Google's Chrome team, advancing its web privacy effort, later this year will begin testing the "privacy sandbox" proposals it unveiled in 2019. The Chrome tests, which Google announced Tuesday, are part of an effort to make it harder for publishers, advertisers and data brokers to harvest your personal data without your permission and to track you online.
Other browsers, including Apple's Safari, Brave Software's Brave, Mozilla's Firefox and Microsoft's new Chromium-based Edge, have pushed steadily to cut tracking for the last few years. Google's privacy sandbox plan came later in the process, but carries enormous importance given that Chrome dominates browser usage, accounting for 64% of web activity, according to analytics firm StatCounter.
Google's announcement effectively puts websites on notice: The most-used browser is going to start changing the way the web works, so you'd better prepare.
If Google's changes materialize as planned, "the web becomes inherently privacy preserving," said Justin Schuh, a director of Chrome engineering. "The concrete difference is you don't have people collecting this information on you, building profiles without your consent."
For details on the Chrome changes and the schedule Google plans to make them, you can check Google's blog post.
Although Chrome's browser rivals and other critics have taken issue with some of Chrome's privacy sandbox ideas, it's clear the overall attitude among browser makers has shifted toward protecting your personal information. Facebook's Cambridge Analytica scandal helped raise awareness for privacy, and it's become an issue for regulators.
For browser makers, it's now a matter of figuring out the best way to protect your data. Chrome's privacy sandbox includes an upper limit on the data a website can harvest, called a "privacy budget;" a "trust token" that can help websites separate you from bots, spammers and untrustworthy actors without having to track you personally; tools to group people by their interests but without invading privacy; and a way for websites to communicate without knowing your internet address.
In Chrome's case, Google also needs to figure out how to protect the data without damaging its online business, which relies on ads.
Google's online ad business
Google is an online ad giant that keeps detailed profiles of people and uses that information to target ads. Google hopes that targeted ads are more relevant to users, which should generate more revenue for the company.
Google's privacy sandbox ideas -- a collection of proposed standards and other technologies -- are designed to offer online companies a path forward, Schuh said. "Let's get rid of those old mechanisms and replace them with new ones that are privacy preserving by default," he said.
One of the key changes will be to cookies -- the text files that websites and their online partners can store in your browser. Cookies can be convenient, for example letting you set language preferences or keeping you logged into a site so you don't have to constantly sign on. But cookies can also be used to track your online behavior, especially third-party cookies that are placed by partners, not the website operator.
Phasing out third-party cookies
For example, you might visit a news website that shows ads that have third-party cookies to track whether you click on messages supplied by other companies. The cookies let companies track your activity across a wide range of sites. And they can use them to "retarget" ads, or show you the same ads even as you move around the web. If you visit a company's website and later see an ad for it on Twitter or Facebook, cookies -- especially third-party cookies -- are likely the reason why.
Third-party cookies could meet their end, though. Google plans to phase out support in Chrome within two years. "We need to call out the timeline so we can start making real progress," Schuh said. "By default, a website will not be able to ID you or track you across multiple visits."
Achieving consensus with publishers, advertisers, browser rivals and others who use the web won't be easy. But the privacy agenda is moving forward. "We are at the stage of proving out or solutions," Schuh said.
Scrapping decades-old browser IDs
With the crackdown on cookies, some web developers have embraced an alternative called fingerprinting to try to track people. It works by gathering data like a browser's identification text and the features it supports. With enough data points, a tracker can establish digital "fingerprints" that identify people.
Browser makers are working to curtail fingerprinting, and Google announced a doozy of a step in this direction on Tuesday: It'll stop updating Chrome's "user-agent string," the identification text that browsers use to tell websites their version details and what operating system they're running on. There's now a more privacy-sensitive alternative in development called client hints, and Google will adopt that while "freezing" the user-agent string.
It's an obscure piece of web technology to be sure. But it carries outsized importance. It's existed for decades, mostly as a way to identify what features a browser has and therefore what web developers can take advantage of. It's an imperfect gauge of those abilities, though, and browsers challenging Chrome can struggle when websites reject them out of hand simply because they're not Chrome.
Thus, Google's attempt to effectively kill the user-agent string could actually boost Chrome challengers. The Vivaldi browser just last month abandoned its own user-agent string in favor of Chrome's, for example, and the Brave browser always has just used Chrome's. With no more user-agent string to count on, web developers will have a harder time rejecting non-Chrome browsers.
Originally published Jan 14, 8 a.m. PT.
Update, 9:14 a.m. and 11:57 a.m. PT: Adds details about Chrome freezing the user-agent string and link to Google blog post.