CLICK TO SHARE
When Apple introduced powerful anti-tracking protections to Safari in 2017, advertisers banded together to say they were “deeply concerned” it would sabotage ad-supported content. Now, there’s new information showing that Safari users had good reason for unease as well.
Further ReadingAd industry “deeply concerned” about Safari’s new ad-tracking restrictionsKnown as Intelligent Tracking Prevention, the mechanism uses machine learning to classify which websites are allowed to use browser cookies or scripts hosted on third-party domains to track users. Classifications are based on the specific browsing patterns of each end user. Sites that end users intentionally visit are permitted to do cross-site tracking. Sites that users don’t actively visit (but are accessed through tracking scripts) are restricted, either by automatically removing the cookies they set or truncating referrer headers to include only the domain, rather than the entire URL.
A paper published on Wednesday by researchers from Google said this protection came at considerable risk to the privacy end users. Because the list of restricted sites is based on users’ individual browsing patterns, Intelligent Tracking Prevention—commonly abbreviated as ITP—introduces settings into Safari that can be modified and detected by any page on the Internet. The paper said websites have been able to use this capability for a host of attacks, including:
The Google researchers said that Apple addresses “a number of the issues” with the release in December of Safari 13.0.4 and iOS 13.3. The researchers didn’t elaborate.
Not all third-party tracking is invasive. Using Google or Facebook credentials to log in to a different site through OAuth is one example of cross-site tracking that many people find useful. The Google paper provides more details about how ITP decides which sites should be restricted. While the process is complicated, the threshold for a site being included on the restricted ITP list was when Safari detected it was used for third-party tracking by three other domains. The list is stored as registered domains. The list can only be appended, but it’s wiped clean any time a user clears the Safari browsing history.
If you don't see any comments yet, congrats! You get first comment. Be nice and have fun.
CLICK TO SHARE