Ever since mid-2017, Apple has been tackling web tracking in a big way. Various iterations of its Intelligent Tracking Prevention (ITP) technology have been introduced over the past few years in WebKit, the browser engine for Safari. ITP already protects users from tracking in various ways, but it left open a number of questions about the guidelines it uses to determine just who Apple considers a tracker, and what behavior is indicative of tracking. Last week, Apple answered these questions with its WebKit Tracking Prevention Policy, which also includes an extraordinary and newsworthy clause:
We treat circumvention of shipping anti-tracking measures with the same seriousness as exploitation of security vulnerabilities.
Treating Trackers like Hackers?
The past decade has seen companies taking product security increasingly seriously. Apple announced its own bug bounty program in 2016 with a maximum pay-out of $200,000. Yet a certain privacy nihilism has prevailed when it comes to companies brokering our personal information. Both big-name social media companies such as Facebook and little-known targeted advertisers such as Criteo have been using a wide variety of techniques to siphon our personal information, including advanced techniques such as fingerprinting and exploiting browser login managers. Until recently, privacy advocates were making precious little headway in convincing browsers to prioritize anti-tracking. This statement by Apple (inspired by a similar anti-tracking policy for Firefox introduced by Mozilla earlier in the year) sends a strong message to trackers: we have zero tolerance for attempts to extract user information without their consent. We applaud Apple for taking this strong stance for user privacy.
Intelligent Tracking Protection (ITP)
Even before ITP, Apple had been blocking 3rd party cookies and using cache partitioning to mitigate the effects of 3rd party resource cache-based tracking. ITP uses a number of novel techniques to stymie the efforts of trackers even further. For example, it expires cookies when users haven't interacted with a website for 30 days. It uses the Storage Access API which requires meaningful interaction between a user and third-party services before the service is allowed to access its first-party cookies. This means that a 3rd-party service (or a tracker) won't be able to access a stateful, cross-site, persistent identifier in the form of a cookie that they've stored on your browser unless you've actually, say, clicked on that "like" button. And without that identifier, they'll have a hard time linking your visit to `site-with-a-like-button.com` to your Facebook account. ITP most recently also expires cookies that have been set via link decoration. All this amounts to an impressive and powerful set of tracking protections for Safari users.
Striking a Balance with Developers
Apple's careful roll-out of these technologies has tried to protect users while ensuring that well-meaning web developers aren't caught in the cross-fire. This is a tricky balance to strike: many of the web technologies that enable trackers are also used by non-tracking developers to power the feature-rich web. Outright disabling of a technology such as WebRTC may limit the effectiveness of fingerprinting, but it also disables innovative services such as Google Hangouts, Jitsi Meet and WebTorrent. WebRTC is just one example - the web is replete with technologies that are being used by both good and bad actors. For this reason, it's extraordinarily difficult to remove or limit technologies that enable tracking without causing anger among developers when an application that doesn't track users stops working. Apple has taken a measured approach, introducing technologies and iteratively addressing developers’ concerns.
Diving Deep: Some Points of Interest in the Policy
In addition to defining exactly what Apple means by the term "tracking," the new policy also enumerates different forms of tracking, including the use of tracking cookies, fingerprinting, HSTS supercookies, and several other examples. The inclusion of HSTS as a tracking technology is significant. HSTS, or HTTP Strict Transport Security, is a web header that sites can use to indicate that they should only be accessed over the secure HTTPS transport layer in the future. Your browser will cache this response and ensure that future requests are not made over insecure HTTP. However, trackers can use this cache to piece together a supercookie that can identify your browser across multiple websites. Safari limits this by only respecting HSTS under certain conditions. For this reason, researchers have lately been suggesting the use of EFF's own HTTPS Everywhere, which maintains a list of HTTPS-supporting sites, as an alternative to caching HSTS headers.
Another interesting part of the policy reads:
If a party attempts to circumvent our tracking prevention methods, we may add additional restrictions without prior notice. These restrictions may apply universally; to algorithmically classified targets; or to specific parties engaging in circumvention.
Apple is reserving itself a great amount of latitude in this clause. We can speculate that this will cause companies which have a business model partially based on tracking to reconsider their practices, for fear of being blocked by Safari users universally. This may cause companies to self-police the shadier side of their revenue stream, if they value the visits of Safari users.
The policy ends with the clause
We want to see a healthy web ecosystem, with privacy by design.
We couldn’t agree more. We sincerely hope more browsers, such as Google's Chrome, adopt the tenet of "privacy by design" as well.