Safari to ape Firefox, go all-in on anti-tracking
- 21 August, 2019 04:53
The WebKit project - the open-source initiative that generates code for Apple's Safari browser - quietly announced last week that it would follow in Mozilla's footsteps and quash tracking technologies designed to follow users across the web.
In a short message on Aug. 14, the WebKit team pointed to its new Tracking Prevention Policy, a document that spells out its plans in detail, including what types of tracking it will create and how it will deal with any side effects.
"We have implemented or intend to implement technical protections in WebKit to prevent all tracking practices included in this policy," the document read. "If we discover additional tracking techniques, we may expand this policy to include the new techniques and we may implement technical measures to prevent those techniques."
The policy document ticks off half a dozen types of tracking WebKit will bar or does now, including cross-site tracking and fingerprinting. Safari already blocks some cross-site tracking under its Intelligent Tracking Protection (ITP), which debuted in 2017 and was enhanced last year with the browser bundled with macOS Mojave and iOS 12; it's stingy with the information it offers sites - information that can be abused to identify a user by, for instance, recording the installed fonts and plug-ins.
The WebKit team tipped its hat to Mozilla for motivating it to put its plans digital paper. "Our policy was inspired by and derived from Mozilla's anti-tracking policy," the group wrote, linking to the Firefox maker's own guidelines.
Firefox has been on a privacy tear of late. And because of its rapid release cadence - Mozilla pushes out a new browser every six weeks or so, while Apple upgrades Safari only once during a year - its new features and functionality have received plenty of press. In June, for example, Mozilla switched on Firefox's Enhanced Tracking Protection (ETP) for new users and let current users enable it themselves. The technology, which had been in development for four years, stymied cookie-based and URL parameter-based cross-site trackers, and optionally also stopped fingerprinting.
By mimicking Mozilla, WebKit - and by extension, Apple - may hope to steal some of the anti-tracking, pro-privacy spotlight. It may not be a coincidence that both browsers - Firefox and Safari - have lost user share in the last six months; their makers likely see privacy as an edge over the leader, Google's Chrome, and thus an opportunity to attract more users.
How a browser protects users' privacy, in fact, has largely replaced older metrics, such as rendering speed, to define differences between brands. As an example of the trend, Microsoft too has pitched its reborn Edge, that browser relying on the Chromium open-source project's technologies, as a shield between the user and bad behavior on the part of sites and their advertisers.
Of the top four browsers, only Chrome has not proclaimed its anti-tracking bonafides.
But WebKit didn't simply repeat what Mozilla promised in its anti-tracking screed: The former took a much tougher line on trackers.
"We treat circumvention of shipping anti-tracking measures with the same seriousness as exploitation of security vulnerabilities," WebKit wrote. "If a party attempts to circumvent our tracking prevention methods, we may add additional restrictions without prior notice. These restrictions may apply universally; to algorithmically classified targets; or to specific parties engaging in circumvention."
In other words, WebKit will retaliate against scofflaws, maybe by holding everyone accountable for the actions of miscreants, perhaps by singling out the those who try to go around the tracking prevention.
"Equating circumvention of anti-tracking with security exploitation is unprecedented," applauded Lukasz Olejnik, an independent security and privacy researcher and consultant, in one tweet. "Overt treatment of privacy as a first-class citizen (like security) is the only direction (your move Microsoft, Google, all the rest!)," he added in another.
The policy document does not specify a timetable for adding new tracking protections or enhancing existing ones in WebKit, much less when they would migrate into Safari.