Google backpedals on its earlier assurance that Chrome’s X-Client-Data header contains no personally identifiable (PI) information. Google stands accused of violating users’ privacy and of a possible breach of the GDPR.
Last month an article in The Register took Google to task over the X-Client-Data header sent by the Chrome browser. The article reported claims by Arnaud Granal, a software developer working on the Chromium-based browser Kiwi, that the header contains PI information. In a GitHub Issues post, Granal argued that the header amounts to a unique identifier.
Consequently, Granal maintained that not only was Google violating users’ privacy, but that Google was in breach of Europe’s GDPR.
Google responded to the claims by denying that the X-Client-Data header contains PI information. In a statement to The Register, a Google spokesperson said: “The X-Client-Data header is used to help Chrome test new features before rolling them out to all users. The information included in this header reflects the variations, or new feature trials, in which an installation of Chrome is currently enrolled. This information helps us measure server-side metrics for large groups of installations; it is not used to identify or track individual users.”
Although Google has not retracted its denial that the X-Client-Data header contains PI information, there has been an interesting development.
Google publishes the Google Chrome Privacy Whitepaper, which it says “…describes the features in Chrome that communicate with Google, as well as with third-party services…”. Since The Register’s article appeared, the whitepaper’s description of the X-Client-Data header has changed significantly.
Originally the information about the X-Client-Data header in the whitepaper was as follows: “A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome Variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.” In the latest version of the whitepaper, the text stating that the X-Client-Data header doesn’t contain any PI information has been removed.
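To make the dispute concrete, here is an added decoder for the header value (example code written for this article, not Google’s or Chromium’s own code). It assumes, on the basis of the Chromium source rather than anything on this page, that X-Client-Data is a base64-encoded ClientVariations protobuf made up of two repeated varint fields, variation_id (field 1) and trigger_variation_id (field 3). The sample value below is constructed with the included encoder from made-up ids; it is not a capture from a real Chrome installation.

```python
import base64
from typing import Dict, List, Sequence, Tuple

# Assumed layout (from Chromium's ClientVariations protobuf, not from this article):
#   message ClientVariations {
#     repeated int32 variation_id = 1;          # key byte 0x08 (field 1, wire type 0)
#     repeated int32 trigger_variation_id = 3;  # key byte 0x18 (field 3, wire type 0)
#   }
FIELD_NAMES = {1: "variation_id", 3: "trigger_variation_id"}


def _read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode one base-128 varint starting at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def _write_varint(value: int) -> bytes:
    """Encode a non-negative integer as a base-128 varint."""
    if value < 0:
        raise ValueError("variation ids are non-negative")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_client_variations(raw: bytes) -> Dict[str, List[int]]:
    """Parse a ClientVariations message body into its two repeated int32 fields."""
    out: Dict[str, List[int]] = {name: [] for name in FIELD_NAMES.values()}
    pos = 0
    while pos < len(raw):
        key, pos = _read_varint(raw, pos)
        field, wire_type = key >> 3, key & 0x7
        if wire_type != 0:
            # Only varint fields exist in this message; anything else is not X-Client-Data.
            raise ValueError(f"unexpected wire type {wire_type} for field {field}")
        value, pos = _read_varint(raw, pos)
        if field in FIELD_NAMES:
            out[FIELD_NAMES[field]].append(value)
        # Unknown varint fields are skipped, as a protobuf parser would do.
    return out


def decode_x_client_data(header_value: str) -> Dict[str, List[int]]:
    """Decode a raw X-Client-Data header value (base64; '=' padding optional)."""
    text = header_value.strip()
    padded = text + "=" * (-len(text) % 4)
    return decode_client_variations(base64.b64decode(padded, validate=True))


def encode_x_client_data(ids: Sequence[int], trigger_ids: Sequence[int] = ()) -> str:
    """Build a header value from id lists; used here only to construct sample input."""
    body = bytearray()
    for v in ids:
        body += b"\x08" + _write_varint(v)
    for v in trigger_ids:
        body += b"\x18" + _write_varint(v)
    return base64.b64encode(bytes(body)).decode("ascii")


# Constructed sample: three made-up variation ids and one trigger id, NOT a real capture.
SAMPLE_HEADER = encode_x_client_data([3300134, 3300135, 3314051], [3316617])

if __name__ == "__main__":
    print(SAMPLE_HEADER)
    for name, values in decode_x_client_data(SAMPLE_HEADER).items():
        print(f"{name}: {values}")
```

To inspect your own installation, copy the X-Client-Data value from the request headers of any request to a Google domain in the Network panel of Chrome’s DevTools and pass it to decode_x_client_data. What comes back is a list of integer trial ids, which is exactly what Google says the header is; the point of contention is whether the particular combination of ids an installation carries is distinctive enough to act as an identifier.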
Google’s Lack of Transparency
That Google may be tracking users through the X-Client-Data header is concerning in itself, but it is not the most important issue here: Google probably has other means of tracking users.
Of greater concern is that Google did not disclose what the header was being used for. If the header does identify an installation, users were being tracked without their knowledge, which is a violation of their privacy. Moreover, the original description of the header was inaccurate, and an inaccurate privacy disclosure is likely to have put Google in breach of its legal compliance obligations.
Blocking the X-Client-Data Header
The header cannot simply be switched off in Chrome; suppressing it would mean modifying the browser so that the X-Client-Data value changes every time Chrome is opened. Nor does routing traffic through a proxy, VPN or Tor help: the header travels inside the TLS-encrypted request to Google, so anything that only changes the network path delivers it unchanged, and Google can still recognise the installation. Note that because the header is only sent to Google-owned domains, a local test server will never receive it; to see it, inspect the request headers of a request to a Google domain in the Network panel of Chrome’s DevTools.
Users’ only real option is to stop using Chrome and switch to another browser such as Mozilla Firefox or Microsoft Edge, which do not send an X-Client-Data header to Google’s servers.