When discussing
The X-Client-Data header is not a hidden functionality and its behavior
It is stated that the header does not contain personally identifiable information and only describes the state of the Chrome installation and its active experimental features. If sending browser usage telemetry and crash reports is disabled in the settings, only 13 bits of entropy (8000 different combinations) are used to generate the base value of the X-Client-Data header, which is not enough for identification.
Given that the header also encodes some settings and system parameters, the content of X-Client-Data is, in the end, quite suitable as an additional data source for indirectly identifying a user over a short period of time (experimental features are turned on and off over time, which leads to a periodic change in the X-Client-Data value).
However, in addition to the initial entropy, the X-Client-Data value also uses a seed sequence that is returned by Google servers and depends on the country, IP address and other criteria that Google considers important (for example, nothing prevents the servers from returning a large random sequence, which would become an exact identifier).
In addition, checking against Google domain masks when sending X-Client-Data does not exclude situations where an attacker can register a domain like "youtube.xn--55qx5d" and start collecting identifiers.
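The gap described above, as an added example that is not Chrome's code and not from the original article: a mask that accepts any TLD after a brand label is compared with an exact-domain allowlist, and hosts that only the mask accepts are reported. The brand labels, the allowlist and the sample hosts are assumptions constructed for illustration.

```javascript
// Added illustration. BRAND_LABELS and EXACT_ALLOWLIST are assumptions made
// for this example; they are not the lists Chrome ships.
const BRAND_LABELS = ["google", "youtube"];            // mask form: <brand>.<any TLD>
const EXACT_ALLOWLIST = ["google.com", "youtube.com"]; // full registrable domains

// Lower-case the host and drop a trailing root dot so comparisons are stable.
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// Mask check: the label directly before the TLD is a brand, and the TLD is
// accepted whatever it is. Multi-label suffixes (co.uk) are out of scope here.
function matchesWildcardTldMask(host) {
  const labels = normalizeHost(host).split(".");
  return labels.length >= 2 && BRAND_LABELS.includes(labels[labels.length - 2]);
}

// Allowlist check: the host is an allowlisted domain or a subdomain of one.
function matchesExactAllowlist(host) {
  const h = normalizeHost(host);
  return EXACT_ALLOWLIST.some((d) => h === d || h.endsWith("." + d));
}

// An "xn--" prefix marks a Punycode-encoded (internationalized) label.
function hasPunycodeTld(host) {
  return normalizeHost(host).split(".").pop().startsWith("xn--");
}

// Report hosts that the mask accepts but the allowlist rejects.
function auditHosts(hosts) {
  return hosts
    .filter((h) => matchesWildcardTldMask(h) && !matchesExactAllowlist(h))
    .map((h) => ({ host: normalizeHost(h), punycodeTld: hasPunycodeTld(h) }));
}

// Constructed sample input; the second entry is the domain named in the text.
const SAMPLE_HOSTS = [
  "www.youtube.com",
  "youtube.xn--55qx5d",
  "Google.com.",
  "youtube.com.example.org",
  "example.org",
];

console.log(auditHosts(SAMPLE_HOSTS));
```

The same comparison can be run over proxy or DNS logs to list hosts that a TLD-agnostic mask would treat as trusted.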
Source: opennet.ru