Apple is Copying Mozilla’s Anti-Tracking Policy

Posted on August 18, 2019 by Paul Thurrott in Apple Safari, Mozilla Firefox with 12 Comments

Apple has quietly revealed that it will implement an anti-tracking policy for its WebKit browser engine that’s based on Mozilla’s.

“We are publishing the WebKit Tracking Prevention Policy, covering what types of tracking WebKit will prevent when other tracking countermeasures come into play such as limiting capabilities and informed user consent, and how WebKit handles unintended impact of our tracking prevention,” Apple’s Jonathan David announced. “We’d like to thank Mozilla for their anti-tracking policy which served as inspiration for ours.”

Mozilla began offering what it calls Enhanced Tracking Protection in Firefox 63 last October. This blocked the most common form of cross-site tracking, meaning cookies and storage access from third-party trackers. This past summer, it expanded this technology into Enhanced Privacy Protection, and it’s now enabled by default for new users and will be auto-enabled for all Firefox users soon.

Basically, Apple picked the right policy to copy, and given its focus on customer privacy, this change makes a lot of sense.

“WebKit will do its best to prevent all covert tracking, and all cross-site tracking (even when it’s not covert),” Apple’s new policy reads. “If a particular tracking technique cannot be completely prevented without undue user harm, WebKit will limit the capability of using the technique … If even limiting the capability of a technique is not possible without undue user harm, WebKit will ask for the user’s informed consent to potential tracking.”

Apple says it will treat any attempt at circumventing its anti-tracking functionality with the same severity as it does the exploitation of security vulnerabilities, and that it will grant no exceptions to its tracking prevention. Should sites not behave properly because of the changes—something that happens occasionally with Firefox now as well—that’s the site’s problem, Apple says. “We will typically prioritize user benefits over preserving current website practices,” the policy explains. “We believe that that is the role of a web browser, also known as the user agent.”

This is the right approach to tracking. And a model for Google, Microsoft, and all other web browser makers to follow.


12 responses to “Apple is Copying Mozilla’s Anti-Tracking Policy”

  1. bart

    I don't have any knowledge of this topic, but how does this compare to Microsoft's efforts in Chredge?

  2. lilmoe

    The easiest, and most secure way to secure your browser against cross site tracking is by disabling 3rd party cookies from your browser settings. If you want to go the extra mile, just disable javascript for all sites but the ones you trust.

    Sites that do not offer an alternative to client side javascript/scripting, or at least a very strict content security policy where all content is served from the site itself, in the future should be marked as insecure.

    You can download duckduckgo's tracking blocker for a rating for the sites you frequent.

    • wright_is

      In reply to lilmoe:

      Disabling third party cookies only stops a small fraction of the tracking these days. JavaScript as well. They both help, but the world has moved on.

      There are hidden (and not so hidden) elements on the page (E.g. the Facebook Like button and script, invisible GIFs etc.), then there are things like the browser header string, list of add-ons, window size, operating system and hardware information, motion sensors, timing delays and lots of other things.

      Even measuring the delay to write to disk for the local database cache can be used to track you - or at least identify certain things about the browser and visitor; as the workaround for the new Chrome anonymous mode being broken within hours of release last week.

      The only real answer is to forbid connections from tracking sites. I use a mixture of a hosts file on my laptop and a Pi-Hole on my home network to block such sites.

      The hosts file re-routes known tracking sites to (unreachable), whereas the Pi-Hole acts as my local DNS server for my home network and uses several well known anti-tracking lists to provide a list of sites which are actively blocked at the DNS level.
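
Added example (not part of the comment thread): the reply above describes blocking trackers with a hosts file and with a DNS-level blocker. This Python code parses a hosts-format blocklist and shows a practical difference between the two: a hosts file matches exact names only, so an unlisted subdomain of a blocked tracker still resolves. The blocklist, the `.example` domains and the `suffix_blocks` policy are constructed assumptions for illustration; `suffix_blocks` is not a description of how Pi-hole itself matches names.

```python
import ipaddress

# Addresses commonly used as "nowhere" targets in hosts-format blocklists.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed hosts-format blocklist; all domains are placeholders.
SAMPLE_HOSTS = """\
# local entries
127.0.0.1   localhost
0.0.0.0     tracker.example   # inline comment
0.0.0.0     pixel.ads.example cdn.ads.example
192.0.2.10  intranet.example
not-an-ip   broken.example
"""

def parse_blocklist(text):
    """Return the set of hostnames that the hosts text maps to a sink address."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank or incomplete line
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # malformed address: ignore the line
        if addr not in SINK_ADDRESSES:
            continue                          # ordinary mapping, not a block entry
        for name in fields[1:]:               # one line may carry several names
            name = name.lower().rstrip(".")
            if name != "localhost":
                blocked.add(name)
    return blocked

def hosts_blocks(name, blocked):
    """hosts-file semantics: only an exact hostname match is redirected."""
    return name.lower().rstrip(".") in blocked

def suffix_blocks(name, blocked):
    """Assumed resolver-side policy: block a listed name and every subdomain."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_HOSTS)
    for host in ("tracker.example", "eu.tracker.example", "intranet.example"):
        print(host, hosts_blocks(host, bl), suffix_blocks(host, bl))
```
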

    • rosyna

      In reply to lilmoe:

      Safari was the first browser to automatically disable third-party cookies. Ad companies then circumvented the policy through redirection (making Cookies first party), so Safari got intelligent tracking prevention, which applies rules to this type of circumvention.

  3. madthinus

    This is why Mozilla is so important. They are the only company where the web and users come first.

  4. Stooks

    Safari was the first browser to prevent cross site tracking, which made a lot of advertisers unhappy. To this day Safari has the BEST audio media playing blocker. I simply do not understand why other browsers do not do this.

    • rosyna

      In reply to Stooks:

      Although Safari generally implements all the things discussed in the policy first, this is the first time there’s been an official policy that states their goals.

      (to get the WebKit policy before, you’d have to look up multiple past release notes and announcements)

  5. dontbeevil

    OMG you wrote "Apple is COPYING", that explains the Iceland ice melting

    of course it's not a Hassan article about a feature copied by Apple... it will happen only when the hell will freeze