Google Chrome wants to hide your IP address

Google is working out some kinks in the project formerly known as Gnatcatcher, which will now be known under the more descriptive name “IP Protection.” Which means that Chrome is reintroducing a proposal to hide users’ IP addresses, to make cross-site tracking more difficult.

An Internet Protocol (IP) address is a unique number that’s assigned to your computer when it joins a network. The number acts as your address on the network. In order for two computers to communicate, each must know the other’s address, so that messages go to the right place.

The IP address you use on the Internet is typically the one that your router is given by your ISP (Internet Service Provider). Although the IP address you use isn’t assigned to you permanently it will likely go unchanged until you disconnect or turn off your router. Blocks of IP addresses are assigned geographicaly, so it’s also possible to use them for a form of crude geolocation, accurate to about the nearest city.

Your IP address’s combination of persistence and uniqueness makes it a useful identifier for anyone who wants to track you across multiple websites. It can also be combined with other semi-permanent information from your browser to create an even more accurate “fingerprint”, that identifies you when you browse.

Over time this fingerprint can be used to build up a unique, persistent user profile that can be used for targeted advertising, which many people see as a threat to their privacy.

As a result, some users do not like to reveal their IP address, so they hide it using a proxy server or a VPN. Both proxies and VPNs mask a user’s IP address with one of their own. Only the proxy operator or VPN provider knows the user’s real address.

Google’s IP Protection proposal will use proxies to hide users’ IP addresses.

Because there are some potentially unwanted side-effects, and Google wants to learn as it goes, the feature will be tested and rolled out in multiple phases. In the first phase the feature will use a single Google-owned proxy, will only proxy requests to domains owned by Google, and will only work for users with US-based IP addresses.

Apparently Google wants to test the infrastructure without impacting third-party companies. Domains owned by Google include services like Gmail, but also AdServices. Note that in this phase Google will automatically enroll a small percentage of users, and they must be logged in to Chrome.

In later phases Google plans to  use a chain of two proxies so that neither proxy can see both the origin and destination IP addresses. There are some concerns that will need to be ironed out in the course of the testing phases:

  • Defensibility, since a compromised proxy may be used to deploy attacks.
  • Disruption of existing Denial of Service (DoS) defenses by using the two proxies.
  • Disruption of existing defenses for fraud and invalid traffic detection. For example, depending on the way they work, some block-lists will no longer be effective because the final destination is not detected.

Google expects that this may change plans along the way, and states:

“Long term solutions will evolve and will be shaped in conjunction with the ecosystem. We will collaborate with ISPs, CDNs, third parties, and destination sites towards the end-state of privacy proxies for the web. For instance, ISPs and CDNs are well suited to operate privacy proxies.”

We will keep an eye on how this development takes shape. But, even if I could, I would not sign up for the first phase if I were a user that now uses a VPN to hide their IP address. Because in this phase Google will be able to see your IP address and the one you are visiting, which means you would only be shifting the information gathering from several Google services to one central point.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.