Apple is continuing its whack-a-mole war against online tracking. Since introducing the Intelligent Tracking Prevention feature within its Safari browser in 2017 to limit companies’ abilities to track people around the web, Apple has had to semi-regularly update the feature to close loopholes that companies have been able to exploit to continue tracking people.
Apple’s latest ITP update — announced on Sept. 23 and included in the latest versions of Apple’s operating systems for its computers, iPhones and iPads — seals up the limits that it had introduced in two previous updates made this year. However, ITP 2.3 could have a broader impact on websites that use certain non-cookie-based web storage tools to maintain visitors’ preferences.
“The consequences of the cross-site tracking restrictions to date have been around persistent attribution with maybe limited impact on user experience. But this now heightens that impact and is probably more noticeable as a consequence,” said Sara Stevens, vp of identity, audience and measurement at digital marketing firm Conversant.
WTF is ITP 2.3?
The latest update to Safari’s Intelligent Tracking Prevention feature, ITP 2.3 aims to eliminate a workaround that enabled companies track people on other companies’ sites without relying on cookies.
Wait. I thought the last two updates to ITP were supposed to eliminate cookie-related workarounds?
They were, and they did. Earlier this year, Apple announced ITP 2.1 to curtail companies’ abilities to use first-party cookies to track people on third-party sites. Prior to that update, when someone clicked a link from one website to another, the first website could include an identifier in the destination URL that the second website would store within a first-party cookie and pass back to the first website in order for the first website to record what the person did on the second website; this practice is called cross-site tracking via link decoration and provided a way for companies to sidestep ITP’s previous crackdown on companies using third-party cookies for cross-site tracking. With ITP 2.1, Apple would delete these first-party cookies seven days after they were installed on a browser so that they could not be used to persistently track people around the web. In April, Apple announced ITP 2.2, which cut the first-party cookies’ lifespan to one day.
Got it. So then companies found a way to track people without using cookies?
Yes. Companies have been able to use the same link decoration practice to pass identifiers from one website to another, but instead of storing the IDs within a first-party cookie, they stored it within non-cookie-based web storage mechanisms, such as local storage.
WTF is local storage?
Local storage is similar to a cookie in that websites can use local storage to record information about a person visiting their site, such as an ID, and store that information on that person’s browser in order to quickly refer to it the next time that browser visits their site. The main difference between local storage and a cookie is that local storage can be used to stash more information than a cookie, which is why some websites use local storage to preserve people’s preferences when visiting a website.
How does ITP prevent companies from using non-cookie-based web storage for cross-site tracking?
If Safari sees that a company that it classifies as a cross-site tracker has decorated the link that a person clicks to visit another website, then it will delete all the non-cookie-based website data for that website from the person’s browser after seven days in which the person has continued to use Safari but not visited the site since clicking that link.
Safari will delete all non-cookie-based website data on the second site? Is that a problem?
It could be. There’s the evergreen caveat that, as of August 2019, Safari accounted for 15% of the global browser market compared to Google’s Chrome browser’s 64% market share, according to online traffic monitor StatCounter. Furthermore, if people typically visit a site at least once a week, then it’s probably not a problem because of the seven-day stipulation. That said, for sites that are visited somewhat regularly but less frequently than weekly, ITP 2.3 could be a problem. However, that also depends on whether a website uses these web storage tools and what information the site stores within them. According to Conversant vp of platform architecture Danny Avni, it’s “fairly common” for websites to use non-cookie-based web storage to save information that sites use to maintain the user experience, such as whether a person has already filled out a survey solicited by the site or at what volume a person prefers videos to play.
So the consequences of ITP 2.3 could extend beyond how ads are targeted and measured online?
Yes. Advertising-wise, ITP 2.3 is considered by programmatic advertising experts to be a fairly minor update. “I believe it pales in comparison to the cookie-related rules rolled out previously with ITP. These changes impact publishers/sites more so than advertising efforts from my vantage point,” said Amanda Martin, vp of enterprise partnerships at Goodway Group, in an email.
If anything, ITP 2.3 could be a positive for advertisers, particularly with regard to measurement and attribution. By deleting first-party cookies after 24 hours, ITP 2.2 effectively cut the measurement and attribution window from seven days to one day. ITP 2.3 re-extends the window to seven days so long as companies use non-cookie-based web storage to stash the identifier used for measurement and attribution, said Ameet Shah, vp of publisher and technology strategy at Prohaska Consulting.
What can sites that rely on these web storage tools do about this?
They can save information on their own servers instead of within these web storage tools. However, that would require time for these sites to switch to server-side storage, including rewriting their sites’ code, and would increase sites’ back-end costs because they would be storing more data on the server, said Avni.
Are there ways other than link decoration for companies to pass data from one site to another while staying under the radar?
Yes, but it’s no longer under the radar. Instead of decorating the link by attaching the ID data to the destination site’s URL, some companies were decorating their own URLs that get passed to the destination site as a referrer. Apple has picked up on this and will only let the destination site access the top-level domain information when checking for the referrer data. That is, instead of the destination site being able to read the full URL “http://example.com?id=1234,” the site will only receive “http://example.com.”
Will companies find other workarounds that Apple will have to cordon off?