Is user-agent a privacy concern?

Recently, I had a discussion with an e-commerce client about the implications of logging user-agents for their customers. Are there any privacy concerns involved? Can this data be used for anything other than identifying the browsers customers use to visit the site? And what about customers browsing in incognito mode — does the user-agent reveal that?

To find out, I decided to conduct a quick experiment.

Using RequestBin by Pipedream, I examined how user-agents are transmitted across the internet, using a simple public bin; visiting the URL of the bin using different browsers.

This was the request from ‘normal’ Chrome

Notice the user-agent is:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Now I repeated the experiment with Incognito mode in Chrome
(Note: I requested /incognito at the endpoint, so I could differentiate)

Notice the User Agent is identical — whether in incognito or not.

What does this User Agent mean, anyway?

There are various ‘parts’ to the user agent:

1. Mozilla/5.0: This is a common string found at the beginning of most user-agent strings for compatibility purposes. It doesn’t specifically indicate the Mozilla browser but rather a historical quirk that many browsers adopted.
2. (Macintosh; Intel Mac OS X 10_15_7): This part indicates the operating system. It specifies that the device is a Macintosh computer running Mac OS X version 10.15.7, with an Intel processor.
   This is interesting, because this particular device uses Apple processor (m2!) Version 10.15.7 of OSX has been out for almost 2 years now. I didn’t realise it hadn’t been updated for so long!
3. AppleWebKit/537.36 (KHTML, like Gecko): This specifies the browser engine used to render web pages. AppleWebKit/537.36 indicates the version of the WebKit engine, which is used by Safari and other browsers. KHTML like Gecko suggests that the browser behaves like Gecko, the engine used by Firefox.
4. Chrome/123.0.0.0: This indicates the browser name and version. In this case, it’s Chrome version 123.0.0.0. Note that this version number is likely a placeholder or an example, as real Chrome version numbers follow a different pattern.
   This is another good point. I noticed my version of Chrome was outdated. So I did the update, but replayed the experiment, but the user-agent was stillMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
5. Safari/537.36: This part shows compatibility with Safari, another browser that uses the WebKit engine. The version number here (537.36) matches the WebKit version, reinforcing the engine used.

Brave (and other Chromium based browsers)

I replayed the experiment on Brave (which is based on Chromium)
This was ‘up to date’ — and the returned user-agent was:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36

…Which of course, was identical to my (newly updated) Chrome

Are there any privacy implications? Security?

Could my user-agent be used to identify me? In short, no.

Chrome and Brave, and Arc (although I didn’t specifically talk about it in the post) all use the same user-agent.

The footprint of possible users would be in the millions, maybe even tens of millions with these two points:

• Mac 10.5.7 (released almost 2 years ago at time of writing)
• Chrome version 123 (released months ago — March 2024 it seems) 125 was released almost a month ago

Relying on that to identify someone wouldn’t be accurate, nor useful, not even for analytical purpose.

Originally published at https://www.alexjamesbrown.com on June 9, 2024.