Using Google Chrome? Then Google collects your data through X-client-data

Many people find Google services useful and easy to use, but they come with at least one important catch: constant monitoring of users and intensive collection and transmission of data about their activity.

Not all users can imagine what kind of data the company collects, or in what volumes. But many treat their privacy as a matter of principle, and some are ready to see a privacy violation even in the sending of a log with purely technical information. Sometimes truly advanced users take up the fight against Google.

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force: a law adopted by the European Parliament that tightened and unified the rules for protecting user data. The EU made this decision because of the growing number of large leaks of personal data collected by IT giants such as Google and Facebook. In practice, however, the law has affected not only EU citizens but the rest of the world as well.

Many Internet services operate in several countries and therefore try to meet the most stringent privacy requirements. As a result, the GDPR has become the de facto world standard.

So what about Google


On Tuesday, February 4, 2020, Arnaud Granal, the developer of the Chromium-based Kiwi browser, raised the issue of the transmission of a so-called “unique identifier” that Google Chrome generates during installation. Granal suggested that, at the very least, Google itself could use it.

He and some other users suggest that this is a backdoor that the company can use for its own purposes. In that case, one can speak of a violation of the GDPR, since this unique identifier can be considered data that makes it possible to uniquely establish the user's identity.

Google has not commented on the issue, and the company's official documents and other statements do not fully clarify the situation.

How it works


When the browser requests a web page from the server, it sends an HTTP request that contains a set of headers, which are key-value pairs separated by colons. These headers also determine the format in which the data should be sent. For example:

accept: text/html

For a long time (since at least 2012), Chrome has been sending a header called “X-client-data”, also known as “X-chrome-variations”, to test features under development. Google activates some of these features when the browser is installed. Information about them is displayed when you type chrome://version in the address bar of Chrome.

Variations:  202c099d-377be55a

According to line 32 of the Chromium source file, the X-client-data header sends Google information about the field trials for the current Chrome user.

“The Chrome-Variations (X-client-data) header will not contain any personally identifiable information and will only describe the installation options for Chrome itself, including active variations, as well as server-side experiment data that may affect the installation,” says the Google Chrome Features Guide.

However, this is not quite true.

For each installation, Google Chrome randomly generates a number from 0 to 7999 (up to 13 bits). This number corresponds to a set of randomly activated experimental features.

The more empty bits there are, the harder it is to build a browser fingerprint with a high degree of uniqueness, and vice versa. But if you combine this data with usage statistics and crash reports, which are enabled by default, then for most Chrome users you can still get fingerprints with fairly high accuracy.

The fingerprint “is determined by your IP address, operating system, Chrome version and other parameters, as well as your installation parameters,” Granal explains.

If you visit YouTube, for example, the request headers will include a line of the form:

X-client-data: CIS2yQEIprbJAZjBtskBCKmdygEI8J/KAQjLrsoBCL2wygEI97TKAQiVtcoBCO21ygEYq6TKARjWscoB

You can check this yourself: open the developer console in Google Chrome, switch to the Network tab, and then go to youtube.com or doubleclick.net, for example.
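Added example (not part of the original article and not Chromium's own code): a decoder for a header value copied from the Network tab. It assumes, based on Chromium's ClientVariations protobuf definition, which the article does not describe, that the value is a base64-encoded protobuf message in which field 1 carries active variation IDs and field 3 carries trigger variation IDs; the sample value is constructed.

```python
import base64

# Field numbers of Chromium's ClientVariations protobuf message. This layout
# is stated from knowledge of the Chromium source, not from the article.
FIELD_NAMES = {1: "variation_id", 3: "trigger_variation_id"}


def read_varint(buf, pos):
    """Decode one protobuf base-128 varint; return (value, next_position)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_x_client_data(header_value):
    """Base64-decode the header and list the variation IDs it carries."""
    raw = base64.b64decode(header_value, validate=True)
    ids = {name: [] for name in FIELD_NAMES.values()}
    pos = 0
    while pos < len(raw):
        tag, pos = read_varint(raw, pos)
        field, wire_type = tag >> 3, tag & 0x07
        if wire_type != 0 or field not in FIELD_NAMES:
            raise ValueError(f"unexpected field {field}, wire type {wire_type}")
        value, pos = read_varint(raw, pos)
        ids[FIELD_NAMES[field]].append(value)
    return ids


# Constructed sample (made-up IDs, not a captured header): two variation_id
# entries (1000, 200000) and one trigger_variation_id entry (300).
SAMPLE = base64.b64encode(bytes.fromhex("08e807" "08c09a0c" "18ac02")).decode()

if __name__ == "__main__":
    print(SAMPLE, decode_x_client_data(SAMPLE))
```

Comparing the decoded ID lists from two Chrome profiles or installations shows how much of the header is shared and how much differs per installation.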

According to Granal, only youtube.com, google.com, doubleclick.net, googleadservices.com and some other Google services have access to such identifiers, and only if the browser is not in incognito mode.

Best defense


If only Google has access to the X-client-data, this may indicate that the company protects user data from everyone except itself.

Lukasz Olejnik, an independent researcher and consultant on the protection of personal data, believes that this function can be used for personal gain, although it is quite possible that it was created to track technical problems.

“I believe that most users have no idea about this identifier, what it does and when it is used. And perhaps the problem is that the identifier remains constant and is not reset when the user clears the browser data. In this sense, it can be considered an imprint. [So far] the main risk is that data is sent to sites managed by only one organization.”

Granal notes that such a data transfer mechanism can be considered a vulnerability. The Chromium source code only checks against a predefined list of Google domains and does not check other domains. Therefore, an attacker can buy a domain, for example youtube.vg, and deploy a website on it to collect X-client-data headers.

Undocumented Features


In August 2017, Kaspersky Lab experts discovered a backdoor in NetSarang, popular software for managing corporate servers. The ShadowPad backdoor was found by analyzing suspicious DNS queries in the corporate network of one of the largest companies that had installed the software. Through the backdoor, attackers gained access to the confidential data of organizations using NetSarang.

The development company said that it knew nothing about this and that the malicious code had been introduced into its product by unknown attackers. However, after the backdoor was found, NetSarang's specialists eliminated the vulnerability suspiciously quickly.

Do companies often turn a blind eye to such undocumented features?

Source: https://habr.com/ru/post/undefined/

