MMS • RSS
The latest release of Apple’s web browser, Safari 12, will provide “Intelligent Tracking Prevention” (ITP) 2.0, which aims to reduce the ability of third-parties to track web users via cookies and other methods.
The WebKit open source web browser engine is used by Safari and many other apps on macOS, iOS and Linux. The ITP function within WebKit collects statistics on web page resource loads as well as user interactions such as “taps, clicks, and text entries”. The statistics are put into buckets per top privately-controlled domain or eTLD+1, shorthand for an “effective Top Level Domain” consisting of a typical base website URL. An example of an eTLD+1 would be social.co.uk, but not sub.social.co.uk (eTLD+2) or co.uk (just eTLD). According to the WebKit blog, a machine learning model is used to classify which top privately-controlled domains have the ability to track the user cross-site, based on the collected statistics. All data collection and classification happens on-device.
Once a eTLD is classified as having the ability to track a user cross-site, several preventative measures were implemented in ITP version 1.0 and 1.1. If the user had not interacted with a site in the last 30 days, say “example.com”, the example.com website data and cookies were immediately purged and continued to be purged if new data was added. However, if the user interacted with example.com as the top domain, often referred to as a first-party domain, ITP considered it a signal that the user is interested in the website and temporarily adjusted its behavior as depicted in this timeline below:
With ITP 1.0 and 1.1., if the user had interacted with example.com in the previous 24 hours its cookies would also be available when resources from example.com are requested or embedded as a third-party. According to the WebKit blog, this allowed for “Sign in with my X account on Y” login scenarios. This meant users only have long-term persistent cookies and website data from the sites they actually interact with, and tracking data is removed proactively as they browse the web.
ITP 2.0 has removed the 24 hour cookie access window. Authenticated embeds can only get access to their first-party cookies through the Storage Access API. ITP 2.0 has also restricted third-party content to only be able to identify the user when they actually use the content, such as write a comment or play a video. This is also the point at which Safari will ask for the user’s permission (if the widget is asking for permission to see its cookies).
ITP 2.0 also has the ability to detect when a domain is used as a “first party bounce tracker,” meaning that it is never used as a third party content provider but tracks the user purely through navigational redirects. This pattern is often seen with shortened links provided by social media sites. Additional countermeasures to tracking include protection against tracker collusion, where multiple sites attempt to collude to identify a user, and origin-only referrer for domains without user interaction, which means that the referrer information is downgraded to just the page’s origin for third party requests (e.g. the referrer “https://store.example/baby/strollers/deluxe-stroller-navy-blue.html” becomes simply “https://store.example/”).