To revoke the registration, remove the Chrome OS user, sign out of Chrome on Android, remove the desktop profile, or remove the enrollment token and device token for Chrome Browser Cloud Management.
Chrome on Android uses Android MediaDrm to play protected content. As on ChromeOS, the website may request verification that the device is eligible to do so.
A provisioning request is sent to Google, which generates a certificate that will be stored on the device and sent to the site whenever you play protected content. The information in the provisioning request and in the certificate varies depending on the Android version. In all cases, the information can be used to identify the device, but never the user.
Google only learns about the destination domain that will be prefetched, which Google already knows as it generated the Search results page.
Registered profiles and devices check for policy changes periodically (every 3 hours by default). In some cases, the server pushes policy changes to the client without waiting for Chrome’s periodic check. Unregistered profiles check whether a policy has been turned on for their domain each time Chrome starts up. If so, the Chrome OS user session, Chrome profile, or enrolled Chrome Browser is assigned a unique ID, and registered as belonging to that Google Apps domain.
On some platforms, the website may additionally request verification that the device is eligible to play specific types of protected content. In this case, Google creates a certificate using a unique hardware identifier for the device.
Prefetches are tunneled through a CONNECT proxy operated by Google, and only HTTPS links are prefetched. Consequently, the TLS connection is established between Chrome and the origin so the proxy server cannot inspect the traffic, and requests to the origin come from a Google IP instead of the user’s IP.
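The following added example (not part of the original page and not Chrome's or Google's code) parses a constructed byte stream as a CONNECT proxy would receive it, showing that only the destination host and port and the TLS record framing are readable on the proxy side. The host example.com, the filler payloads, and the function names are assumptions made for illustration.

```python
import struct

# Constructed sample of the bytes a CONNECT proxy receives from a client.
# example.com and the record payloads are placeholders, not real traffic.
CONNECT_REQ = (b"CONNECT example.com:443 HTTP/1.1\r\n"
               b"Host: example.com:443\r\n\r\n")

def tls_record(content_type, payload):
    """Build one TLS record: type (1 byte), legacy version (2), length (2), payload."""
    return struct.pack("!BHH", content_type, 0x0303, len(payload)) + payload

# After the proxy replies 200, the client speaks TLS to the origin through it.
# A handshake record (22) is followed by application data (23); the payloads
# are filler standing in for a ClientHello and for the encrypted HTTP request.
TUNNEL_BYTES = (tls_record(22, b"\x01" + b"\x00" * 40) +
                tls_record(23, bytes(range(64))))
CAPTURE = CONNECT_REQ + TUNNEL_BYTES

TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}

def proxy_view(stream):
    """Return what the proxy can read: the CONNECT target and TLS record framing."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT request")
    request_line = head.split(b"\r\n")[0].decode("ascii")
    method, authority, _version = request_line.split(" ")
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = authority.rpartition(":")
    records, offset = [], 0
    while offset + 5 <= len(rest):
        ctype, _ver, length = struct.unpack_from("!BHH", rest, offset)
        if offset + 5 + length > len(rest):
            break  # truncated record: stop rather than misparse
        records.append((TLS_TYPES.get(ctype, "unknown"), length))
        offset += 5 + length
    # No URL path, headers or body appear here: those travel inside the
    # application_data records, encrypted between the client and the origin.
    return {"host": host, "port": int(port), "records": records}

if __name__ == "__main__":
    print(proxy_view(CAPTURE))
```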