Deal with Google Chrome User-Agent deprecation
Open, Medium, Public

Description

Background

Google Chrome is changing the way it shares user-agents for increased privacy of users. You can read more about it here: https://www.chromestatus.com/feature/5704553745874944

Google Chrome has released Client Hints to provide device information. This first release “is intended to allow for developers to experiment and provide feedback”: https://groups.google.com/a/chromium.org/g/blink-dev/c/-2JIRNMWJ7s/m/u-YzXjZ8BAAJ

Technical practicalities

How it works (simple overview)

  • A user sends a request to our site via their browser (e.g. “show me an article”)
  • Our server sends a response that includes the article and a header that asks the browser to send some user data on the next request
  • If the user makes subsequent requests (e.g. “show me another article” or “show me the editor so I can edit this article”) they will also include this user data

Differences from receiving the user agent string

  • The site asks explicitly for the information, meaning that this can be flagged up to the user
  • The site specifies which information it needs, out of this list
  • Browsers may legitimately decline to send the information (e.g. if considered unnecessary or if the site is asking for too much)
  • If the user only ever sends one request, we will not receive any extra data
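
The exchange described in the two lists above, as an added example (not code from this task or from CheckUser). `Accept-CH` and the `Sec-CH-UA-*` names are the real header names; which hints are requested, the function names and the sample requests are assumptions made for the illustration.

```python
import re

# Accept-CH and the Sec-CH-UA-* names are real header names; the choice of
# which hints to request is an assumption of this example.
REQUESTED_HINTS = ["Sec-CH-UA-Platform-Version", "Sec-CH-UA-Model",
                   "Sec-CH-UA-Full-Version-List"]

# One list entry: a quoted brand followed by a v="version" parameter.
# Brands may contain ';' or ',' (e.g. " Not A;Brand"), so no naive split.
_BRAND = re.compile(r'"((?:[^"\\]|\\.)*)"\s*;\s*v="((?:[^"\\]|\\.)*)"')

def response_headers():
    """Sent with every response so that the next request carries the hints."""
    return {"Accept-CH": ", ".join(REQUESTED_HINTS)}

def parse_brands(value):
    """Parse a Sec-CH-UA style list into [(brand, version), ...]."""
    return _BRAND.findall(value or "")

def client_record(request_headers):
    """Collect what the browser sent and list the requested hints it omitted."""
    h = {k.lower(): v for k, v in request_headers.items()}
    record = {"user_agent": h.get("user-agent"),
              "brands": parse_brands(h.get("sec-ch-ua")),
              "hints": {}, "missing": []}
    for name in REQUESTED_HINTS:
        raw = h.get(name.lower())
        if raw is None:
            record["missing"].append(name)  # first request, or browser declined
        elif name.endswith("-List"):
            record["hints"][name] = parse_brands(raw)
        else:
            record["hints"][name] = raw.strip().strip('"')
    return record

# Constructed sample requests (not captured traffic).
FIRST_REQUEST = {"User-Agent": "Mozilla/5.0 (constructed sample)"}
LATER_REQUEST = {
    "User-Agent": "Mozilla/5.0 (constructed sample)",
    "Sec-CH-UA": '" Not A;Brand";v="99", "Chromium";v="100"',
    "Sec-CH-UA-Platform-Version": '"12.0.0"',
    "Sec-CH-UA-Full-Version-List":
        '" Not A;Brand";v="99.0.0.0", "Chromium";v="100.0.4896.75"',
    # Sec-CH-UA-Model deliberately absent: the browser declined to send it.
}

if __name__ == "__main__":
    print(response_headers())
    for req in (FIRST_REQUEST, LATER_REQUEST):
        print(client_record(req))
```

The `missing` list is what lets a stored record distinguish "hint not sent" from "hint sent but empty", which matters when the data is later compared across requests.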

Rollout plan

Client hints is an experimental feature on Chrome 84, meaning that the browser will only send client hint data if the user has enabled Experimental Web Platform features (disabled by default).

| Google Chrome Stable Version | Stable promotion | What happens then? |
|---|---|---|
| Chrome 84 | July 14, 2020 | Sec-CH-UA Client Hints |
| Chrome 92 | October 6, 2020 | Audit site to understand where migration may be necessary |
| Chrome 95 | October 19, 2020 | Origin trial to experiment with Client Hints and provide feedback |
| Chrome 100 | March 29, 2022 | Deprecation trial (opt-in) |
| Chrome 101 | April 26, 2022 | Reduced Chrome version number rollout |
| Chrome 107 | October 25, 2022 | Reduced Desktop User-agent string rollout |
| Chrome 110 | Feb 7, 2023 | Reduced Mobile User-agent string rollout |
| Chrome 115 | May 2, 2023 | Deprecation trial ends. Everyone receives reduced user-agents |

Chrome versions release schedule

Implications on CheckUser

User-agent strings are important pieces of information for checkusers and stewards in their work of detecting and blocking sock accounts. To continue to get that important data, we should implement support for client-hints on our end.

Even with client hints, the fingerprinting data may become unavailable to CheckUser in ways beyond our control (see Differences from receiving the user agent string). This should be discussed with checkusers.

Implications on privacy awareness

By actively asking for data, we expose Wikimedia to scrutiny over when/why we're asking for it. Anti-vandalism is an important reason. The vast majority of requests to our site don't result in making changes stored in CheckUser.

Fingerprinting for fighting vandalism is considered a legitimate but unfortunate use case, and may not always be supported in the future: https://github.com/WICG/ua-client-hints#fingerprinting

Investigations
Further reading

Event Timeline

@dbarratt Thanks for that summary. Seems accurate to me.

Stewards and checkusers have been talking about this project for a while (ever since Google's initial announcement). Trust-and-Safety requested the Anti-Harassment Tools team to pick up this project given the importance of this work in our anti-vandalism workflows.

I just wanted to quickly jump in and confirm this. We liaise quite frequently with community groups like the Stewards and other CheckUsers who consistently express concerns about the potential loss of this data, especially given this may jeopardise their existing anti-vandalism workflows.

Task description has been updated with more context following further discussions with AHT.

I'm flagging this for Analytics. This deprecation will probably impact how device classification for browsers works in a bunch of our stats tools, like this one.

@ovasileva @SCherukuwada @Jdlrobson @SWakiyama @CBogen @MarkTraceur @DVrandecic @CBlanton @Jdforrester-WMF probably good to have in at least a watching column. I got a ping to raise awareness. Others such as TProgM (hi @LGoto I saw you were already triaging a related task) or Product Analytics (hi @kzimmerman and others on task!) may broach this as well, but doing my part and raising awareness in case there are UX or feature detection or instrumentation pieces requiring attention.

I have updated the task to reflect the latest timelines as published by the Google Chrome team.

We are actively working on T257893: [EPIC] Support User-Agent Client Hints header in CheckUser and preparing for rollout to production wikis in the next weeks.

This task is somewhat open-ended; it's hard to know what would mark its completion. I would propose we close it in favor of tracking follow-up work with Google-Chrome-User-Agent-Deprecation.

For that reason, I will remove T257893: [EPIC] Support User-Agent Client Hints header in CheckUser as a subtask of this task. (If someone disagrees about organizing things in this way, please say so / change it back.)