available to Google domains, as X-Client-Data has done, but not to other domains? Suppose the privacy budget will not respect people’s consent preferences and restrict client device metadata, or other important features? These questions relate to what end users want from the web. The IETF has recently documented these considerations in their paper “The Internet is for End Users”.

51Degrees CEO James Rosewell has led the authoring of a document providing success criteria for the Open Web within the W3C Improving Web Advertising Business Group.

While participation in the standards setting body is time-consuming, the high risk of a negative impact on the web due to underrepresentation warrants this investment. Even though many businesses do not have the resources to continuously follow the work of the engineers from a handful of US companies that control browsers, a short investment of time now can pay off. As 51Degrees has done, now is the time to “lean in” and join the debate if you value an open web and all the benefits it brings to innovation, competition, society, democracy, and free speech.

We will continue to document developments via these blogs and newsletters.