Apple updates Safari’s Intelligent Tracking Prevention to block all Third-Party Cookies
Other browser makers to block the third-party cookies
The Tor Browser was the first to implement blanket third-party cookie blocking. Although Apple only recently announced the new update to Intelligent Tracking Prevention (ITP), Safari has already been blocking many third-party cookies for a long time. Apple says it has introduced a lot of restrictions to ITP since its initial release in 2017.
Google also proposed fully blocking third-party cookies in a blog post back in 2019. The internet giant intends to implement the same in the open-source Chromium project, on which many browsers are built. It has already released Chrome v80 with third-party cookie blocking functionality. However, the feature will only be universally available in 2022. Since last summer, Mozilla Firefox has also blocked all third-party cookies by default.
Chromium-based Microsoft Edge also blocks third-party cookies, although the feature is not enabled by default.
Google also helped Apple understand how various elements of the ITP could be used for fingerprinting. By entirely blocking third-party cookies, ITP ensures that no state can be used to fingerprint the browser. This is unlike the Do Not Track (DNT) setting, whose state can either be on or off. Apple, therefore, disabled the DNT feature on Safari in 2019.
Apart from third-party tracking, Apple has also pursued a machine learning approach to curb user tracking by third parties.
ITP allows other forms of tracking
Although the ITP blocks all third-party cookies, it is important to note that other types of tracking still remain. The ITP blocks third-party monitoring that relies on planting a cookie on the users’ browsers and rechecking it across sites. However, not all third-party tracking relies on this method. User tracking that relies on browser fingerprinting will continue to take place.
How the new Apple ITP update works
The Apple ITP disables login fingerprinting. Third-party cookies are global states that allow cross-site tracking through this method. This behaviour can only be mitigated by partitioning cookies into third-party contexts. Since the global browser state is becoming the tradition, the only way to mitigate this behaviour is by blocking global cookies.
Benefits of the third-party cookies blocking
ITP improves security by eliminating the possibility of cross-site request forgery. It also eliminates the possibility of websites using third-party domains to identify users. Third-party auxiliary domains can be used even when the user deletes website data on the first-party website. Eliminating third-party cookies denies them this opportunity. Removing the reliance on third-party cookies also makes it easier for developers to achieve the same functionality using the Storage Access API, but without compromising the users’ privacy. Similarly, developers can use OAuth 2.0 Authorization to request authentication in a third-party domain.
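As an added illustration (not code from Apple or WebKit), the sketch below shows how an embedded third-party widget could ask for its own cookies through the Storage Access API mentioned above instead of relying on third-party cookies being sent by default. The function names `ensureStorageAccess` and `wireSignInButton`, the `button` element and the callbacks are hypothetical; only `hasStorageAccess()` and `requestStorageAccess()` are browser APIs.

```javascript
// Added example. Intended to run inside a cross-site iframe (the embedded widget).
// `doc` is the iframe's document; it is passed in so the logic can be
// exercised with a stub outside a browser.
async function ensureStorageAccess(doc) {
  // Browsers without the Storage Access API: nothing to request.
  if (typeof doc.hasStorageAccess !== "function" ||
      typeof doc.requestStorageAccess !== "function") {
    return "unsupported";
  }
  // Already allowed to use this origin's cookies in the embedded context.
  if (await doc.hasStorageAccess()) {
    return "granted";
  }
  try {
    // Browsers only honour this call when it results from a user gesture
    // (click or tap) inside the iframe; otherwise the promise rejects.
    await doc.requestStorageAccess();
    return "granted";
  } catch (err) {
    // The user declined the prompt, or there was no user gesture.
    return "denied";
  }
}

// Hypothetical wiring: request access only when the user clicks a visible
// control in the widget, then continue or fall back.
function wireSignInButton(doc, button, onGranted, onDenied) {
  button.addEventListener("click", async () => {
    const state = await ensureStorageAccess(doc);
    if (state === "granted") {
      onGranted();       // e.g. reload the widget with the session cookie
    } else {
      onDenied(state);   // e.g. open a first-party sign-in window instead
    }
  });
}
```

When the result is "denied" or "unsupported", the widget should fall back to a first-party flow such as the OAuth 2.0 authorization the article mentions.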
The evolution of ITP 1.0, 2.0, 2.1, and 2.2
In the first release, ITP 1.0, third-party cookies were allowed for 24 hours. They could be used as first-party cookies for 30 days. When Apple first released ITP 2.0, it blocked all third-party cookies, while first-party cookies could only remain for 30 days. Advertisers devised a workaround to circumvent Apple’s third-party blocking by storing third-party cookies as first-party cookies. Apple, therefore, released the ITP 2.0 to counter the ingenious workaround. Under this version, all client-side cookies are blocked after 7 days. In ITP 2.2, all client-side cookies are blocked after the first day if the user visits a site from a cross-site link. Similarly, the cookies are blocked after 24 hours if the final URL contained the id fragment. Both ITP 2.1 and 2.2 are included in the macOS High Sierra release.
Despite resistance by advertising companies, the era of tracking users and targeting them based on how the users interact with third-party websites is coming to an end. Apple is already in consultation with the W3C group to make the practice a standard. This development means advertisers will have to find new ways of rendering advertisements without tracking users’ behaviour across domains.