An IP address is a number that identifies each unique device on a network, like a mailing address. IP addresses are essential to the basic functioning of the web, notably for routing traffic and to prevent fraud and spam. However, IP addresses are also strong tracking signals. They are cheap to collect, relatively stable over time and, combined with other signals, can be used to identify an individual device.
IP Protection enhances Incognito mode's cross-site tracking protections, by masking a user's original IP address in third–party contexts, with a coarse geolocation IP, for domains listed in Masked Domain List (MDL).
Scope of IP Protection
IP Protection only applies for network requests that occur in a third-party context, such as when a domain for a resource (google.com, for example) on a page is different from the top-level domain (youtube.com). IP Protection will not apply in a first-party context - meaning that the domain for a resource matches the top level domain — even if the domain itself is on the MDL.
In a detailed explainer you can learn more about how IP Protection determines first- and third-party contexts.
IP Protection in Chrome will roll out in certain regions before being available globally, and may not be available in all countries.
How IP Protection works
IP Protection anonymizes the user's IP address, to help protect it from potential cross-site tracking.
IP Protection uses a two-hop proxy system that anonymizes qualifying traffic:
- The first proxy server, operated by Google, sees only the user's IP and a request to connect to the second proxy server. The first proxy server does not see the destination IP address or the content of the request.
- The second proxy server, operated by an external CDN, sees only the destination domain. This proxy does not see the user's original IP address or the content of the request.
This approach ensures neither proxy server can link the user's IP to the websites they visit. Responses are routed back through the same two hops, maintaining the same level of protection.
The system also uses HTTPS between the client and each proxy, further protecting the content of the communication. Chrome uses an RSA blind signature scheme for IP Protection to ensure that the proxies cannot link the traffic that they're handling to a user's account, neither the one operated by Google nor the one operated by the CDN.
IP-based geolocation
IP-based geolocation may be used by services within proxied third-party traffic to obey local laws and regulations. IP-based geolocation can also allow services to provide better performance as well as content that is relevant to users through content localization (for example, to set language) and geographic targeting for ads.
To support these needs, the two-hop proxy system assigns IP addresses that represent the user's coarse location, including country. Developers can refer to the complete list of IP addresses and geo assignments exposed by IP Protection in the public geofeed file.
To learn more refer to the IP Geolocation explainer.
Take action on IP Protection
We encourage you to:
- Review the Masked Domain List and identify any of your domains that may be on it. To learn more refer to the dedicated MDL page.
- Keep an eye on the Privacy Sandbox timeline for details about IP Protection implementation.
Engage and share feedback
If you have any feedback, we'd love to hear it.
- GitHub: Read the explainer or raise questions and participate in discussion.
- Developer support: Ask questions and join discussions on the Privacy Sandbox Developer Support repository.