Google researchers find serious privacy risks in Safari’s anti-tracking protections

Enlarge (credit: Ben Miller)

When Apple introduced powerful anti-tracking protections to Safari in 2017, advertisers banded together to say they were "deeply concerned" it would sabotage ad-supported content. Now, there's new information showing that Safari users had good reason for unease as well.

Known as Intelligent Tracking Prevention, the mechanism uses machine learning to classify which websites are allowed to use browser cookies or scripts hosted on third-party domains to track users. Classifications are based on the specific browsing patterns of each end user. Sites that end users intentionally visit are permitted to do cross-site tracking. Sites that users don't actively visit (but are accessed through tracking scripts) are restricted, either by automatically removing the cookies they set or truncating referrer headers to include only the domain, rather than the entire URL.

A paper published on Wednesday by researchers from Google said this protection came with unintended consequences that posed a risk to the privacy end users. Because the list of restricted sites is based on users' individual browsing patterns, Intelligent Tracking Prevention-commonly abbreviated as ITP-introduces settings into Safari that can be modified and detected by any page on the Internet. The paper said websites have been able to use this capability for a host of attacks, including:

Read 8 remaining paragraphs | Comments