Apple: Relax, we're not totally screwing web apps. But yes, third-party cookies are toast

Sure, we'll delete local data after seven days but there's a way to avoid that


After three years of escalating restrictions on third-party cookies to protect user privacy, Apple on Tuesday went all-in with full third-party cookie blocking.

That particular privacy-preserving step has only, to the best of our knowledge, been taken previously by the Tor browser; the Brave browser does so, too, albeit with a few exceptions for site compatibility. Google has been moving more cautiously: it aims to eliminate third-party cookies in Chrome by 2022 and shift to other tracking mechanisms.

Apple's latest iteration of its Intelligent Tracking Prevention (ITP) technology, intended to prevent companies from tracking online activities using cookie files set in a third-party context, has created the misapprehension that client-side persistent storage in web applications is no longer possible.

That's not quite true, as the iGiant clarified in a public missive on Wednesday.

With the arrival of Safari 13.1 and iOS/iPadOS 13.4, Apple's mobile and desktop browsers will delete data stored in the browser by script-writable storage. Specifically, Safari will erase IndexedDB, LocalStorage, Media keys, SessionStorage, and Service Worker registrations after seven days if the user does not interact with the associated website during this period.

This applies to other browsers on iOS too since Apple's platform rules require that all browsers use WebKit as a rendering engine.

Apple is doing so because its cookie restrictions, alongside privacy measures implemented in other browsers, have prompted ad tech companies to look for alternative ways to track people across the web. Since cookies are simply files with identifier data, marketers found they could store their tracking identifiers as database entries using various browser-based storage APIs.

After Apple's WebKit team put a seven-day expiration date on client-side cookies in February 2019, those interested in tracking internet users turned to storing identifiers in less policed parts of the browser.

"As many anticipated, third-party scripts moved to other means of first-party storage such as LocalStorage," explained John Wilander, WebKit engineer at Apple, in a memo. "If you have a look at what’s stored in the first-party space on many websites today, it’s littered with data keyed as various forms of 'tracker brand user ID.'"

And, Wilander said, these storage APIs have no way of specifying an expiration date, meaning that these cookie-equivalent identifiers persist indefinitely.
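An added example, not from Apple's memo or this article: because these storage APIs carry no expiry, a site owner can audit a snapshot of their own first-party storage for the identifier-like entries Wilander describes. The key-name pattern, UUID shape and entropy threshold are assumed heuristics, and the sample snapshot is constructed.

```javascript
// Added example: flag identifier-like entries in a first-party storage snapshot.
// All heuristics below are illustrative assumptions, not WebKit's logic.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const ID_KEY_RE = /(^|[_\-.])(uid|user_?id|visitor_?id|client_?id|device_?id)($|[_\-.])/i;
const TOKEN_RE = /^[A-Za-z0-9_\-+\/=.]{16,}$/;

// Shannon entropy in bits per character.
function entropyPerChar(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns the list of reasons an entry looks like a persistent identifier.
function looksLikeIdentifier(key, value) {
  const reasons = [];
  if (UUID_RE.test(value)) reasons.push("uuid-shaped value");
  if (ID_KEY_RE.test(key)) reasons.push("id-like key name");
  if (TOKEN_RE.test(value) && entropyPerChar(value) >= 3.5) {
    reasons.push("long high-entropy token");
  }
  return reasons;
}

// entries: [key, value] pairs, e.g. Object.entries(localStorage) in a browser.
function auditStorage(entries) {
  return entries
    .map(([key, value]) => ({ key, reasons: looksLikeIdentifier(key, String(value)) }))
    .filter((r) => r.reasons.length > 0);
}

// Constructed sample snapshot (not taken from any real site).
const SAMPLE = [
  ["theme", "dark"],
  ["cart", '{"items":[]}'],
  ["_exampletracker_uid", "3f2b8c1e-9a4d-4e7b-b1c2-5d6e7f8a9b0c"],
  ["session_blob", "Zk9xT2h3cU1yN2JWcDRkTGEzc1g="],
  ["lang", "en-GB"],
];

console.log(auditStorage(SAMPLE));
```

Flagged entries are candidates for manual review, since legitimate application tokens can match the same heuristics.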


Apple's latest ITP changes have been welcomed by privacy experts. In an email to The Register, Dr Lukasz Olejnik, an independent privacy researcher and consultant, praised the changes as a positive step that further improves privacy controls.

"It's the direction all other web browser vendors want to pursue, eventually," said Olejnik. "It was a long fight of the previous decade, but we're slowly arriving there. The big questions are how the future web architecture will look like. We should hope that Apple will want to share their experiences with the broader web community."

But some developers have complained that the automatic local data deletion will make privacy worse by forcing web apps to connect to the internet to fetch application state data and configuration data.

"Deleting all local storage (including Indexed DB, etc.) after seven days effectively blocks any future decentralized apps using the browser (client side) as a trusted replication node in a peer-to-peer network," wrote programmer Aral Balkan in a blog post. "And that’s a huge blow to the future of privacy."

In response to concerns voiced in various forums, Wilander on Wednesday added a clarification to his memo that may assuage developer concerns. While the seven-day storage window applies to Safari, it doesn't apply to all web applications.

"Web applications added to the home screen are not part of Safari and thus have their own counter of days of use," he explained in an update. "Their days of use will match actual use of the web application which resets the timer. We do not expect the first-party in such a web application to have its website data deleted.

"If your web application does experience website data deletion, please let us know since we would consider it a serious bug. It is not the intention of Intelligent Tracking Prevention to delete website data for first parties in web applications." ®
