Here's how Apple's browsing privacy features will work in Safari
We spoke with Apple, and we have details.
- 2022 Eddie Award for a single article in consumer technology
Apple wants to help all you Safari users block two major web-tracking tools, even though you may have never heard of them.
At its Worldwide Developers Conference earlier this week, Apple said it would help prevent shadowy web trackers from following you from website to website as you browse on Safari, the consumer electronics giant's own web browser. It will also prevent them from tracking you between different browsing sessions, which they can do even when you're using Safari's private browsing mode.
If you're asking yourself whether web-tracking tools can really do that, the answer is yeah, they can.
With Safari's new tools, "it will be dramatically more difficult for data companies to identify and track you," said Craig Federighi, Apple's senior vice president of software engineering.
Apple's Safari browser runs on iPhones, iPads and Macs.
Apple's moves are happening against a broader backdrop of international conversations around privacy. The central questions are what the tech industry's responsibility is to protect users' information and how much we should reasonably expect companies to peer into our lives in order to show us a better ad.
Facebook brought many of these conversations front and center after it acknowledged in March that as many as 87 million user profiles had been leaked to a Trump campaign-connected political consulting group, Cambridge Analytica. Since then, it's emerged that Facebook was also sharing data with phone makers, including China's Huawei, which the US government considers a security threat.
Facebook isn't the only one tracking your data, but along with Google, it's the best-known company amassing huge amounts of your data for the purpose of targeting ads. What's more, Its tracking tools can collect information about you, whether you have an account or not, about things you do outside of Facebook's website and apps. That creates something privacy advocates call shadow profiles. That could be why Apple singled out the social networking giant on stage while demonstrating how its Safari browser will block common tracking techniques.
We spoke with Apple about these new tools and how they'll work. Here's what we learned.
Why now?
Apple's stance on privacy has always been pretty aggressive. The company's co-founder and former CEO Steve Jobs said Apple takes privacy "extremely seriously." Back in 2010, for example, he said Apple doesn't even trust app developers to get it right, which is why the company asks iPhone owners for permission to access their location information.
"We do a lot of things like that to ensure what people understand these apps are doing," Jobs said. "Privacy means people know what they're signing up for in plain English and repeatedly."
Safari was one of the first companies to block Flash by default, in part over security concerns, and the company last year rejected the ad industry's efforts to fight its "intelligent tracking prevention" features.
Now it's going a step further, sticking itself between users and two powerful forms of web tracking.
"Most people have no idea that this is happening," said Serge Egelman, director of usable security and privacy research at the International Computer Science Institute. Apple's new effort, he said, "gives users more control over how these companies collect information from them."
Third-party cookies
Cookies can do a lot of good for you. They make online shopping easier, for instance, by letting you add things to a shopping cart while surfing around, streamlining the checkout process.
They can also be used by advertisers to track you across websites. Ever notice when a toy truck you looked at on Amazon suddenly shows up as an ad on Facebook? That's thanks to cookies.
Apple isn't a fan of all this. It thinks these kinds of cookies have a big impact on your privacy, and that's why it's come up with a way to give you more control.
That doesn't just potentially stop obvious tracking like ads following you around. It also tackles a technique that tracks you when you go to outside websites that have a feature from a social network -- such as a Facebook Like button or a comment box. As Federighi said on stage on Monday, those features can track you on websites whether you click on them or not.
With its update coming in the fall, Apple will stop that data collection from happening until you interact with the third party's widget, like clicking on the Like button. Then Safari will ask whether you're comfortable sharing information with a third party like Facebook.
ITP 2.0
The way Apple's going to do all this is through a system called ITP 2.0, which stands for intelligent tracking protection service.
ITP 2.0 works in stages. First, Apple's Safari browser will detect third-party cookies that track your activity when you visit a website. Then, when it does, the system will automatically limit information about your visit.
This system will work both for cookies from those Facebook comment fields and the ones that come from companies you've probably never heard of and that don't come as part of a useful feature on a website. These are ad networks that use cookies to track browsing behavior and then place targeted advertisements on your screen.
Apple can do this because it sits between you and the website you're visiting. To display a commenting feature from a third party, for example, the website maker has to talk with Apple's Storage Access API, a software program that controls what information cookies can access. It can even delete them.
If you do want to comment on a website using your Facebook account, Safari asks to make sure you're comfortable with it. What happens is that when you click on the comment field, a popup appears asking if you want to allow the cookies to potentially track you. Once you accept, Safari won't bug you the next time you want to comment on that website.
An example of the prompt Safari will show you if you want to interact with part of a website that requires third-party cookies.
A company of Apple's size making these moves can have a significant impact on the industry. Apple sold more than 215 million iPhones in 2017 alone. Starting in the fall, each of them will have this new feature through Apple's free software updates.
Facebook declined to comment on its appearance in the Apple demo. For its part, Apple said that while it uses cookies, it doesn't use them to track users' web browsing data.
Fingerprinting your browser
Cookies aren't the only way you can be tracked, by the way. There's also a technology called fingerprinting, which is a technique to identify you based on the information your browser sends to websites when surfing around the web.
For example, using a combination of information on the fonts you have installed, what software you're using and which plug-ins your browser can run can help to identify your machine rather well.
Every time you go back to a website using that browser, virtual fingerprinting identifies you as the same person. That's helpful for a bank, for example, to detect fraud. But it's also a powerful tracking tool that works even if you've taken steps to cover your tracks, like deleting your cookies or using a private browsing window.
So Apple has an answer for that too.
Freezing out the fingerprinters
In previous years' software updates, Apple stopped websites and third parties from accessing information from your browser called the user agent string, or a series of of data that's specific to your browser. Now, Apple said it'll also control the information your browser gives out about fonts and plugins too, which will hide part of your device's digital fingerprint.
Instead, Safari will create a type of virtual camouflage by handing out the information for all users. When it comes to plugins, Apple will only share whether you're running Flash, for example.
Some fingerprinting is done to protect you and your accounts, and it's unclear how Apple's move will affect a website's ability to keep doing that. This even includes Apple's websites, which the company said will check your browser's behavior when you create a new account to make sure you're not a bot. Facebook does something similar when you're logging on, according to a blog post from Facebook product manager David Baser.
But Apple said it's willing to get in its own way to stop the kind of fingerprinting that lets websites give you a persistent identity that keeps coming back to life each time you launch your browser.
Only in Safari, only with MacOS Mojave or iOS 12
Apple's new features aren't available to every web user, and not even to every Apple user.
Apple is making these protections available on Macs running MacOS Mojave, as well as iPhones and iPads running iOS 12. Those updates are slated for release this fall, and even then Mojave won't work on computers more than seven years old.
Even if you're on a device that's capable of giving you these protections, the features are only available on the Safari browser on a Mac, iPhone or iPad. Safari by the way represents less than a quarter of the market share of browsers.
The company does have some control over how developers from other companies show you internet content on third-party apps made for iPhones and iPads, but Apple said the Safari app is currently the only place where these protections will work.
Cambridge Analytica: Everything you need to know about Facebook's data mining scandal.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.