macOS High Sierra: The new Safari takes steps to reduce persistent user tracking, but is it enough?

In macOS High Sierra, third parties will have a harder time sharing tracking information through Safari. It’s all part of Apple’s approach to privacy, and it’s not just lip service. While such policies certainly help the company from a marketing standpoint, they’re also routinely turned into product features.
The new feature seems to have the potential to make it harder for unrelated sites to follow you around the internet. But some experts believe that, while a noble technology to deploy, the action has already shifted to a different front that Apple can’t help with directly.
You’re the product
Apple has long taken the stance that it doesn’t treat our private data and online behavior as property it can sell or lease to others. This notion is partly in reaction to Google, Facebook, Amazon, and others who make their money in different ways than Apple, all of which have led them to push at the legal and ethical limits of harvesting our personal lives.
When was the last time you remember any of those sites making a change that you felt increased your privacy? Meanwhile, you can list court cases, features, options, and under-the-hood technology that Apple has pursued to prevent unwanted or unwarranted access to your data and private life.
In iOS 9, Apple added content-blocking Safari extensions, and brought the same technology to macOS in Sierra the next year. App developers could ship rulesets that keep resources from specific domains, page elements matching certain selectors, or particular resource types (scripts, images, media) from loading at all.
This seemed like an awfully hostile move, even though 11 percent of all internet users currently use ad-blocking software, according to PageFair. But ad blocking largely isn’t about advertising. Rather, it’s about page bloat, load time, popovers, auto-play videos, bandwidth usage, a site’s usability, and unintentionally delivered malware. Most users don’t necessarily complain about all these factors at once, but those who install Ghostery, 1Blocker, and other desktop and mobile filters do so from frustration. (Yes, some people just object to ads qua ads, but ads pay the bills.)
Apple’s latest move, announced at WWDC, doesn’t block ads at all, but it tries to prevent unwanted pathways between user behaviors and tracking, often used for targeted advertising. Those pathways allow tracking systems to follow you by storing information in your browser that the browser then sends when you visit other sites that use the same trackers.
Intelligent Tracking Prevention (ITP) is Apple’s term for the new technology going into WebKit, the open-source engine Apple develops that underlies Safari for macOS and iOS, as well as third-party browsers built on it. At this stage, Apple has discussed ITP only as a macOS feature.
Trackers work by generating a unique token and storing it in the browser. This is typically done with cookies, but less scrupulous tracking systems use other storage mechanisms too, creating “evercookies.” An evercookie drops the same tracking ID into every nook and cranny of the browser that allows any form of data storage or caching, and restores it from whichever copy survives, making it almost impossible to root out. The only way to avoid them in Safari is private browsing.
ITP attempts to recognize tokens designed to identify you across sites, rather than those used for routine single-site-based interaction. It watches how remote resources are loaded, and how you interact with them, including whether you tap, click, or enter data into forms. Because it’s Apple, the statistics and actions gathered aren’t sent back to the cloud, but are stored locally to build up a profile for your Safari on your Mac. (It’s possible Apple will send certain limited and anonymized data back using differential privacy, but that wasn’t announced.)
The system distinguishes between first-party and third-party visits. A first-party visit happens when you go directly to a site, like macworld.com; a third-party visit is any script, image, video, or other resource that a macworld.com page loads from some domain other than macworld.com.
ITP does allow a domain’s cookies to be used cross-site for 24 hours after your last first-party visit to that domain. Apple’s example is a site called Account.com that handles the logins for SiteA.com, SiteB.com, and SiteC.com. Visiting Account.com and logging in sets a cookie at Account.com, which the other sites can retrieve by loading a script from Account.com, letting them validate your login.
After 24 hours, however, Apple’s system withholds those cookies and other stored data from third-party requests. Your browser data for Account.com itself remains available for up to 30 days through a first-party visit to that domain, but pages on other domains can no longer read it.
A site developer would need to create a simple redirect to refresh the first-party connection: you’d go to SiteB.com, it would redirect you to Account.com, and then back to SiteB.com. This should be fairly seamless, and some sites make use of this today. For user tracking, however, a script or pixel that loads silently inside someone else’s page doesn’t count as a first-party visit to the tracker’s domain, so an embedded tracker won’t get its cookies back after 24 hours.
For domains identified as tracking you across sites, Safari will dump all cookies and “website data” associated with the domain after 30 days with no first-party visit. While Apple hasn’t provided details about which data is removed, I hope it’s all the locations that evercookies rely upon. Otherwise, this purging doesn’t truly stop browser-based tracking. (You can read a more technical rundown of the system at the WebKit site.)
This all sounds pretty slick. It allows short-term use of cross-site data for limited purposes and medium-term use for more focused uses, while it rejects data intended to persist over long periods across unrelated parties.
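To make the timing rules concrete, here is a small model of the behavior described above, written for this piece rather than taken from WebKit. It records when each domain was last visited as a first party, classifies a domain as a tracker once it has loaded as a third party under three distinct sites (an assumed threshold; the real classifier uses its own statistics), and applies the 24-hour and 30-day windows on every cross-site request:

```javascript
// Added example: a simplified model of ITP's timing rules, not WebKit's code.
const HOUR = 60 * 60 * 1000;
const DAY = 24 * HOUR;
const THIRD_PARTY_WINDOW = 24 * HOUR; // cross-site cookie access allowed this long after a first-party visit
const PURGE_AFTER = 30 * DAY;         // tracker data dropped after this long without a first-party visit
const TRACKER_THRESHOLD = 3;          // ASSUMPTION: loaded under this many distinct sites => tracker

class ItpModel {
  constructor() {
    this.lastFirstParty = new Map(); // domain -> time of last first-party (top-level) visit
    this.seenUnder = new Map();      // domain -> Set of first-party domains it was loaded under
    this.jars = new Map();           // domain -> { cookieName: value }
  }

  // The user navigates to `domain` directly, or lands there via a redirect.
  firstPartyVisit(domain, now) {
    this.lastFirstParty.set(domain, now);
  }

  // A response from `domain` sets a cookie (first- or third-party context).
  setCookie(domain, name, value) {
    if (!this.jars.has(domain)) this.jars.set(domain, {});
    this.jars.get(domain)[name] = value;
  }

  isTracker(domain) {
    return (this.seenUnder.get(domain) || new Set()).size >= TRACKER_THRESHOLD;
  }

  // Drop everything stored for tracker domains with no first-party visit in 30 days.
  sweep(now) {
    const purged = [];
    for (const [domain, last] of this.lastFirstParty) {
      if (this.isTracker(domain) && now - last > PURGE_AFTER) {
        this.jars.delete(domain);
        this.lastFirstParty.delete(domain);
        purged.push(domain);
      }
    }
    return purged;
  }

  // A page on `firstParty` loads a script or image from `domain`. Returns the
  // cookies the request would carry and the reason.
  thirdPartyRequest(domain, firstParty, now) {
    if (!this.seenUnder.has(domain)) this.seenUnder.set(domain, new Set());
    this.seenUnder.get(domain).add(firstParty);
    const purgedNow = this.sweep(now).includes(domain);

    const jar = this.jars.get(domain) || {};
    if (!this.isTracker(domain)) {
      return { decision: 'allowed', cookies: { ...jar } }; // ordinary third party, untouched by ITP
    }
    if (purgedNow) return { decision: 'purged', cookies: {} };
    const last = this.lastFirstParty.get(domain);
    if (last !== undefined && now - last <= THIRD_PARTY_WINDOW) {
      return { decision: 'allowed', cookies: { ...jar } };
    }
    return { decision: 'partitioned', cookies: {} }; // cookies still exist but are withheld cross-site
  }
}

// Constructed walk-through of Apple's Account.com example (timeline is made up).
function runScenario() {
  const itp = new ItpModel();
  const t0 = Date.parse('2017-06-05T09:00:00Z');
  const log = [];

  // Log in at account.com directly; the login response sets a session cookie.
  itp.firstPartyVisit('account.com', t0);
  itp.setCookie('account.com', 'session', 'abc123');

  // Three sites embed account.com's script; the third load tips it into tracker
  // status, but the last first-party visit is an hour old, so cookies still flow.
  for (const site of ['sitea.com', 'siteb.com', 'sitec.com']) {
    log.push(itp.thirdPartyRequest('account.com', site, t0 + 1 * HOUR).decision);
  }
  // 25 hours later with no first-party visit in between: cookies withheld cross-site.
  log.push(itp.thirdPartyRequest('account.com', 'siteb.com', t0 + 25 * HOUR).decision);
  // siteb.com bounces the user through account.com and back, refreshing the window.
  itp.firstPartyVisit('account.com', t0 + 25 * HOUR);
  log.push(itp.thirdPartyRequest('account.com', 'siteb.com', t0 + 25 * HOUR + 60 * 1000).decision);
  // 31 days later with no further first-party visit: everything account.com stored is gone.
  log.push(itp.thirdPartyRequest('account.com', 'sitea.com', t0 + 25 * HOUR + 31 * DAY).decision);

  return { log, dataRemains: itp.jars.has('account.com') };
}
```

Running `runScenario()` yields the sequence allowed, allowed, allowed, partitioned, allowed, purged: the first three loads pass because Account.com was visited within 24 hours, the fourth is cut off, the redirect restores access, and the 30-day sweep finally deletes the jar. A domain that never crosses the tracker threshold is never touched, which is the “limited purposes” carve-out the article describes.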
But there’s a problem. It’s only effective on the browser side.
What lies beneath
Alexander Hanff, a privacy activist, deflated the ITP bubble a bit with a post describing the limits of browser-side control of cross-site tracking. In brief, anything a third-party script or resource loaded on a web page can do, so can the first party serving the page up. Tracking code can be run in such a way that it’s handled by the domain that a user is visiting, short-circuiting the utility of blocking third-party tracking.
The first-party site can use the data it acquires and communicate server-to-server with tracking networks to associate a user with other visits. It’s not perfect, because it relies on identifying characteristics of the browser session and its network location rather than a token the browser stores, but it can be used with a high degree of accuracy. Hanff and others note that the trend toward first-party, server-side tracking isn’t new, and that Apple’s move will only accelerate it.
That’s not to say Apple shouldn’t implement ITP, Hanff says, and I agree. Not every site has the capability or the interest to host server-side tracking, so ITP can have a broad impact against casual but widespread unsophisticated tracking. Many sites incorporate analytics, ad-serving, and other tracking code without understanding the privacy implications (or even being aware there are any to think about, depending on the site). And because server-side first-party tracking is less precise than a persistent browser token, the data it yields is worth less, too. Low-hanging fruit can be picked off.
Apple will also let High Sierra’s Safari block auto-play videos, the scourge of the net. And an upcoming version of Google Chrome reportedly will block ads that don’t conform to an industry consortium’s rules for “acceptable” ads.
Hanff argues that only regulation and enforcement can make a difference, because of the server-side shift. But I believe that the extensive use of ad blockers and these upcoming Apple and Google plans mean that the air supply for borderline and unethical behavior is being cut off. This, in turn, will lead publishers to make better decisions about what to include on their pages, because the choice will be between users blocking all advertising and users tolerating ads that respect their bandwidth, time, and intelligence. ITP is another piece in this process.