==== Background
Google Chrome is changing the way it shares user-agent strings to increase user privacy. You can read more about it here: https://www.chromestatus.com/feature/5704553745874944
Google Chrome has released [[https://wicg.github.io/ua-client-hints/|Client Hints]] to provide device information. This first release “is intended to allow for developers to experiment and provide feedback”: https://groups.google.com/a/chromium.org/g/blink-dev/c/-2JIRNMWJ7s/m/u-YzXjZ8BAAJ
==== Technical practicalities
**How it works (simple overview)**
* A user sends a request to our site via their browser (e.g. “show me an article”)
* Our server sends a response that includes the article and a header that asks the browser to send some user data on the next request
* If the user makes subsequent requests (e.g. “show me another article” or “show me the editor so I can edit this article”) they will also include this user data
**Differences from receiving the user agent string**
* The site asks explicitly for the information, meaning that this can be flagged up to the user
* The site specifies which information it needs, out of [[ https://wicg.github.io/ua-client-hints/#http-ua-hints | this list ]]
* Browsers may legitimately decline to send the information (e.g. if considered [[ https://wicg.github.io/ua-client-hints/#access | unnecessary ]] or if the site is asking for [[ https://github.com/bslassey/privacy-budget | too much ]])
* If the user only ever sends one request, we will not receive any extra data
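The exchange and the differences listed above, sketched from the server side. This is an added example, not MediaWiki or CheckUser code: Python is used only for illustration, the function names and the choice of requested hints are assumptions, and the header names follow the UA Client Hints draft linked above.

```python
import re

# Hints to request: an assumed selection, named as in the UA Client Hints draft.
REQUESTED_HINTS = ["Sec-CH-UA-Platform", "Sec-CH-UA-Platform-Version", "Sec-CH-UA-Model"]

# One Sec-CH-UA list member: a quoted brand followed by a v="..." parameter.
_BRAND = re.compile(r'"((?:[^"\\]|\\.)*)"\s*;\s*v="((?:[^"\\]|\\.)*)"')
_ESCAPE = re.compile(r'\\(.)')

# Constructed sample: headers of a second request from a browser that sent some hints.
SAMPLE_SECOND_REQUEST = {
    "User-Agent": "Mozilla/5.0 (constructed sample)",
    "Sec-CH-UA": '"Chromium";v="84", "Google Chrome";v="84", " Not;A Brand";v="99"',
    "Sec-CH-UA-Mobile": "?0",
    "Sec-CH-UA-Platform": '"Windows"',
}


def response_headers():
    """Header added to a response so that later requests may carry the hints."""
    return {"Accept-CH": ", ".join(REQUESTED_HINTS)}


def _unquote(value):
    """Return the content of a quoted string value, or None if it is not one."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return _ESCAPE.sub(r"\1", value[1:-1])
    return None


def parse_brands(sec_ch_ua):
    """Parse Sec-CH-UA into (brand, version) pairs; ';' and ',' inside quotes survive."""
    return [(_ESCAPE.sub(r"\1", b), _ESCAPE.sub(r"\1", v)) for b, v in _BRAND.findall(sec_ch_ua)]


def extract_client_data(request_headers):
    """Build the record for one request. Any hint may be absent (first request,
    or the browser declined), so the User-Agent string is always kept as well."""
    h = {k.lower(): v for k, v in request_headers.items()}
    record = {"user_agent": h.get("user-agent"), "brands": [], "hints": {}}
    record["brands"] = parse_brands(h.get("sec-ch-ua", ""))
    if "sec-ch-ua-mobile" in h:
        record["hints"]["mobile"] = h["sec-ch-ua-mobile"].strip() == "?1"
    for name in REQUESTED_HINTS:
        value = _unquote(h.get(name.lower(), ""))
        if value is not None:
            record["hints"][name] = value
    record["has_hints"] = bool(record["brands"] or record["hints"])
    return record
```

The brand list is stored as received, including the deliberately odd placeholder brand, because the server cannot tell which entries are real.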
==== Timeline
Client Hints is an experimental feature in Chrome 84, meaning that the browser will only send client hint data if the user has enabled Experimental Web Platform features (disabled by default).
| Google Chrome Stable Version | Stable promotion | What happens then? |
|----|----|----|
| Chrome 84 | July 14 2020 | [[ https://www.chromestatus.com/feature/5995832180473856 | Sec-CH-UA Client Hints ]] |
|~~Chrome 86 (?)~~ | ~~October 6 2020~~ | ~~[[ https://www.chromestatus.com/feature/5704553745874944 | Reduce User Agent string information ]]~~ |
Deprecation of the user agent string has been deferred [[ https://groups.google.com/a/chromium.org/g/blink-dev/c/-2JIRNMWJ7s/m/u-YzXjZ8BAAJ | until at least 2021 ]].
==== Implications on CheckUser
User-agent strings are important pieces of information for checkusers and stewards in their work of detecting and blocking sock accounts. To continue to get that important data, we should implement support for client-hints on our end.
Even with client hints, the fingerprinting data may become unavailable to CheckUser in ways beyond our control (see **Differences from receiving the user agent string**). This should be discussed with checkusers.
==== Implications on privacy awareness
By actively asking for data, we expose Wikimedia to scrutiny over when/why we're asking for it. Anti-vandalism is an important reason. The vast majority of requests to our site don't result in making changes stored in CheckUser.
Fingerprinting for fighting vandalism is considered a legitimate but unfortunate use case, and may not always be supported in the future: https://github.com/WICG/ua-client-hints#fingerprinting
This project is being discussed with the #trust-and-safety and #wmf-legal teams. The #anti-harassment tools team has been tasked with executing the technical work on this project.
==== Investigations
* {T258591}
* {T258592}
==== Further reading
https://github.com/WICG/ua-client-hints
https://web.dev/user-agent-client-hints/