Apple Turns the Anti-Ad Thumbscrews With Safari Cookie Blocking

Apple’s latest salvo in the privacy war is to fully block third-party cookies in Safari. Crucially, this will be turned on by default.

Not only that, but Safari will delete any browser storage that’s not been used for seven days. But that comes with some unintended consequences.

Cloud Native Now

Such as? Such as breaking some types of serverless progressive web app (PWA). In today’s SB Blogwatch, we tread carefully.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: chart porn.

Monstrous Change

What’s the craic? Nick Statt reports—“Apple updates Safari’s anti-tracking tech with full third-party cookie blocking”:

 Safari Intelligent Tracking Prevention (ITP) [is] the privacy feature that allows the … browser to block cookies and prevent advertisers from snooping on your web habits. … Safari now blocks all third-party cookies; [so] by default, no advertiser or website is able to follow you around the internet.

Apple first launched ITP within Safari nearly three years ago. … Apple has been pioneering a machine learning approach to web tracking prevention that has made Safari one of the most … secure web tools available.

And Wesley Hilliard notes that it “comes to Safari two years ahead of Chrome”:

 ITP blocked cookies before, but left enough information for trackers to begin tracking users based on what was being blocked. With the newest update, even this type of tracking and fingerprinting is blocked. Google Chrome is expected to have full third-party cookie blocking by 2022.

Full third-party cookie blocking prevents websites from seeing information about the “global browser state” which allows them to see what websites you were signed into previously. … No telling yet how this will again affect ad firms, as even with its limitations previously, it was reported that hundreds of millions in revenue were being lost as a result

“No telling”? But NinjaMan tells:

 As someone who works for one of the big 5 holding companies, ITP had no measurable impact: Workarounds … were identified pretty quickly so no meaningful losses ever surfaced. One workaround that worked well was having advertisers drop the cookie from their site so it registered as a 1st party cookie and not a 3rd party. It took Apple a couple of releases to patch that but other methods exist.

Even blocking 3rd party cookies will have a less than expected impact because tech exists and continues to be developed for advertising to exist in a cookie-less world.

Horse’s mouth? Apple’s John Wilander blogs with absolutely no PR oversight, oh no, none whatsoever—“Full Third-Party Cookie Blocking and More”:

 Safari continues to pave the way for privacy on the web, this time as the first mainstream browser to fully block third-party cookies by default. … Brave just has a few exceptions left in its blocking [but] in practice they are in the same good place.

Full third-party cookie blocking makes sure there’s no ITP state that can be detected through cookie blocking behavior. … ITP’s classifier keeps working to detect bounce trackers, tracker collusion, and link decoration tracking.

Back in February 2019, we announced that ITP would cap the expiry of client-side cookies to seven days. … Now ITP has aligned the remaining script-writable storage forms with the existing client-side cookie restriction, deleting all of a website’s script-writable storage after seven days of Safari use without user interaction on the site.

Wait. Pause. Seven days? Aral Balkan thinks, “That’s A Bad Thing”:

 [It] effectively kills off Offline Web Apps. [It] effectively blocks any future decentralised apps using the browser (client side) as a trusted replication node in a peer-to-peer network.

If they care about your privacy, why is the Apple News app a sewer of surveillance. … If they did care about your privacy, [they’d] implement all of the privacy protections they have in Safari [and] allow content blockers like Better to protect your privacy.

Instead, what do they do? They kill offline web apps. You’d almost think they had an App Store to promote or something.

I really hope this was just a badly-thought out decision … and that it will be reversed entirely.

And Andre Alves Garzi gives us, “PWAs are hard, but now Apple made them impossible”:

 There is a huge opportunity for the creation of private client-side-only PWAs in the world but developers wanting to build such apps are in for an uphill battle against the status quo and now against Apple as well. … There is a market for PWAs that work without a backend component by storing all data for a given user at the user’s own machine.

I’m building my own feed reader. I wanted it to be a PWA so that others could benefit from it, but I wanted to do it without a backend server. I don’t want to know what you’re reading, or how much time you spend on a given blog post, I just want to offer a little feed reader.

Basically, you go on a vacation and the data is lost. This means that apps must necessarily keep the data on a server, or they risk losing it all because Apple thinks this equates to privacy.

Some readers concluded that apparently if you install the PWA to the home screen, then [this is] a non-issue. I want to remind everyone that installing to the home screen is not what makes a PWA.

So admax88q breaks the Second Commandment:

 It sounds like there’s a time bomb in Safari web views just waiting to happen. … The code path is just there, they just don’t ever expect it to be hit because the timer should reset every time the user opens the app.

I can’t wait to deploy an application where there is literally an “rm -rf” pointed at my user’s data, with a complex conditional blocking it. That makes it far to easy for a webview bug to nuke my users data.

This is shoddy engineering … a terrible idea … a disaster just waiting to happen. … You lose your emails that you wrote on the plane and didn’t get a chance to send yet.

But boss.king won’t be returning to Safari:

 Now if they could just bring back extensions … I’d happily switch back. … They relocated basically all useful extensions to the grave.

There are definitely power user extensions but extensions as a whole are not a power user feature. … Many of even the most commonly used ones aren’t there to begin with: … Enpass, Noilsi, Gmail Checker, uBlock Origin, … OneTab, SEO Minion, Streak, and some form of full-page screenshot extension.

Why would devs invest work into a platform that actively makes it hard for them to distribute their software, and even then to a small audience?

Meanwhile,  reboot246 quips thuswise:

 I much prefer chocolate chip cookies to Apple cookies. I do like Apple Newtons more than fig Newtons, though they’re not really cookies.

And Finally:

A new way to chart coronavirus cases

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Louis Briscese (public domain/a>)

Richi Jennings

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 474 posts and counting.See all posts by richi