This update takes several important steps to fight cross-site tracking and make it more safe to browse the web. First of all, it paves the way. We will report on our experiences of full third-party cookie blocking to the privacy groups in W3C to help other browsers take the leap.— John Wilander (@johnwilander)
“Cookies for cross-site resources are now blocked by default across the board. This is a significant improvement for privacy since it removes any sense of exceptions or ‘a little bit of cross-site tracking is allowed,’” Wilander notes in the announcement post on the blog for WebKit, which is Apple’s in-house browser engine that powers many of its features under the hood. Wilander notes that users might not notice a big change because ITP has been doing this more or less already. “It might seem like a bigger change than it is. But we’ve added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari.”
Apple first launched ITP within Safari nearly three years ago, where it immediately set a new bar for web privacy standards on both desktop and mobile by blocking some, but not all, cookies by default. Alongside the substantial privacy work of Mozilla’s Firefox, which also blocks third-party cookies by default as of last summer, Apple has been pioneering a machine learning approach to web tracking prevention that has made Safari one of the most widely used and secure web tools available.
In addition to blocking third-party cookies across the board and by default, Wilander says ITP now has safeguards against trackers using the very nature of tracking prevention as a way to keep tabs on users. He adds that the new feature set also ensures that websites and trackers can’t use login IDs to digitally fingerprint users who might otherwise be using tracking prevention or other privacy tools.
“Full third-party cookie blocking makes sure there’s no ITP state that can be detected through cookie blocking behavior. We’d like to again thank Google for initiating this analysis through their report,” he writes, referencing Google’s research published earlier this year on ITP that revealed the possibility of using some elements of it as a fingerprint. (Apple had to disable the Do Not Track feature in Safari in 2019 for similar reasons.) Wilander goes on to detail some other, more technical elements of the ITP update. But in general, he says Safari is again setting a new bar for web privacy that he and Apple hope other companies will follow. “Safari continues to pave the way for privacy on the web, this time as the first mainstream browser to fully block third-party cookies by default. As far as we know, only the Tor Browser has featured full third-party cookie blocking by default before Safari, but Brave just has a few exceptions left in its blocking so in practice they are in the same good place. We know Chrome wants this behavior too and they announced that they’ll be shipping it by 2022,” he writes. “We will report on our experiences of full third-party cookie blocking to the privacy groups in W3C to help other browsers take the leap.”
Siri, Privacy, and Trust