The Rundown: Google Chrome’s IP tracking updates 

However, the online behemoth’s recent policy update, particularly around the timings of its rollout of a much-anticipated user consent prompt, hints at the continuation of the status quo for much of the remainder of the decade.

Of course, an undercurrent to this has been device fingerprinting, an issue that has generally been frowned upon by the sector, given concerns over the ethics of collecting user attributes such as a device’s operating system, language setting, and (more pertinently) IP address — see video below.   

A recent proposal from Google Chrome — a unit that works parallel to its Privacy Sandbox initiative — moots further protection measures for those using the web browser incognito by limiting the use of IP addresses in a third-party context. 

“To that end, this proposal uses a list-based approach, where only domains on the masked domain list (MDL) in a third-party context will be impacted,” reads a Github update outlining the measures.

What is the new policy proposal? 

Per the policy update, the aim is to minimize disruption to the normal operations of servers, including the use of IP addresses for anti-fraud and anti-spam use cases, “until there are alternative mechanisms in place when users are signed into their Google account in the Chrome browser before starting an Incognito session.”

What does this mean for third parties?

Destination origins on the MDL, i.e., third parties such as demand- and supply-side platforms, don’t see the client’s original IP address. Ergo, the IP addresses of the proxies cannot be used for cross-site identification.

The latest Github update reads, “We are using a list-based approach, and only domains on the list in a third-party context will be impacted.” This further clarifies that companies that serve, target, or measure the effectiveness of ads, i.e., “the collection of user data for ads, commerce or marketing related activities,” will be prohibited.

Here is a full list of the identified MDLs or companies impacted by the above update. The fact there are multiple Google entries on said list has been interpreted by some as part of the organization’s orchestrated to ward off any additional antitrust charges.

A mixed stance

Will Harmer, chief product officer at Utiq, a European-based telco-backed company in the ad targeting space, points out that the above proposal only applies to incognito sessions. He maintains that this reflects the increasingly obfuscated approach taken by the various teams within Google and how it simultaneously has to balance user protection with various business interests. 

While fingerprinting isn’t outright eliminated within Chrome, the changes make it less scalable, Harmer observes, pointing out that other divisions, such as Google Marketing Platform, have recently U-turned on their earlier “fingerprinting is bad” stance.  

Observers also point to Google Ads’ recent policy shift*, which effectively permitted fingerprinting, as a notable departure. This move upset privacy advocates and has others nervously wondering if further attitude shifts can be expected in the future.   

“Chrome’s approach to fingerprinting in incognito mode aligns user expectations of tracking in this environment with real-world application. However, the question is, really, will the IP address be obfuscated from regular Chrome browsing?” opined Wayne Blodwell, svp programmatic, Assembly Global, before concluding, “I expect not.”

He added, “Many cite the costs to proxy traffic as being too high to do it now, but the reality is the IP address serves multiple use cases (not just for ad tech), which, if removed, would be detrimental to user experience. I believe Chrome will continue to focus on managing user expectations of tracking types, in line with regulatory oversight, as opposed to proxying the IP address everywhere.”

The evolution of fingerprinting

Apple has been at the forefront of restricting tracking. In 2017, Safari introduced Intelligent Tracking Prevention (ITP) to block third-party cookies, prompting advertisers to turn to fingerprinting.

Related Insights

WTF Series

WTF is Apple’s Advanced Tracking and Fingerprinting Protection? Read More

Apple responded by limiting access to APIs commonly used for fingerprinting (Canvas API, WebGL), randomizing user-agent strings, and launching Private Relay to obfuscate IP addresses. Additionally, App Tracking Transparency (ATT), introduced in iOS 14.5, required explicit user consent for tracking.

Chrome and Privacy Sandbox

Meanwhile, Google, a business model that relies on advertising, took a more gradual approach.

In proximity to its 2019 Privacy Sandbox launch and bid to phase out third-party cookies while maintaining ad functionality, Chrome later introduced Gnatcatcher to obscure IP addresses and began restricting fingerprinting-related APIs.

In fact, at the time it stated that “unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.”

Hence, the furor over its policy shift has opened the door yet again to this most controversial marketing practice. Given Google’s political situation, some wonder if more twists and turns are on the horizon.

*Editor’s note: An earlier version of this story referred to a policy shift from Chrome that “which effectively permitted fingerprinting.” The policy shift was from Google Ads