Apple published the WebKit Tracking Prevention Policy, outlining the types of tracking practices being blocked by the Safari web browser to provide users with an Internet ecosystem focused on privacy.
When the WebKit ITP feature was first implemented within the engine, the development team was able to find “popular websites with over 70 such trackers, all silently collecting data on users.”
The newly published tracking prevention policy was inspired by Mozilla’s anti-tracking policy, published on January 28, 2019. Mozilla currently uses Disconnect’s Tracking Protection list to classify the trackers that its Firefox web browser blocks from using cookies and browser storage features.
Thanks everyone who attended my talk on web privacy at #usesec19. My demos worked – yay!
By the way, we *just* announced the WebKit Tracking Prevention Policy: https://t.co/jo5MPkNAAs
— John Wilander (@johnwilander) August 14, 2019
Types of web tracking blocked by Safari
“Tracking is the collection of data regarding an individual’s identity or activity across one or more websites. Even if such data is not believed to be personally identifiable, it’s still tracking,” as per WebKit’s definition.
According to its development team, the “current anti-tracking mitigations in WebKit are applied universally to all websites, or based on algorithmic, on-device classification.”
All future WebKit patches and web standards will be reviewed in accordance with the new tracking prevention policy, while new web technologies will also be designed from the ground up with non-harmful practices in mind and without reintroducing tracking capabilities.
WebKit’s new policy lists the following known web tracking practices that the browser engine is doing its best to block:
Besides the tracking methods listed above, WebKit will also try to add mitigation measures to currently unknown techniques in its effort to protect the users’ privacy while they’re browsing the web.
For tracking techniques that WebKit will not be able to block, the browser engine will limit the sites’ capability to use the tracking method. In the event that limiting the capability “is not possible without undue user harm,” the browser will inform the users of potential tracking measures being used by the website they’re visiting.
Stance on policy exceptions and circumvention
WebKit’s policy also says that no exceptions are granted to any websites and that the tracking protection features embedded within the browsers that use it will automatically block all tracking attempts from any parties.
“Some parties might have valid uses for techniques that are also used for tracking,” the policy states. “But WebKit often has no technical means to distinguish valid uses from tracking, and doesn’t know what the parties involved will do with the collected data, either now or in the future.”
When it comes to sites implementing measures to bypass WebKit’s tracking prevention features, the development team says that it will add extra restrictions “without prior notice.” Also, “these restrictions may apply universally; to algorithmically classified targets; or to specific parties engaging in circumvention.”
The policy also explains how the WebKit browser engine will handle unintended impact stemming from current or soon-to-be-implemented tracking prevention measures.
All legitimate practices that will be affected or disrupted by WebKit’s tracking prevention features are tagged as unintended impact, with the development team potentially trying, in some cases, to “alter tracking prevention methods to permit certain use cases, particularly when greater strictness would harm the user experience.”
WebKit’s dev team will also attempt to create new web tech to re-enable some of the legitimate web practices that were accidentally disrupted.
This has already happened in at least two instances in the past, when the Storage Access API and Private Click Measurement were designed to restore site capabilities broken after blocking privacy-invasive cross-site tracking tech.