Publication · ARES ’24
A Privacy Measure Turned Upside Down?
Investigating the Use of HTTP Client Hints on the Web
Open Access · Peer-reviewed · ACM · Vienna, Austria · 30 July 2024
Summary
HTTP Client Hints are standardized request headers meant to modernize and eventually replace the classic User-Agent string. Instead of broadly exposing many device and browser details, clients are supposed to disclose their properties selectively, and thus in a more privacy-friendly way.
The paper provides the first long-term study of how Client Hints are actually used on the web. The result: although nearly all browsers support them, server-side adoption is low overall but markedly higher among third parties and trackers. That is concerning, because Client Hints can leak more data than the User-Agent string without users being able to notice or control it.
Adoption is markedly higher among third parties and trackers — without users being able to notice or control the data leakage.
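To make the measurement idea concrete, here is an added example (not code from the paper or its dataset) that tallies which high-entropy user-agent hints servers ask for through the `Accept-CH` response header, split by first and third party. The sample records, the `site()` heuristic and all function names are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# User-agent hints a client sends only after a server opts in via Accept-CH.
HIGH_ENTROPY = {
    "sec-ch-ua-arch", "sec-ch-ua-bitness", "sec-ch-ua-full-version",
    "sec-ch-ua-full-version-list", "sec-ch-ua-model",
    "sec-ch-ua-platform-version", "sec-ch-ua-wow64",
}

def parse_accept_ch(headers):
    """Return the lowercase hint names requested across all Accept-CH lines."""
    hints = set()
    for name, value in headers:
        if name.strip().lower() != "accept-ch":
            continue
        for item in value.split(","):
            token = item.split(";", 1)[0].strip().lower()  # drop parameters
            if token:
                hints.add(token)
    return hints

def site(url):
    """Naive site key: last two host labels (assumption; use the Public Suffix List in a real crawl)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def audit(records):
    """Count high-entropy hint requests, keyed by (party, hint)."""
    counts = Counter()
    for page_url, response_url, headers in records:
        party = "first" if site(page_url) == site(response_url) else "third"
        for hint in parse_accept_ch(headers) & HIGH_ENTROPY:
            counts[(party, hint)] += 1
    return counts

# Constructed sample responses (not taken from the paper's dataset).
SAMPLE = [
    ("https://shop.example/login", "https://shop.example/login",
     [("Content-Type", "text/html"), ("Accept-CH", "Sec-CH-UA-Platform")]),
    ("https://shop.example/login", "https://cdn.tracker.test/t.js",
     [("Accept-CH", "Sec-CH-UA-Model, Sec-CH-UA-Platform-Version"),
      ("accept-ch", "sec-ch-ua-full-version-list , Sec-CH-UA-Arch")]),
    ("https://news.example/login", "https://px.tracker.test/p.gif",
     [("Accept-CH", "Sec-CH-UA-Model, Viewport-Width")]),
]

if __name__ == "__main__":
    for (party, hint), n in sorted(audit(SAMPLE).items()):
        print(f"{party:5} {hint:30} {n}")
```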
My contribution
- Large-scale privacy crawl of login pages running over a year (Aug 2022 – Dec 2023).
- Statistical analysis and visualization on an HPC cluster (Python, pandas, NumPy, seaborn).
- Open dataset of the collected Client Hint responses for reproducibility.