Apple Just Made Safari the Good Privacy Browser

The next version of Safari takes on ad-trackers more aggressively than ever.
Image may contain Craig Federighi Human Person Crowd Audience Speech Lecture Clothing and Apparel
David Paul Morris/Bloomberg/Getty Images

Apple announced a slew of new software features at its Worldwide Developers Conference on Monday, including an augmented reality upgrade and animojis that can stick out their tongues when you do. But the company's latest desktop and mobile operating systems contain a more subtle, yet more radical, innovation. The newest version of Apple's Safari browser will push back hard against the ad-tracking methods and device fingerprinting techniques that marketers and data brokers use to monitor web users as they browse. Starting with Facebook.

The next version of Safari will explicitly prompt you when a website tries to access your cookies or other data, and let you decide whether to allow it, a welcome step toward explicit choices about online tracking. Safari will also make a dent in defeating the so-called "fingerprinting" approach, in which marketers use publicly accessible information about devices—like the way they're configured, the fonts they have installed, and the plug-ins they run—to assign them an individual, trackable ID. In macOS Mojave and iOS 12, Safari will scrub much of this data, exposing only generic configuration information and default fonts. The browser will also stop supporting legacy plugins. The idea is to make your Mac indistinguishable from millions of others, muting the fingerprinting effect.

"Data companies are clever and relentless," Craig Federighi, Apple's senior vice president of software engineering, said on Monday, explaining why Apple pushed to add these features. The company calls the set of tools "Intelligent Tracking Prevention 2.0," and they feature WebKit changes, like eliminating a 24-hour grace period that gave trackers a day of cookie access.

The new version of Safari will also help improve password hygiene by offering to generate, autofill, and store strong passwords. It's a well-intentioned approach, although one that can be problematic depending on how it's deployed. The browser will now also audit password reuse to try to discourage people from using the same password for multiple services—a crucial way consumers can reduce their risk of being impacted by data breaches.

The antitracking features continue Apple's assault on ad tech; last year's Safari update prevented video and audio from autoplaying, and the then-nascent Intelligent Tracking Prevention Webkit tool worked to identify and block tracking cookies. This year's updates, though, take things a step further by significantly expanding the tracking techniques Safari can block or warn users about.

Apple's not the only company to toughen up its browser against privacy and security menaces. As with Chrome's Do Not Track mechanism, Apple seems to have based some of the new Safari protections on research from Mozilla, which offers its own protections in the Firefox browser. In February, Chrome also started offering native ad-blocking measures to bring more comprehensive protections to users based on standards from the Coalition for Better Ads. There are also browser plugins like Ghostery, Privacy Badger, and Adblock Plus to help stymie various tracking techniques. But Apple's efforts in Mojave and iOS 12 appear to be the most prominent and comprehensive yet.

Though the new privacy mechanisms will potentially hinder all sorts of tracking, Apple specifically called out Facebook's massive ad network—which is known for employing an array of user tracking strategies, like its ubiquitous "Like" buttons. In one of the slides depicting an example of how Intelligent Tracking Prevention 2.0 will work, Apple's Federighi showed a Safari page open to Facebook with a popup notification reading "Do you want to allow 'facebook.com' to use cookies and website data while browsing 'blabbermouth.net'? This will allow 'facebook.com' to track your activity."

Facebook did not immediately respond to a request from WIRED for comment, and the platform is certainly not the only large ad network incorporating these techniques. But it's a prominent player that has received extensive criticism for letting a variety of user data tracking tools run rampant. The company's chief information security officer Alex Stamos noted on Twitter that it doesn't seem like the new Safari will block tracking pixels or Javascript components, which are notorious for being exploitable as trackers or by bad actors for malicious activity.

Stamos seemed more focused on blasting Apple's attempt to single Facebook out, but it's true that this generation of Intelligent Tracking Prevention will inevitably have limitations. It's difficult to fully block online tracking methods without also eroding website usability, and different privacy initiatives have approached dealing with this conflict in different ways.

"The consent popups will be a big deal to people. It's more visual so you know that they are attempting to track you versus it just happening in the background silently," says Will Strafach, an iOS security researcher and the president of Sudo Security Group. "I guess the real test will be how well these measures work and how advertisers and trackers will react."

Google and Firefox already offer plenty of solid ad-blocking and antitracking mechanisms, and offer a host of other features that may make them more desirable than Apple's browser. But if privacy matters most to you, it might be time to give Safari a try.


More WWDC 2018 Coverage