Another Google Search Parameter? For RLZ!
There are many query string parameters in Google Search URLs that hold interesting information. The rlz parameter is no exception, but thankfully it isn't as mysterious as many others; Google explains what the RLZ parameter is and how it functions in a white paper.
From the Google Chrome Privacy Whitepaper:

> To measure searches and Chrome usage driven by a particular campaign, Chrome inserts a promotional tag, not unique to you or your device, in the searches you perform on Google. This non-unique tag contains information about how Chrome was obtained, the week when Chrome was installed, and the week when the first search was performed. For desktop versions of Chrome, Chrome generates a promotional tag, if the promotional installation token described in the previous paragraph indicates that Chrome has been installed or reactivated by a campaign on a device which has not been associated with any campaign yet. For Chrome on Mobile, a promotional tag is always sent regardless of the source of installations.
>
> The promotional tag is generated using a software library called "RLZ" and looks similar to “1T4ADBR_enUS236US239”. The RLZ library was fully open-sourced in June 2010. For more information, please see the In the Open, for RLZ post on the Chromium blog and the article “How To Read An RLZ String”.

It is also not new by any means; the RLZ code was open-sourced 10 years ago! With the help of that code (in its new home under Chromium), I've implemented a parser for the RLZ tags in Unfurl.
I think a few things in the RLZ tag may be of interest to an investigator:
- Application: this is the application (sometimes called the "access point") that generated the Google search. From this, one may be able to infer the web browser (or non-browser app), the operating system (either implicitly, as IE likely means Windows, or explicitly, as in 'Chrome Omnibox on Mac'), and the device type (examples: iOS Tablet or ChromeOS).
- Language: this might add more context about the user, or be a flag if the value is unexpected.
- Cohorts: these indicate the installation and first search times. I think the timing may add interesting context (was it just installed, or has it been there for years?), but I don't see much difference in value between the Install and Search cohorts (they are also the same in many cases).
Try it out! Check out the live version of the example from the image above. The hover text on the RLZ child nodes has explanations based on the “How To Read An RLZ String” post, in case you want more details on each.
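
To make the fields listed above concrete, here is an added example (not Unfurl's code and not taken from the RLZ library) that pulls the `rlz` parameter out of a search URL and splits it into application, language and cohorts. The field widths, the function names and the sample URL are assumptions inferred from the sample tag quoted above; the week numbers are kept as raw integers and not converted to dates.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Field layout ASSUMED from the sample tag quoted on this page
# (1T4ADBR_enUS236US239); it is not taken from the RLZ library source.
RLZ_RE = re.compile(
    r"^(?P<version>\d)"                      # encoding version (assumed)
    r"(?P<application>[A-Z0-9]{2})"          # application / access point
    r"(?P<brand>[A-Z]{4})"                   # distribution code (assumed)
    r"_"                                     # separator seen in the sample
    r"(?P<language>[A-Za-z]{2}(?:-[A-Za-z]{2})?)"
    r"(?P<install_cohort>[A-Z]{2}\d{3})?"    # assumed: country + week number
    r"(?P<search_cohort>[A-Z]{2}\d{3})?$"
)


def rlz_values(url):
    """Return every rlz value found in the URL's query string."""
    return parse_qs(urlsplit(url).query).get("rlz", [])


def parse_rlz(tag):
    """Split one RLZ tag into named fields; None if it does not fit the layout."""
    m = RLZ_RE.match(tag)
    if m is None:
        return None
    fields = m.groupdict()
    for name in ("install_cohort", "search_cohort"):
        cohort = fields[name]
        # Keep the week as an integer so the two cohorts can be compared.
        fields[name] = {"country": cohort[:2], "week": int(cohort[2:])} if cohort else None
    inst, srch = fields["install_cohort"], fields["search_cohort"]
    fields["weeks_install_to_first_search"] = (
        srch["week"] - inst["week"] if inst and srch else None
    )
    return fields


def triage(url, expected_language="en"):
    """Parse each rlz tag in a URL and flag a language that is not the expected one."""
    results = []
    for tag in rlz_values(url):
        fields = parse_rlz(tag)
        if fields is not None:
            lang = fields["language"].lower()
            fields["language_unexpected"] = not lang.startswith(expected_language)
        results.append((tag, fields))
    return results


# Constructed sample URL using the tag quoted on this page.
SAMPLE_URL = "https://www.google.com/search?q=unfurl&rlz=1T4ADBR_enUS236US239"
```

Tags that do not fit the assumed layout come back as `None` from `parse_rlz`, so `triage` still reports them alongside the parsed ones.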