Apple shed light on its policy on cross-site tracking prevention last week and, if you read between the lines (and use a magnifying glass), it’s leaving the door slightly cracked on a potential workaround for certain tracking-related use cases.
The document, posted on Wednesday, is designed to make plain, if it wasn’t already, Apple’s intentions when it comes to tracking prevention on Safari.
WebKit, the open source browser that powers Safari, will “do its best to prevent all covert tracking, and all cross-site tracking (even when it’s not covert),” Apple wrote, and it reserves the right to expand its policy to smoke out any new tracking techniques it discovers down the line.
Over the last couple of years, Apple has refined Intelligent Tracking Prevention (ITP) in Safari, which limits both first and third parties from tracking visitors across the web. If WebKit determines a tracking practice infringes on a user’s privacy, it will block it by default.
Some ad tech vendors – like Claudio Vaccarella, founder and CEO of video ad platform HyperTV – see what’s happening on Safari as an overreach.
“There should be firm action against [companies] taking the initiative to decide what is good for users in terms of privacy,” Vaccarella said.
But Apple recognizes that implementing ITP will create collateral damage. There are certain practices on the web that Apple doesn’t intend to disrupt, “but which may be inadvertently affected” because they rely on techniques that could also be used for tracking.
This list of unintended victims includes ad measurement, like buttons and other social widgets, bot detection, fraud detection, site analytics and single sign-on across multiple websites.
When faced with what Apple calls “a tradeoff,” it’ll typically prioritize user benefits over preserving a site’s current practices. But Apple also says it “will try to limit unintended impact” and “may alter tracking prevention methods to permit certain use cases,” particularly when being a stickler about tracking could “harm the user experience.” There haven’t been any carveouts yet.
In other cases, Apple says it will create and implement new technologies to reenable these practices without reintroducing tracking capabilities, like it did in May with privacy-preserving click attribution for the web.
Although it’s “surprising” to see Apple keeping the door open for tracking in certain circumstances, said Andraz Tori, head of recommendations and data science at Outbrain, Apple isn’t softening its policy.
“This move is consistent with Apple’s previous actions, which all focused on preventing tracking exclusively, [and] which had an impact on publishers,” Tori said. “What’s new in this case is that Apple is openly acknowledging and speaking about this trade-off.”
That, however, is where the potential leeway ends.
The ad tech industry’s response to each iteration of ITP has been to craft workarounds, while Apple responds by quickly plugging the holes. In its new policy, Apple states in no uncertain terms that policy circumvention isn’t going to fly.
Safari will treat tracking technologies that try to get around its policies “with the same seriousness as exploitation of security vulnerabilities” and any party that tries to circumvent its tracking prevention methods could be slapped with additional restrictions without notice.
There will also be no exceptions to tracking prevention for specific parties.
But despite clearing up questions about its anti-tracking guidelines for the web, a big one remains hovering over Apple’s plans for the app ecosystem. In other words, what happens, said Gadi Eliashiv, CEO and co-founder of mobile marketing analytics company Singular, if Apple decides to get rid of the IDFA?
“You can maybe look at what Apple is doing on Safari as a precursor to what could happen in mobile,” Eliashiv said. “Are mobile and web on the same path in terms of privacy?”
