Apple's warning: Break Safari's web-tracking rules and we'll hit back

Apple posts WebKit Tracking Prevention policy, thanks Mozilla for leading the way.
Written by Liam Tung, Contributing Writer

Apple's Safari WebKit team has posted its official policy on web-tracking prevention, which it implemented in Safari's Intelligent Tracking Prevention (ITP) technology.

ITP broadly aims to limit marketers' tracking of iOS and macOS Safari users across different websites, without impeding a marketer's ability to measure the performance of their online ads.

ITP, first rolled out in 2017, originally targeted third-party cookies, but recent updates also take aim at abuse of first-party cookies.   

The document outlines what Apple considers to be tracking, different types of tracking, the types it will prevent, and how it treats any attempt to bypass its anti-tracking measures. 

The company warns it will treat efforts to circumvent its anti-tracking tech in Safari "with the same seriousness as exploitation of security vulnerabilities", with its response potentially targeted at a specific organization. 

"If a party attempts to circumvent our tracking-prevention methods, we may add additional restrictions without prior notice," the WebKit team said. 

"These restrictions may apply universally; to algorithmically classified targets; or to specific parties engaging in circumvention."


The techniques that Apple said it considers tracking include link decoration, device fingerprinting, and tracking that uses storage on a user's device, such as "cookies, DOM storage, IndexedDB, the HTTP cache and other caches, HSTS, and media keys".

The policy appears to be a shot across the bow for the likes of Google and Facebook, which use link decoration to bypass ITP, but it is also aimed at marketing companies that use shadier privacy-busting practices like browser fingerprinting.

The WebKit team said in the release of ITP 2.2 that, since introducing ITP, it had noticed unnamed social networks tracking users across sites through 'link decoration', which involves adding a 'click ID' in the URLs for all outgoing links as a substitute for an actual user ID in cross-site tracking. 

The click ID is stored in a first-party cookie but can be used by a social network to track users across multiple sites, as long as the developer of a destination site has allowed their page to import scripts from the social network. Apple says this is usually achieved by the social network offering developers a new feature to integrate.   

At the time, Apple said that "changes to third-party JavaScript embedded on websites introduced link decoration without web developers' knowledge". 
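For a site developer who wants to check whether embedded third-party JavaScript is decorating their outgoing links, the sketch below compares the link as authored with the link observed at click time and flags added parameters that look like identifiers. It is an added example, not code from Apple or WebKit; the hostnames, the `clid` parameter name and the length and entropy thresholds are all constructed assumptions.

```javascript
// Added example: audit outgoing links for link decoration.
// All hostnames, the "clid" parameter and the thresholds are constructed.

// Shannon entropy in bits per character; random identifiers score high.
function entropyPerChar(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

const MIN_LEN = 16;      // assumed: shorter values are unlikely to be IDs
const MIN_ENTROPY = 3.0; // assumed: bits/char typical of random tokens

// Compare the href the developer authored with the href observed at click
// time and list every query parameter that was added in between.
function findDecoration(pageUrl, authoredHref, observedHref) {
  const authored = new URL(authoredHref, pageUrl);
  const observed = new URL(observedHref, pageUrl);
  // Same-origin links are skipped (origin is a simplification of "site").
  if (observed.origin === new URL(pageUrl).origin) return [];
  const findings = [];
  for (const [name, value] of observed.searchParams) {
    if (authored.searchParams.getAll(name).includes(value)) continue;
    const idLike = value.length >= MIN_LEN && entropyPerChar(value) >= MIN_ENTROPY;
    findings.push({ name, value, idLike });
  }
  return findings;
}

// Return the observed link with identifier-like added parameters removed.
function stripDecoration(pageUrl, observedHref, findings) {
  const url = new URL(observedHref, pageUrl);
  for (const f of findings) if (f.idLike) url.searchParams.delete(f.name);
  return url.toString();
}

// Constructed sample: a news page linking to a shop.
const PAGE = "https://news.example/story";
const AUTHORED = "https://shop.example/item?id=42";
const OBSERVED = "https://shop.example/item?id=42&ref=home&clid=Zx81kQpL0aVt3mNs7YbR2";
const report = findDecoration(PAGE, AUTHORED, OBSERVED);
console.log(report, stripDecoration(PAGE, OBSERVED, report));
```
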

However, Apple also vows to "limit unintended impact" of its anti-tracking measures. Practices that fall into this category include "Like buttons, Google and Facebook login to third-party sites, analytics on a single website, and audience measurement". 

"We may alter tracking-prevention methods to permit certain use cases, particularly when greater strictness would harm the user experience. In other cases, we will design and implement new web technologies to re-enable these practices without reintroducing tracking capabilities," the WebKit team notes. 

Apple WebKit says the new policy document was inspired by Mozilla's Firefox anti-tracking policy in February, which ZDNet reported on in January.
