
Apple’s WebKit Announces Tracking Prevention Policy



Apple has published their WebKit Tracking Prevention Policy. It describes the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers. WebKit’s policy was inspired by Mozilla’s anti-tracking policy.

These practices are harmful to users because they infringe on a user’s privacy without giving users the ability to identify, understand, consent to, or control them.

WebKit’s current anti-tracking mitigations are applied universally to all websites, or based on algorithmic, on-device classification.

WebKit will do its best to prevent all covert tracking, and all cross-site tracking (even when it’s not covert). These goals apply to several types of tracking mentioned in the policy, including: cross-site tracking, stateful tracking, covert stateful tracking, navigational tracking, fingerprinting or stateless tracking, and covert tracking (which includes covert stateful tracking, fingerprinting, or other methods that are hidden from user visibility and control).

If a particular tracking technique cannot be completely prevented without undue user harm, WebKit will limit the capability of using the technique. If even limiting the capability of a technique is not possible without undue user harm, WebKit will ask for the user’s informed consent to potential tracking.

Interestingly, WebKit considers logging in to multiple first party websites or apps using the same account to be implied consent to identifying the users as having the same identity in these multiple places. WebKit believes that such logins should require a user action and be noticeable by the users, not be invisible or hidden.

WebKit is taking policy circumvention seriously. They will treat circumvention of shipping anti-tracking measures with the same seriousness as exploitation of security vulnerabilities.

There may be some unintended impact of the policy, in which certain practices are inadvertently disrupted. Some of these include:

  • Funding websites using targeted or personalized advertising
  • Measuring the effectiveness of advertising
  • “Like” buttons, federated comments, or other social widgets
  • Analytics in the scope of a single website
  • Audience measurement

WebKit is the source engine that underpins internet browsers, including Apple’s Safari browser. If I’m understanding this correctly, that means that Safari (and potentially other browsers) will have WebKit’s Tracking Prevention Policy “baked in”. I wonder if the policy will be effective enough that it will replace the use of ad blockers.