The Comprehensive Guide to Chrome's Privacy & Security Features and Settings

February 15, 2024

What Coca-Cola is to soft drinks, Google Chrome is to web browsers.

Created and maintained by Google, Chrome is feature-rich and fast. It radically altered the state of the web browser market in the early 2010s, taking over the lead position from Microsoft's Internet Explorer and triggering the decline of Mozilla Firefox. It's been the most popular browser ever since.

However, Google is also one of the largest advertising companies in the world, leaving some people wondering if their browsing behavior data is being sold to advertisers. Chrome's wide variety of privacy and security features therefore often comes under intense scrutiny.

In this article, you'll learn about Google Chrome's privacy and security features and, where relevant, how they compare to other browsers.

Chrome's Privacy Features

Let's take a look at Chrome's privacy features first.

Third-Party Trackers

Third-party cookies are one of the most notorious privacy-infringing mechanisms used in the industry. They are small pieces of text stored in your browser to identify your device anytime you visit a website that partnered up with that third-party advertising company.

For years, Google has been working on an alternative to third-party cookies and related tracking mechanisms that fulfills the needs of advertisers while preserving the user's privacy. In the first quarter of 2024, Google will phase out third-party cookies and replace them with features from their Privacy Sandbox, discussed below.

This feat is not without controversy. Chrome is very late to the party. Preventing third-party cookies from tracking users across websites has been a core feature of browsers like Safari, Firefox, and Brave for years. But the product team at Google needed to balance privacy against safeguarding one of the company's biggest advertising cash cows.

Privacy Sandbox and Interest-Based Advertising

The Privacy Sandbox is arguably the biggest privacy-related change to the browser industry in the history of the internet.

In the attention-based digital economy, Chrome's Privacy Sandbox APIs give the web browser a whole new role. According to this vision, browsers act on behalf of users to store and categorize their interests, sharing them with publishers to ensure users receive relevant advertising.

The sections below cover the technical aspects of the Privacy Sandbox that are related to privacy—namely CHIPS, Fenced Frames, the Topics API, the Protected Audiences API, and the Attribution API. Keep in mind that there are other features, but they're less related to privacy and more related to advertising and publishing.

Note: This discussion goes into the nitty-gritty of modern ad tech, so each section starts with a "tl;dr" to make it easy to follow along.

CHIPS

Tl;dr: Prevents trackers from collecting data related to your browsing behavior across multiple websites.

As mentioned, Google is finally joining its main competitors in blocking third-party cookies, and the mechanism of Cookies Having Independent Partitioned State (CHIPS) is how it's done.

Partitioned cookies ensure that cookies are stored in "a separate jar" for each website. This means that websites and third parties are only able to use a cookie when it's called upon in the context of that specific website. Third-party trackers are no longer able to assign a unique ID to a device and follow users and their devices across websites that partnered up with this tracker.
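To make the "separate jar" concrete, here is a small model of a cookie store, added as an illustration and not taken from Chrome's code. The hostnames, the `CookieJar` class, and the `idsSeenByTracker` helper are made up; `Partitioned` is the real `Set-Cookie` attribute that opts a cookie into CHIPS.

```javascript
// Constructed model of a cookie store; hostnames are made-up examples.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Parse "name=value; Attr; Attr=val" into the fields this model needs.
  static parse(header) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
    const eq = pair.indexOf('=');
    return { name: pair.slice(0, eq), value: pair.slice(eq + 1),
             partitioned: flags.has('partitioned'), secure: flags.has('secure') };
  }

  // Legacy cookies are keyed by the cookie's host alone; partitioned cookies
  // are also keyed by the top-level site the user is visiting.
  static key(host, topSite, name, partitioned) {
    return [partitioned ? topSite : '*', host, name].join('|');
  }

  set(host, topSite, header) {
    const c = CookieJar.parse(header);
    if (c.partitioned && !c.secure) return false; // Partitioned requires Secure
    this.store.set(CookieJar.key(host, topSite, c.name, c.partitioned), c.value);
    return true;
  }

  get(host, topSite, name) {
    return this.store.get(CookieJar.key(host, topSite, name, true))
        ?? this.store.get(CookieJar.key(host, topSite, name, false));
  }
}

// A third-party widget on tracker.example: reuse the ID cookie if the browser
// sends one, otherwise mint a new ID. Returns the ID seen on each page visit.
function idsSeenByTracker(setCookieAttrs, visits) {
  const jar = new CookieJar();
  let minted = 0;
  return visits.map((topSite) => {
    let id = jar.get('tracker.example', topSite, '__Host-uid');
    if (id === undefined) {
      id = `id-${++minted}`;
      jar.set('tracker.example', topSite, `__Host-uid=${id}; ${setCookieAttrs}`);
    }
    return id;
  });
}

const visits = ['https://news.example', 'https://shop.example', 'https://news.example'];
const legacy = idsSeenByTracker('Secure; Path=/; SameSite=None', visits);
const chips = idsSeenByTracker('Secure; Path=/; SameSite=None; Partitioned', visits);
console.log({ legacy, chips });
```

With the legacy attributes the embedded third party sees the same ID on both sites; with `Partitioned` it sees one ID per top-level site and only recognizes the user on a return visit to the same site.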

Fenced Frames

Tl;dr: Prevents publishers from collecting data related to the ads shown to a user visiting one of their websites.

In the past, when ads were shown (in an iframe), the website that displayed the ad could retrieve information about this particular ad. In a world where publishing ads is done through a mechanism of real-time bidding, this means that not only did the advertiser collect data about you, but the publisher also could—at least theoretically—store all the information related to the ads shown to you on their websites and infer what your interests were.

Fenced frames make this impossible since they reduce the data shared between the embedded frame and the website hosting that frame.

Topics API

Tl;dr: Enables advertisers to show you relevant ads in a privacy-friendly way.

As an alternative to the extensive advertising ecosystem built around the decades-old feature of third-party cookies, Google allows for interest-based advertising. At the center of this paradigm shift is the Topics API. Here's how it works.

Based on a user's browsing behavior, Chrome determines a list of topics that are of interest to the user. It stores this information for seven days on their device before removing it and defining new topics. A single period is known as an epoch.

Through the Topics API, a website or a third-party ad publisher can request one topic out of the top five topics for the currently active epoch. This topic is shared alongside the bid request so that advertisers can determine if they would like to show an ad to that user and what they're willing to pay for it.

Protected Audience API

Tl;dr: Enables advertisers to show you ads related to your browsing behavior on a website in a privacy-friendly way.

On top of the Topics API, Chrome also offers advertisers the Protected Audience API. When a user visits the advertiser's website, the advertiser can ask the API to add the user to a particular segment. When that same user visits another website with some reserved ad space, this information is only available to this particular advertiser and no one else.

The way the Protected Audience API works allows advertisers to make a very granular real-time bid for showing an ad to a user who previously visited their website and viewed one of its products sold online.

Attribution API

Tl;dr: Enables advertisers to attribute marketing conversions to their ad publishing actions in a way that doesn't share any individual user or device information.

One of the biggest conundrums in the adtech business is attributing conversions to ads shown and clicked. In the past, it required the advertiser (or its adtech platform) to store every user interaction. With third-party cookies disappearing, advertisers can no longer create this unified profile.

Google's solution is the Attribution API.

It stores ad clicks and marketing conversions in the user's browser. The browser then shares this information with the advertiser in a privacy-friendly way—for example, by releasing the conversion data at an unspecified point later in time.

Fingerprinting

Since a lot of browsers, browser extensions, operating systems, and VPNs are cracking down on mechanisms to track users across the web, websites are turning to other ways to identify users and their devices. One such technique is browser fingerprinting, which combines multiple device properties and turns them into a unique ID.

In an attempt to prevent fingerprinting, some browsers hide properties such as a device's fonts, screen size, and browser extensions from the websites you visit or even report random properties to websites to confuse them.

Chrome, on the other hand, does no such thing. Instead, it benefits from the fact that billions of devices use Chrome, which reduces the possibility that a user's device properties are actually unique.

The fact that using the most popular browser instead of a privacy-minded alternative preserves privacy is counterintuitive to many people. Imagine it like this: when you wear a discreet gray jacket in a group of 100 people, with 99 people wearing a fluorescent orange jacket, it's super easy to track the gray jacket's movement and activities but difficult to track the orange ones.

Despite Chrome's wide adoption, tools like Fingerprint can still create unique identifiers for Chrome users, and this is not necessarily a bad thing. While fingerprinting is sometimes associated with bad intentions, it can also be used to prevent phishing scams, online impersonation, and fraud. For example, a banking website can use fingerprinting to identify that a user has changed devices since they last logged in.
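The jacket analogy can be measured as an anonymity set: the number of devices that share the same combination of properties. The following sketch is an added illustration, not code from Chrome or from Fingerprint; the device population and property names are constructed sample data.

```javascript
// Constructed sample population; every value below is made up for illustration.
const devices = [
  ['Chrome', '1920x1080', 'Europe/Berlin', 'fonts-A'],
  ['Chrome', '1920x1080', 'Europe/Berlin', 'fonts-A'],
  ['Chrome', '1920x1080', 'Europe/Berlin', 'fonts-B'],
  ['Chrome', '2560x1440', 'Europe/Berlin', 'fonts-A'],
  ['Chrome', '1920x1080', 'America/New_York', 'fonts-A'],
  ['Chrome', '1920x1080', 'America/New_York', 'fonts-A'],
  ['Firefox', '1920x1080', 'Europe/Berlin', 'fonts-A'],
  ['Safari', '1440x900', 'America/New_York', 'fonts-A'],
].map(([browser, screen, timezone, fonts]) => ({ browser, screen, timezone, fonts }));

// Concatenate the chosen properties into one identifier, the way a
// fingerprint combines individual device signals.
function fingerprint(device, props) {
  return props.map((p) => `${p}=${device[p]}`).join(';');
}

// For each device, count how many devices in the population share its
// fingerprint. A size of 1 means the device is uniquely identifiable.
function anonymitySetSizes(population, props) {
  const counts = new Map();
  for (const d of population) {
    const fp = fingerprint(d, props);
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  return population.map((d) => counts.get(fingerprint(d, props)));
}

// Add one property at a time and count the devices whose fingerprint is unique.
function uniqueDevicesPerStep(population, props) {
  return props.map((_, i) =>
    anonymitySetSizes(population, props.slice(0, i + 1)).filter((n) => n === 1).length);
}

const props = ['browser', 'screen', 'timezone', 'fonts'];
console.log(anonymitySetSizes(devices, ['browser']));
console.log(anonymitySetSizes(devices, props));
console.log(uniqueDevicesPerStep(devices, props));
```

On the browser name alone, the six Chrome devices hide in one crowd while the Firefox and Safari devices stand out. Once screen size, time zone, and fonts are combined, two of the Chrome devices are unique as well, which is why wide adoption by itself does not prevent identification.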

What's Missing and Using Extensions

Clearly, Google wants to serve multiple sides of the market. On the one hand, it wants to offer the same privacy-friendly browsing experience as its competitors. On the other hand, it wants to serve its advertising and publishing clients, who are the source of billions in revenue. The result is that their approach to privacy differs a lot from other browsers.

If you want to use Chrome for its speed, simplicity, and ecosystem but want to make it more private, consider making the following changes:

  • Navigate to chrome://settings/adPrivacy and opt out of ad topics, site-suggested ads, and ad measurement.
  • Install the ClearURLs extension to remove identifiers from URLs—for example, when clicking paid search ads on Google or Amazon.
  • Install the Privacy Badger extension to prevent websites from communicating your browsing behavior to tech companies like Meta or Google.

Chrome's Security Features

Now let's see what Chrome offers in terms of security.

Enhanced Safe Browsing

In the Security tab on myaccount.google.com, you can turn on Enhanced Safe Browsing. While it protects users across the entire Google ecosystem, it has some browser-specific features.

When it's turned on, Chrome checks in real time if a website you're trying to visit is known to be fraudulent—for example, through phishing practices. It also notifies you about the trust level of Chrome extensions.

Finally, Chrome blocks suspicious files when you try to download them. When files are risky but not clearly unsafe, you can even request a thorough scan that takes a couple of minutes to complete.

Enhanced Safe Browsing is not without controversy. While the protections are legitimate, users are again sharing more data with Google, such as what they're visiting or downloading. Since Google is not known to be trustworthy about siloing your data and not using it for advertising purposes, you might want to think twice before enabling this setting.

Password Management

Like most browsers these days, Chrome has a built-in password manager. It scans known data breaches containing usernames and passwords and informs users when their information has been compromised.

HTTPS Enforcement

These days, most traffic on the web goes through the HTTPS protocol, which prevents "eavesdropping" by in-between parties like Wi-Fi access points, ISPs, and DNS providers.

However, Google estimates that about 5 percent to 10 percent of web traffic still goes through HTTP. In 2021, it therefore rolled out HTTPS-first mode. When enabled, it switches automatically to HTTPS when it's available. When a website has to fall back to HTTP, Chrome notifies you about the risks before navigating to the website.

Google aims to enable this feature by default for all users throughout 2024.

Fast Release Cycle

When Internet Explorer was the most-used browser in the early 2000s, it was a stale piece of software that barely received any updates. Google Chrome took the world by storm by working with six-week release cycles.

Not only did this allow for a constant stream of new implementations, but it also drastically improved security. Whenever new vulnerabilities are discovered, users no longer have to wait months (or even years) to see them patched.

As of the release of Chrome 116, Google is going one step further by releasing weekly security updates. This prevents bad actors from reverse engineering patches implemented in beta releases and using this information for attacks.

Conclusion

Google has made tremendous improvements to the privacy and security of Chrome users. However, as a major advertising company, it has to balance these features with its hunger for more user data, which is at the core of its ad tech business.

While Chrome has robust privacy features, most privacy advocacy groups recommend against using the browser and suggest choosing privacy-first alternatives instead. The same applies to Chrome's security features. While they are, without doubt, good at preventing hacks, they again require users to share their data with the advertising giant.

If you're bent on using Chrome, custom configuration and extra extensions are recommended to improve your privacy and security.

And if you're a developer who wants to protect your website against attacks despite browsers' anti-fingerprinting measures, consider Fingerprint. It supports all major browsers, including Chrome.