Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> A quick check of Chrome installers returned identical hashes each time.

OK, however, are we completely sure that Chrome installer doesn't generate this token on launch and talk with the mothership?

This sounds like whitewashing Chrome just to increase the impact of the article or push Chrome or both.

Like Chrome is not tracking me in and out of the internet and in the kitchen making tea and noting its brand and reporting to Google.




The way firefox does it can connect the downloading session with the running session. You can argue with the value or validity of that, but it seems like the chrome installer cant do that, which is nice.

As for why it's in the article I think it's valuable to include it since if chrome was doing it too it might be seen as just "normal", but now it seems even more weird that firefox which is supposed to be the privacy alternative is tracking something that google is not.


Considering that ~everyone was tracking device or installation IDs before Apple cracked down on it, on iOS, I think it's a safe bet that ~everyone is still doing it on desktop, and yeah, generating at install time is probably enough for most use cases and makes your build and distribution processes simpler.


>OK, however, are we completely sure that Chrome installer doesn't generate this token on launch and talk with the mothership?

That wouldn't give any information about where/when you got the installer from, which is the topic of this article. Doing so would be impossible without embedding information in the exe (which would change the hash).

While I agree that it's a little weird to specifically note it for Google of all companies, the relevance to the article is that Chrome isn't engaging in this specific type of tracking.


Chrome has the X-Client-Data header: https://github.com/bromite/bromite/issues/480


Of which there are (supposedly) only 2^13 possible variants:

>Additionally, a subset of low entropy variations are included in network requests sent to Google. The combined state of these variations is non-identifying, since it is based on a 13-bit low entropy value (see above). These are transmitted using the "X-Client-Data" HTTP header, which contains a list of active variations. On Android, this header may include a limited set of external server-side experiments, which may affect the Chrome installation. This header is used to evaluate the effect on Google servers - for example, a networking change may affect YouTube video load speed or an Omnibox ranking update may result in more helpful Google Search results.

https://www.google.com/chrome/privacy/whitepaper.html#variat...


> This sounds like whitewashing Chrome just to increase the impact of the article

I removed ghacks from my RSS reader years ago because that website tends to sensationalize these stories, and I can’t stand that.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: