How Apple’s Intelligent Tracking Prevention works & why Google/Facebook could benefit most

Apple has announced that the next version of Safari in macOS High Sierra, coming out this fall, will include Intelligent Tracking Prevention, an initiative designed to beef up Apple’s efforts to block third-party trackers from capturing cross-site browsing data for ad targeting purposes. What has become clear the more I learn how Intelligent Tracking Prevention works is that it will give Google and Facebook an even bigger advantage over third-party ad tech players.

That’s largely the result of the 24-hour window built into Intelligent Tracking Prevention.

blog post by Apple WebKit security engineer John Wilander explains that Intelligent Tracking Prevention builds on Safari’s existing default blocking of third-party cookies and “reduces cross-site tracking by further limiting cookies and other website data.”

Intelligent Tracking Prevention collects statistics on “resource loads as well as user interactions such as taps, clicks, and text entries” and groups those statistics by top privately controlled domains. The system then determines which cookies (of any type) have the ability to track user activity across sites.

As mentioned above, there is a one-day window in which those cookies may remain available in third-party contexts. “If the user interacted with example.com [in] the last 24 hours, its cookies will be available when example.com is a third-party. This allows for ‘Sign in with my X account on Y’ login scenarios,” writes Wilander. Users can “stay logged in even if they only visit a site occasionally while restricting the use of cookies for cross-site tracking.”

After that, the cookie will be partitioned so that it can be referenced for login purposes for 30 days, but no longer for cross-site tracking. After 30 days, the cookie is purged, and Apple will continue to purge it if it tries to collect new data.

The one-day window opens a key opportunity for the web’s most popular services and the companies that control them and puts the ad tech companies with which users don’t have direct interactions at a clear disadvantage. Or as Curt Larson, VP of product at Sharethrough, put it, “It helps them [Google and Facebook] in the fact that it hurts everyone else.”

Daily visits to Google services will keep its tracking capabilities persistent. Facebook’s mobile activity largely happens in-app, so that traffic won’t be affected by the change. Those who access it through the web, and do so daily, can continue to be tracked by Facebook on Safari.

“This means users only have long-term persistent cookies and website data from the sites they actually interact with and tracking data is removed proactively as they browse the web,” Wilander explains.

The solution is aimed at plugging the loophole of using first-party cookies or other tactics to transmit data limiting tracking and skirt the third-party cookie blocking. This can analyze any cookie type.

The actual impact of Apple’s Intelligent Tracking Prevention would be more symbolic than tangible if it were going into effect on desktop only — Safari had just 5.02 percent of the desktop browser market share globally and 9.18 percent of the US market in May, according to StatCounter. However, with it running on iOS, where Safari has nearly 50 percent share in North America, it has the potential to upend behavioral targeting on the mobile web.

Earlier this month, Google announced its Chrome browser would block ads that don’t meet the standards set by the Coalition for Better Ads, of which Google is a founding member. Apple’s tactic sets it apart from Google, as it is not actually blocking ads but instead focusing on the privacy side of the equation. That’s the space Apple is clearly trying to occupy, in contrast to Google and Facebook. The irony is that they’re likely to be among the biggest beneficiaries to Apple’s latest move. That is, until the ad tech industry adapts, as many expect it will, again.

Privacy advocate Alexander Hanff said in a blog post that server-side scripts are able to gather the same information even if they are not loaded in Safari, and that while Apple’s efforts are welcome, “it is highly probable that Apple’s new approach to tracking will only accelerate a move to these server side technologies from those who have yet to use them.”