IN A NUTSHELL:
- Google probably tracks users who are using experimental features.
- The X-Client-Data generates a unique code for each user, which is treated as an ID.
- We are tracked even when using VPN, Tora and we are logged out of Google services.
Some time ago, Google introduced an experimental mode, where a certain concise paragraph about X-Client-Data ensured that the implemented test features were not used to identify or track users. In February, Arnaud Granal, programmer of Kiwi - an open-source browser based on Chromium, expressed some doubts in The Register. He noticed then, that every user using the experimental functions receives a unique identifier. He also suggested that it could be used by Google to track people on the Internet. This, in turn, violates the general regulation on the protection of personal data (GDPR), issued by the European Union, because such an identifier is treated on an equal footing with personal data.
What is the X-Client-Data?
An official document published by Google explains that X-Client-Data is used to collect information and describe various experiments and hidden functions (so-called Chrome Flags). When a user turns on a test of a particular feature that has not yet been officially launched, the browser generates a unique sequence of letters and numbers, which is hidden in the X-Client-Data header.
Granal warns that whether we use VPN or even Tor (when using Google Chrome), we can be tracked using X-Client-Data. Google can see our traffic even if we are not logged into its services or when using a proxy. If you don't feel safe, you should start using other browsers that don't transmit information to Google's servers and don't generate X-Client-Data code.