How Safari’s ITP 2.3 Update Is Cracking Down On Link Decoration ‘Abuses’

One more cookie workaround bites the dust, in Safari at least.

The latest iteration of Intelligent Tracking Prevention, ITP 2.3, is cracking down on localStorage and other tracking mechanisms that try and outfox ITP. The change was already in the code base, but hadn’t yet been publicized.

LocalStorage is a form of web storage that allows sites to store data directly in the browser with no expiration date. LocalStorage is sometimes lumped together with edge computing, which is a method for processing data closer to where it's created, in this case the publisher's domain within the browser.

The newer crop of second-generation data-management platforms, including Permutive, use a combination of localStorage and edge computing as an alternative to third-party cookies, and position the practice as privacy compliant, because the data doesn't leave a user's device. For this reason, Permutive claims that it's unaffected by ITP changes.

In a blog post on Monday, WebKit security and privacy engineer John Wilander explained that the primary motivation behind ITP 2.3 is to combat what WebKit considers to be the “continued abuse” of link decoration, aka adding code to a URL in order to create cookie-less identifiers.

Previously, ITP 2.2 cut the lifespan of persistent client-side cookies from seven days to 24 hours and restricted cross-site tracking via link decoration.

But WebKit engineers noticed that some trackers had responded by moving their first-party cookies to other forms of first-party website data storage to track users.

Because ITP 2.2 outlawed decorating the link of the destination page, some trackers added code to their own referrer URL to read the tracking ID on the destination page.

Under ITP 2.3, sites that do this will see all of their non-cookie website data deleted after seven days. Combined with the capped expiration of client-side cookies, this means trackers won’t be able to use link decoration combined with long-term first-party website data storage to track users.

It’s unclear if localStorage is still kosher as long as it’s not combined with link decoration.

Over the years, publishers have deployed third-party scripts on their sites that, according to Wilander, have been “repurposed to circumvent” Safari’s protections against third-party tracking.

“ITP 2.3 makes sure that third-party scripts cannot leverage the storage powers they have gained over all these websites,” Wilander wrote.

Although ITP 2.3 is “an expected next step in the arms race” between Apple and marketers, there’s actually a silver lining in this announcement, said Andraz Tori, head of recommendations and data science at Outbrain.

Because ITP 2.3 allows first-party tracking capabilities for conversions up to seven days after the click, it’s actually “much more generous” in detailing the data available to marketers, compared to Safari’s ad click attribution API proposal from a few months ago. The experimental feature, for example, proposes only reporting that a conversion happened for a user who clicked on an ad and nothing more specific than that.

“Seven days for granular conversion attribution is probably something most marketers will be able to live with,” Tori said.

Even so, the real takeaway from ITP 2.3 is that WebKit will systematically root out cookie tracking workarounds.

Also included in ITP 2.3 are updates to the storage access API, a debug mode for Safari on macOS Catalina and a note at the end encouraging the use of secure and HttpOnly cookies, which are cookies that can only be accessed via a server and not via a client script.

Intelligent Tracking Prevention (ITP) version 2.3 is included in Safari on iOS 13, the iPadOS beta and Safari 13 on macOS for Catalina, Mojave and High Sierra.

Updated 9/25 to reflect changes to the definitions of localStorage and edge computing and to the reference to Permutive.

1 Comment

  1. Jos Pamboris

    "Previously, ITP 2.2 cut the lifespan of persistent client-side cookies from seven days to 24 hours and restricted cross-site tracking via link decoration." This is not quite correct. ITP 2.2 only cuts the client-side cookie to 24 hours if both link decoration is in use, and the user has come from what the device deems to be a cross-site tracker. Otherwise the cookie will last for 7 days. So a marketer must decide what is more important when it comes to Safari-based users -web analytics based attribution for 7 days, or Facebook/DoubleClick attribution for 24 hours. Some marketers may choose to remove link decoration in order to avoid the collateral damage to their site analytics data.

    Reply

Add a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>