Brave browser concerned that Client Hints could be abused for tracking

The people at privacy-focused browser, Brave, have criticised an industry proposal it says would make it easier for websites to identify a browser using a passive, cookie-less technique called fingerprinting.

Called HTTP Client Hints, the proposal provides a standard way for a web server to ask a browser for information about itself. It comes from the Internet Engineering Task Force (IETF). This organization works with industry members to create voluntary standards for internet protocols, and it has a lot of power. It standardized TCP and HTTP, two of the internet’s foundational protocols. 

HTTP already offers a technique called proactive negotiation, which lets a server ask a browser about itself. This technique makes the browser describe its capabilities every time it sends a request, though. That takes too much bandwidth, says the IETF.

Client Hints makes things easier. It defines a new response header that servers can send whenever they like, asking the browser for information about things like its display width and height in pixels, the amount of memory it has, and its colour depth. 

The IETF says that Client Hints would make it easier for servers to deliver the right content for a browser. You wouldn’t want a massive picture delivered if you’re viewing on a mobile device, for example.

So Client Hints doesn’t seem to ask the browser for information that a server couldn’t already find by other means. And, in fact, in its security guidelines for those implementing the proposed standard, the IEFT urges them not to request any information to the server that isn’t available via other means (such as HTML, CSS, or JavaScript). 

This doesn’t mollify the team at Brave, though. It views Client Hints as yet another tracking method providing a way for browsers to serve up information about users. It says:

Brave is working on preventing websites from learning many of these values using JavaScript, while at the same time not breaking websites; adding Client-Hints into the browser platform would expose an additional tracking method to block and potentially make it even more difficult to maintain a usable, private Web.

Third-party delegation

Brave also dislikes another part of Client Hints: It lets a server instruct a browser to send its information to third parties (a process it calls third-party delegation). These other websites could include advertising networks serving up ads on a page.   

The Client Hints proposal also makes it easier for companies in between your browser and the website you’re visiting to know more about your device, warns Brave. It’s referring here to content distribution networks (CDNs). These are services that cache website content around the world so it’s closer to the people that read it, improving website performance. 

The IETF proposal urges developers to only deliver Client Hints to the website they’re viewing (the origin), rather than to third party sites that may interact with it. But these security guidelines are just that: guidelines. The technology itself won‘t stop unscrupulous sites from contravening them.

Brave points out that it is the server that opts to serve these requests, and that users don’t get to choose:

The browser won’t send the values unless the server requests them, but should provide them when the server does request them.

Opt-in mechanisms for the user themselves aren’t mandatory, apparently because it’s hard to explain. The IETF proposal says: 

Implementers MAY provide user choice mechanisms so that users may balance privacy concerns with bandwidth limitations. However, implementers should also be aware that explaining the privacy implications of passive fingerprinting to users may be challenging.

Ultimately, browser vendors will have the right to implement the standard or not, and Brave can do as it sees fit. Even if major browsers do opt to implement it, most have shown a willingness to hobble the standards if they’re abused for fingerprinting instead of the intended purpose.