Google Chrome will soon offer to hide your IP address for greater confidentiality and security. Google wants to protect user privacy, but also web security – Developpez.com

As browser providers strive to provide greater privacy for their users, the user’s IP address continues to enable linking of user activity across different origins, which would not otherwise be possible. This information can be combined over time to create a unique and persistent user profile and track a user’s activities across the web, posing a threat to their privacy. Additionally, unlike third-party cookies, there is no direct way for users to opt out of this type of covert tracking.

In addition to being used as a possible vector for tracking, IP addresses continue to play an essential role in routing traffic, preventing fraud and abuse, and performing other important functions for network operators and domains.

Therefore, any IP address protection solution must consider both user privacy and the security and functionality of the web. This proposal initially focuses on the contexts where IP addresses are most likely to be used as a tracking vector: third-party contexts.

IP address protection will evolve and expand over time as the ecosystem changes to continue protecting user privacy from cross-site tracking.

Cross-site tracking and the role of IP addresses

There are multiple definitions of the term “tracking” in the web ecosystem. Here we use Mozilla’s definition of cross-site tracking, because it has served as inspiration for other browsers’ policies.

Mozilla defines tracking as “collecting data about a particular user’s activity across multiple websites or applications (i.e., first parties) that are not owned by the data collector, and storing, using, or sharing data derived from that activity with parties other than the first party from which it was collected.”

Browsers reject cross-site tracking. For Chrome, this means phasing out third-party cookies and limiting fingerprinting while keeping the web healthy and vibrant. One way to limit fingerprinting is to limit sources of identifiable information such as IP addresses.

An IP address is an effective cross-site identifier because it is highly unique, relatively stable, and inexpensive to capture, and the browser cannot tell what a website does with it. It is therefore important to limit access to IP addresses in order to prevent cross-site tracking methods other than third-party cookies.

Given the impact of IP addresses on tracking, it makes sense to initially focus on third parties that have been identified as potentially using IP addresses for web-wide cross-site tracking. We will explore methods similar to those used by other browsers, as well as existing lists that identify these third parties.

Chrome’s increased focus on third-party tracking is a result of feedback on the Gnatcatcher proposal. Chrome wants to focus on the behaviours most likely to use IP addresses to track users across websites in ways that may not meet users’ privacy expectations. Chrome will work with the ecosystem to preserve privacy without disrupting important uses of IP addresses on the web.

Proposal

Chrome is reintroducing a proposal to protect users from cross-site tracking via IP addresses. The proposal is a privacy proxy that anonymizes IP addresses for the qualifying traffic described above.

Goals

  • Improve user privacy by preventing their IP address from being used as a tracking vector.
  • Minimize disruptions to normal server operations, including the use of IP addresses to combat abuse by third-party websites, until other mechanisms are put in place.

Privacy proxy

Basic requirements

  • The destination origin does not learn the client’s original IP address.
  • The proxy and network intermediaries are unaware of the content of the traffic.

To meet these requirements, this proposal prioritizes routing traffic to authorized third parties through the privacy proxy.

CONNECT and CONNECT-UDP (from the IETF MASQUE work) are used to carry the data traffic. An end-to-end encrypted TLS tunnel runs from Chrome to the destination server, so the proxy only relays ciphertext.

We are considering using two hops to improve privacy. A second proxy would be managed by an external CDN while Google would manage the first hop. This ensures that no proxy can see both the client IP address and the destination. CONNECT and CONNECT-UDP support proxy chaining.
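The two-hop chain described above, modelled as an added example (not Chrome’s code): each hop records only what it can observe, its TCP peer and the CONNECT target it is asked to reach. The proxy names and addresses are constructed placeholders, and nothing touches the network.

```python
"""Added illustration (not Chrome's code) of nested CONNECT tunnels through
two proxies. Proxy A sees the client IP but only B as the destination; proxy B
sees A as its peer and the origin as the destination, never the client IP.
All addresses below are constructed placeholders."""
from dataclasses import dataclass, field


@dataclass
class Hop:
    name: str
    addr: str
    peers: set = field(default_factory=set)    # who opened a connection to us
    targets: set = field(default_factory=set)  # what we were asked to CONNECT to

    def connect(self, peer: str, target: str) -> str:
        """Handle a CONNECT request: the hop learns its peer and the target."""
        self.peers.add(peer)
        self.targets.add(target)
        return f"{self.name}: HTTP/1.1 200 OK (tunnel to {target})"


def build_chain(client_ip: str, a: Hop, b: Hop, origin: str) -> list:
    """Return the CONNECT transcript for client -> A -> B -> origin."""
    log = [f"client {client_ip} -> {a.addr}: CONNECT {b.addr} HTTP/1.1"]
    log.append(a.connect(client_ip, b.addr))   # A sees the client, not the origin
    # The second CONNECT travels inside the first tunnel, so B's TCP peer is A.
    log.append(f"(via A) -> {b.addr}: CONNECT {origin} HTTP/1.1")
    log.append(b.connect(a.addr, origin))      # B sees A, not the client
    log.append(f"client -> {origin}: TLS handshake inside both tunnels")
    return log


def can_link(hop: Hop, client_ip: str, origin: str) -> bool:
    """True only if this single hop observed both the client IP and the origin."""
    return client_ip in hop.peers and origin in hop.targets
```

The `can_link` check is the property the two-hop design is meant to guarantee: it is false for both proxies, whereas a single proxy would see both ends.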

Anti-abuse

Proxying traffic to third parties raises several anti-abuse problems:

  • The proxy itself must be defended: a compromised proxy could be used to launch attacks.
  • Existing DoS defenses may be disrupted.
  • Existing defenses for detecting fraud and invalid traffic may be disrupted.

To limit proxy abuse, we consider the following non-exhaustive anti-abuse safeguards:

  • The user authenticates to the proxy
    • A user account is required for this
    • Authentication tokens are set and rotated by the proxy
  • The proxy must not be able to attribute traffic to a user account
    • Blind signatures are used for this
  • Limit abuse through the accumulation of authentication tokens
    • Limit the number of tokens per account
    • Token expiration

In addition to preventive measures, we also want to enable websites to report denials of service and other abuses. In addition, we are actively exploring new anti-abuse protections to enable third parties to prevent abuse and fraud.
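The token design in the list above (blind signatures so the proxy cannot attribute traffic to an account, a per-account cap, and token expiry), as an added example that is not Google’s code: textbook RSA blinding over a constructed, deliberately small key, with the `Issuer`, `request_token`, `redeem` and `issuer_can_link` names chosen here for illustration.

```python
"""Added illustration (not Google's code) of blind-signature proxy tokens: the
issuer signs a blinded value, so a redeemed token cannot be matched against
its per-account log, while a per-account cap and an embedded expiry still
limit token hoarding. Textbook RSA blinding over a constructed, tiny key."""
import hashlib, secrets
from math import gcd

# Constructed key from two known Mersenne primes: fine for a demo, useless in practice.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h(msg: bytes) -> int:
    """Hash the token into the RSA group (simplified full-domain hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

class Issuer:
    """Account-bound issuance: enforces a cap and logs only what it can see."""
    def __init__(self, cap: int = 3):
        self.cap, self.count, self.log = cap, {}, []

    def issue(self, account: str, blinded: int) -> int:
        if self.count.get(account, 0) >= self.cap:
            raise PermissionError(f"token cap reached for {account}")
        self.count[account] = self.count.get(account, 0) + 1
        self.log.append((account, blinded))   # blinded value only, never the token
        return pow(blinded, D, N)

def request_token(issuer: Issuer, account: str, now: int, ttl: int = 3600):
    """Client: mint a token with an expiry, blind it, get it signed, unblind it."""
    token = f"{now + ttl}|{secrets.token_hex(16)}".encode()
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:                     # blinding factor must be invertible
        r = secrets.randbelow(N - 2) + 2
    blinded = (h(token) * pow(r, E, N)) % N
    sig = (issuer.issue(account, blinded) * pow(r, -1, N)) % N   # strip r
    return token, sig

def redeem(token: bytes, sig: int, now: int) -> bool:
    """Proxy: accept only an unexpired token that carries a valid signature."""
    expiry = int(token.split(b"|", 1)[0])
    return now < expiry and pow(sig, E, N) == h(token)

def issuer_can_link(issuer: Issuer, token: bytes, sig: int) -> bool:
    """Does anything the issuer logged match the redeemed token or signature?"""
    return any(b in (h(token), sig) for _, b in issuer.log)
```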

GeoIP

IP-based geolocation is used by a variety of services in proxied third-party traffic to comply with local laws and regulations and to provide relevant content to users, such as content localization (e.g. language), local cache mapping and geographical targeting of advertising. To meet these requirements, the privacy proxy assigns IP addresses that represent the user’s approximate location, including country.

Longer term

Long-term solutions will be created and developed in collaboration with the ecosystem. We will work with ISPs, CDNs, third parties and destination sites to reach the end state for web privacy proxies. For example, ISPs and CDNs are well positioned to operate privacy proxies.

As IP Protection continues to evolve, we believe policy will play a role in the overall solution to the problem of websites circumventing it. If necessary, we will develop a policy and seek feedback from the ecosystem. Our intent in the proposal is to encourage web services to report their use and sharing of users’ IP addresses, taking into account the sensitivity of IP addresses as identifying data. By creating transparency around the use of IP addresses, we hope to promote industry accountability for the way IP addresses are accessed and used across the web ecosystem.

We welcome your comments on this proposal, particularly on some of the outstanding questions we are considering.