WebKit’s new anti-tracking policy puts privacy on a par with security
WebKit, the open source engine that underpins Internet browsers including Apple's Safari browser, has announced a new tracking prevention policy that takes the strictest line yet on the background and cross-site tracking practices and technologies which are used to creep on Internet users as they go about their business online.
Trackers are technologies that are invisible to the average web user, yet which are designed to keep tabs on where they go and what they look at online - typically for ad targeting but web user profiling can have much broader implications than just creepy ads, potentially impacting the services people can access or the prices they see, and so on. Trackers can also be a conduit for hackers to inject actual malware, not just adtech.
This translates to stuff like tracking pixels; browser and device fingerprinting; and navigational tracking to name just a few of the myriad methods that have sprouted like weeds from an unregulated digital adtech industry that's poured vast resource into 'innovations' intended to strip web users of their privacy.
WebKit's new policy is essentially saying enough: Stop the creeping.
But - and here's the shift - it's also saying it's going to treat attempts to circumvent its policy as akin to malicious hack attacks to be responded to in kind; i.e. with privacy patches and fresh technical measures to prevent tracking.
"WebKit will do its best to prevent all covert tracking, and all cross-site tracking (even when it's not covert)," the organization writes (emphasis its), adding that these goals will apply to all types of tracking listed in the policy - as well as "tracking techniques currently unknown to us".
"If we discover additional tracking techniques, we may expand this policy to include the new techniques and we may implement technical measures to prevent those techniques," it adds.
"We will review WebKit patches in accordance with this policy. We will review new and existing web standards in light of this policy. And we will create new web technologies to re-enable specific non-harmful practices without reintroducing tracking capabilities."
Spelling out its approach to circumvention, it states in no uncertain terms: "We treat circumvention of shipping anti-tracking measures with the same seriousness as exploitation of security vulnerabilities," adding: "If a party attempts to circumvent our tracking prevention methods, we may add additional restrictions without prior notice. These restrictions may apply universally; to algorithmically classified targets; or to specific parties engaging in circumvention."
It also says that if a certain tracking technique cannot be completely prevented without causing knock-on effects with webpage functions the user does intend to interact with, it will "limit the capability" of using the technique" - giving examples such as "limiting the time window for tracking" and "reducing the available bits of entropy" (i.e. limiting how many unique data points are available to be used to identify a user or their behavior).
If even that's not possible "without undue user harm" it says it will "ask for the user's informed consent to potential tracking".
"We consider certain user actions, such as logging in to multiple first party websites or apps using the same account, to be implied consent to identifying the user as having the same identity in these multiple places. However, such logins should require a user action and be noticeable by the user, not be invisible or hidden," it further warns.
WebKit credits Mozilla's anti-tracking policy as inspiring and underpinning its new approach.
Commenting on the new policy, Dr Lukasz Olejnik, an independent cybersecurity advisor and research associate at the Center for Technology and Global Affairs Oxford University, says it marks a milestone in the evolution of how user privacy is treated in the browser - setting it on the same footing as security.
Equating circumvention of anti-tracking with security exploitation is unprecedented. This is exactly what we need to treat privacy as first class citizen. Enough with hand-waving. It's making technology catch up with regulations (not the other way, for once!) #ePrivacy #GDPR https://t.co/G1Dx7F2MXu
- Lukasz Olejnik (@lukOlejnik) August 15, 2019
"Treating privacy protection circumventions on par with security exploitation is a first of its kind and unprecedented move," he tells TechCrunch. "This sends a clear warning to the potential abusers but also to the users" This is much more valuable than the still typical approach of 'we treat the privacy of our users very seriously' that some still think is enough when it comes to user expectation."
Asked how he sees the policy impacting pervasive tracking, Olejnik does not predict an instant, overnight purge of unethical tracking of users of WebKit-based browsers but argues there will be less room for consent-less data-grabbers to manoeuvre.
"Some level of tracking, including with unethical technologies, will probably remain in use for the time being. But covert tracking is less and less tolerated," he says. "It's also interesting if any decisions will follow, such as for example the expansion of bug bounties to reported privacy vulnerabilities."
"How this policy will be enforced in practice will be carefully observed," he adds.
As you'd expect, he credits not just regulation but the role played by active privacy researchers in helping to draw attention and change attitudes towards privacy protection - and thus to drive change in the industry.
There's certainly no doubt that privacy research is a vital ingredient for regulation to function in such a complex area - feeding complaints that trigger scrutiny that can in turn unlock enforcement and force a change of practice.
Although that's also a process that takes time.
"The quality of cybersecurity and privacy technology policy, including its communication still leave much to desire, at least at most organisations. This will not change fast," says says Olejnik. "Even if privacy is treated at the 'C-level', this then still tends to be about the purely risk of compliance. Fortunately, some important industry players with good understanding of both technology policy and the actual technology, even the emerging ones still under active research, treat it increasingly seriously.
"We owe it to the natural flow of the privacy research output, the talent inflows, and the slowly moving strategic shifts as well to a minor degree to the regulatory pressure and public heat. This process is naturally slow and we are far from the end."
For its part, WebKit has been taking aim at trackers for several years now, adding features intended to reduce pervasive tracking - such as, back in 2017, Intelligent Tracking Prevention (ITP), which uses machine learning to squeeze cross-site tracking by putting more limits on cookies and other website data.
Apple immediately applied ITP to its desktop Safari browser - drawing predictable fast-fire from the Internet Advertising Bureau whose membership is comprised of every type of tracker deploying entity on the Internet.
But it's the creepy trackers that are looking increasingly out of step with public opinion. And, indeed, with the direction of travel of the industry.
In Europe, regulation can be credited with actively steering developments too - following last year's application of a major update to the region's comprehensive privacy framework (which finally brought the threat of enforcement that actually bites). The General Data Protection Regulation (GDPR) has also increased transparency around security breaches and data practices. And, as always, sunlight disinfects.
Although there remains the issue of abuse of consent for EU regulators to tackle - with research suggesting many regional cookie consent pop-ups currently offer users no meaningful privacy choices despite GDPR requiring consent to be specific, informed and freely given.
It also remains to be seen how the adtech industry will respond to background tracking being squeezed at the browser level. Continued aggressive lobbying to try to water down privacy protections seems inevitable - if ultimately futile. And perhaps, in Europe in the short term, there will be attempts by the adtech industry to funnel more tracking via cookie 'consent' notices that nudge or force users to accept.
As the security space underlines, humans are always the weakest link. So privacy-hostile social engineering might be the easiest way for adtech interests to keep overriding user agency and grabbing their data anyway. Stopping that will likely need regulators to step in and intervene.
Another question thrown up by WebKit's new policy is which way Chromium will jump, aka the browser engine that underpins Google's hugely popular Chrome browser.
Of course Google is an ad giant, and parent company Alphabet still makes the vast majority of its revenue from digital advertising - so it maintains a massive interest in tracking Internet users to serve targeted ads.
Yet Chromium developers did pay early attention to the problem of unethical tracking. Here, for example, are two discussing potential future work to combat tracking techniques designed to override privacy settings in a blog post from nearly five years ago.
There have also been much more recent signs Google paying attention to Chrome users' privacy, such as changes to how it handles cookies which it announced earlier this year.
What Chrome's browser changes mean for your privacy and security
But with WebKit now raising the stakes - by treating privacy as seriously as security - that puts pressure on Google to respond in kind. Or risk being seen as using its grip on browser marketshare to foot-drag on baked in privacy standards, rather than proactively working to prevent Internet users from being creeped on.