One step forward and one step back for Apple's privacy campaign with latest Safari build

Apple recently released Safari 12.1 for iOS 12.2 and macOS 10.14.4, bringing with it both privacy improvements and an unexpected regression.

On Friday, Jonathan Davis, web technologies evangelist for Apple, highlighted a handful of feature additions, the most significant being version 2.1 of the company's Intelligent Tracking Prevention system.

"Updates to Intelligent Tracking Prevention add new restrictions to cookies, further reducing the ability of hidden third parties to track users across websites they visit," explained Davis in a blog post.

Specifically, the latest Safari caps the expiration of persistent cookies created client-side via the Document.cookie property to seven days, because lengthy cookie lifetimes lead to less privacy.

Cookies sent from a server via HTTP responses are unaffected but the change is significant enough to have marketing companies scrambling to ensure customers that Apple's privacy kick won't do that much damage.

Following discussions of Intelligent Tracking Protection enhancements by Apple's WebKit team in February, Adobe in March tried to assuage concerns among Adobe Marketing Cloud customers that Apple's tech might disrupt their analytics data gathering.

Adobe marketing manager Erin Davis said the change might inflate website visitor counts, decrease return visitor counts, limit the amount of historical visitor traffic data available, and potentially break the connection between ads and customer conversions driven by those ads if the conversion event (e.g. purchase) takes place after more than seven days.

Even as Davis insisted that Adobe "respects consumer privacy options," she offered advice on how to mitigate the impact of Safari's privacy defenses.

Other Safari improvements include support for: dark mode on websites; the Payment Request API; the VP8 codec with WebRTC; DRM via the Encrypted Media Extensions (EME) API; streaming improvements; the Intersection Observer API (for assessing the visibility of page elements); the Web Share API (for invoking native share dialogs); and a handful of other additions.

The browser that goes ping

But Safari's changes are not all for the better. Version 12.1 breaks the ability to disable an HTML tracking mechanism called ping, also referred to as hyperlink auditing. Ping in this case is an an attribute that can be set in a web link. As the name suggests, it pings the designated URL (with a POST request) when the enclosing link (which could open a different URL) gets clicked.

Ping has long raised privacy concerns, but somehow has found enough support to survive in web specifications. As was noted in a discussion of ping last year, both the WHATWG HTML and HTML 5.3 specs require user agents should make it clear to the user that clicking a hyperlink will trigger a secondary web request. But they don't do that, which represents a textbook privacy problem.

Nonetheless, ping is presently supported in the major modern browsers except Mozilla's Firefox, which dropped support in 2008 and hasn't looked back.

In a blog post earlier this week, developer Jeff Johnson observed that Safari 12.1 has lost the ability to disable the ping attribute. That used to be achievable with an obscure command line preference setting:

defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false

But not anymore. Johnson filed a bug report in January with Apple's opaque bug reporting system, known as Radar, and hasn't yet heard anything from the company.

"Despite several months notice from me, Apple shipped Safari 12.1 last week to the public with no way to disable hyperlink auditing," he said in his post.

"I hope to raise awareness about this issue, with the ultimate goal of getting hyperlink auditing disabled by default in Safari. Apple claims that Safari is supposed to protect your privacy and prevent cross-site tracking, but hyperlink auditing is a wide open door to cross-site tracking that still exists."

In an email to The Register, Johnson said he suspects the loss of the ability to disable ping is an inadvertent error. "Perhaps the hyperlink auditing preference was simply lost in the shuffle during those architectural changes," he said.

"However, it's always been a hidden preference set at the command line rather than something visible in the Safari Preferences window, which means that Apple might not have a lot of motivation to restore the preference. In short, I believe it's just a bug, but I'm not sure whether Apple will bother to fix it unless there's a big public uproar about it."

He also notes that Google has deliberately gotten rid of the ability to disable the ping attribute, ostensibly because the feature has been enabled by default for a decade. "So maybe they assumed that nobody cared about it anymore," he said, adding, "Google makes most of its revenue from advertisers, so privacy is not much of a priority for them."

The Register asked Apple for comment. We don't expect anyone to answer. ®