It’s common knowledge that Google has used their political, marketing and technical prowess to stop and co-opt effective ad blocking on the web. What hasn’t been clear until recently is how Google is using the Chrome web browser to track individuals, even when ad blocking and in-built tracking prevention is enabled.

Tracking three ways

Google recently invented a third way to track who you are and what you view on the web.

The first wave of web tracking worked via cookies. Each visitor to a page would be given a unique ID which would be stored within a browser cookie. Using third-party JavaScript tracking, this cookie was then cross-referenced and retrieved on pages you visited, even across different websites.

Eventually a profile of your browsing history would be created. Google (and other ad companies) then used this profile to determine the best ads to serve you, in order to prompt a click and a purchase.

However as cookie-based tracking became more obvious and intolerable, users employed ad blockers to prevent and block these cookies.

Consequently ad networks deployed a second way to track users called browser fingerprinting. Browser fingerprinting consists of collecting data about the configuration of your browser and system when you visit a site. This process can reveal a surprising amount of information about your software and hardware environment, and ultimately can be used to construct a unique identifier of you, called a browser fingerprint.

The browser fingerprint is then used to, once again, target advertising. In order to reduce the effectiveness of fingerprinting, some browsers like Safari have been changing how they identify the browser and its features to websites. This has effectively neutered this tracking approach.

With the first and second tracking approaches no longer as effective, Google has decided to up the ante and deploy tracking directly via its Chrome browser.

Chrome’s unique install ID

As an open-source project, it’s possible to view the source code for the Chrome web browser. Insightful contributors to the code have recently discovered an insidious third way that Google tracks you across the web.

Each and every install of Chrome, since version 54, have generated a unique ID. Depending upon which settings you configure, the unique ID may be longer or shorter.

Irrespective, when used in combination with other configuration features, Google now generates and retains a unique ID in each Chrome installation. The ID represents your particular Chrome install, and as soon as you log into any Google account, is likely also linked directly to your individual Google profile.

The evil next step is that this unique ID is then sent (in the “x-client-data” field of a Chrome web request) to Google every time the browser accesses a Google web property. This ID is not sent to any non-Google web requests; thereby restricting the tracking capability to Google itself.

As well as being immoral, this step may also be illegal (at least in privacy sensitive jurisdictions) as it’s retaining and sending personal identifiers without informed consent.

So every time you visit a Google web page or use a third party site which uses some Google resource, this ID is sent to Google and can be used to track which website or individual page you are viewing. As Google’s services such as scripts, captchas and fonts are used extensively on the most popular web sites, it’s likely that Google tracks most web pages you visit.

Unfortunately for users of Google Chrome, this third wave tracking identifier will not be removed by using VPNs or Chrome based ad blockers.

Who can you trust?

It has been repeatedly demonstrated that Google cannot be trusted with user privacy. Their business model depends upon tracking and surveilling web users.

For a user who wants online privacy, the only option is to use a web browser whose creators aren’t funded via advertising. Creators who aren’t incentivised to continually gather more information about you. Luckily there are a number of alternative options available including Firefox or Safari. If you’re still using Google Chrome, it’s time to switch to a browser that isn’t built to monetise your privacy.