February 24, 2020

Google Chrome Update Introduces a New Type of Privacy Concern

Google Chrome’s latest update is under scrutiny for what has the potential to be a major privacy concern.

Chrome 80 implements a new browser capability called ScrollToTextFragment, enabling deep links to web documents. ScrollToTextFragment allows Google to link to a single word of text and its position on the page.

You may be thinking – “doesn’t Google already do this?”

Yes, it does, but this capability has always been dependent on an anchor created by the site owner. ScrollToTextFragment doesn’t require an anchor, meaning a link to a specific piece of text within a document can be created by anyone.

Google provides the following example:

“For example, the URL:

[ islands, birds can contribute as much as 60% of a cat’s diet]

This loads the page for Cat, highlights the specified text, and scrolls directly to it.”

Google claims this is helpful, as it “will allow the link-creator to specify which portion of the page is interesting, without relying on author annotations.”
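The link format described above can be recognised and removed in code, for example when reviewing proxy logs or cleaning URLs before they are stored. This is an added example, not code from the article or from Google; it assumes the `#:~:text=` directive syntax of the WICG Scroll To Text Fragment draft, which the article does not spell out, and the function names and example.com URL are constructed for illustration.

```javascript
// Added example. Assumed syntax (WICG Scroll To Text Fragment draft):
//   #[anchor]:~:text=[prefix-,]start[,end][,-suffix]   (directives joined by '&')
const DELIM = ':~:';

function decodeTerm(term) {
  // A malformed %-escape makes decodeURIComponent throw; treat it as invalid.
  try { return decodeURIComponent(term); } catch { return null; }
}

// Return every text directive carried by a URL as {prefix, start, end, suffix}.
function parseTextFragments(urlString) {
  const hash = new URL(urlString).hash;            // '' or '#...'
  const at = hash.indexOf(DELIM);
  if (at === -1) return [];                        // ordinary anchor or no fragment
  const found = [];
  for (const directive of hash.slice(at + DELIM.length).split('&')) {
    if (!directive.startsWith('text=')) continue;  // ignore unknown directives
    const terms = directive.slice('text='.length).split(',');
    const out = { prefix: null, start: null, end: null, suffix: null };
    if (terms.length && terms[0].endsWith('-')) {
      out.prefix = decodeTerm(terms.shift().slice(0, -1));
    }
    if (terms.length && terms[terms.length - 1].startsWith('-')) {
      out.suffix = decodeTerm(terms.pop().slice(1));
    }
    if (terms.length < 1 || terms.length > 2) continue;   // malformed directive
    out.start = decodeTerm(terms[0]);
    if (terms.length === 2) out.end = decodeTerm(terms[1]);
    if (!out.start) continue;                      // empty or undecodable start text
    found.push(out);
  }
  return found;
}

// Drop the directive but keep any ordinary anchor that precedes it.
function stripTextFragments(urlString) {
  const url = new URL(urlString);
  const at = url.hash.indexOf(DELIM);
  if (at !== -1) url.hash = url.hash.slice(1, at); // '' removes the '#' entirely
  return url.toString();
}

// Constructed sample URL, not taken from the article.
const SAMPLE = 'https://example.com/article#notes:~:text=intro-,first%20phrase,last%20phrase,-outro';
console.log(parseTextFragments(SAMPLE));
console.log(stripTextFragments(SAMPLE));
```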

What’s the Concern?

While it’s true that ScrollToTextFragment can be useful, privacy pundits argue that it can also be exploited.


Privacy concerns were raised before the release of Chrome 80, but it shipped anyway. In a comment on GitHub prior to release, Mozilla’s David Baron stated:

“My high-level opinion here is that this is a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems. So I think the question we should think about is how the problems of the solution chosen here compare to the problems of other options and how they compare to the value of the feature.”

In the same GitHub thread, Chromium engineer David Bokan says security issues were discussed, but it was decided that ScrollToTextFragment would ship without opt-in. An option to opt out may be introduced in the future:

“We discussed this and other issues with our security team and, to summarize, we understand the issue but disagree on the severity so we’re proceeding with allowing this without requiring opt-in (though we are still working on adding an opt in/out).”

Currently, ScrollToTextFragment is only supported by the Chrome browser.
