Hacker News new | past | comments | ask | show | jobs | submit login
Apple's WebKit team proposes a way ads can be measured while maintaining privacy (theregister.co.uk)
125 points by fauigerzigerk on May 25, 2019 | hide | past | favorite | 38 comments

"Once the browser has matched a conversion against a stored ad click, it sets a timer, randomized between 24 and 48 hours. When that timer fires, the browser makes an ephemeral, stateless POST request to the same well-known location."

Alternatively, once the ad fraudsters have decided to scam an advertiser using this system, their ad fraud programs make a series of POST requests to the same well-known location pretending to be copies of Safari that have seen conversions from this ad campaign. The only way to detect this fraud would be to match up actual orders with claimed conversions from a particular site, completely bypassing the intended privacy protections. (Which probably wouldn't be that hard in some circumstances, but fraudsters would of course get to target the scenarios where matching up orders is hardest.)

Like, as far as I can tell, this completely fails to provide attribution data that advertisers can trust at all because it relies totally on the honesty of software installed on end-user devices. It will also fail to provide the stated privacy level in many situations, such as when the user keeps the same unique-ish IP address for several days. The only thing it seems to achieve is good PR for Apple, who will get a bunch of stories from credulous reporters about how they're trying to improve user privacy and the evil adtech industry is thwarting them because it wants to know everything about you.

Yeah I don't think this whole proposal works at all, and shows these people have very little experience with the actual adtech industry. To me it seems like they could only get a proposal this wrong if they did not even consult a single industry expert.

Yeah let's not even mention the super low count of campaigns and conversions an advertiser can have at any given time.

Some of the advertisers we work with have pretty small budget, i.e. less than 50k/month and even them will probably max out the 64 campaigns.

I'm all for having a privacy minded advertising industry but this proposal misses the mark big time.

The way I see it, the ad industry “survived” just fine when relying only on print ads and other mechanisms that had no concept of automatically-logged impressions. Ad companies do not have an inherent right to abuse tech just because tech exists.

Ignoring the advertisers for a moment, it's obvious that companies have a legitimate interest in knowing what portion of their ad spend is reaching people who eventually become customers. If the tech evolves to the point where that metric is knowable by some means that also respects consumer privacy, then that could be a net win.

It helps that Apple doesn't rely on advertisers for the bulk of their revenue, so they can actually pursue this sort of thinking without gutting their business.

Exactly this. If the industry has found there is no way to have solid and accurate tracking while maintaining user privacy, then the answer shouldn’t be the loss of privacy, the answer should be you can’t have that level of tracking.

This number doesn't necessarily have to remain 6 bits but note that if it got up to 32 bits it would be enough to contain a unique user ID (or even a unique ID for a specific click) which removes all privacy benefits.

  this completely fails to provide 
  attribution data that 
  advertisers can trust at all 
  because it relies totally on the 
  honesty of software installed on 
  end-user devices
Is that really much different from today’s world? Don’t many of these conversion tracking systems rely on links that could easily have spoofed data sent?

Not really. It’s a lot easier to heuristically validate link clicks when you can correlate them with a massive trove of other data about the visitor, which is exactly what companies like Google do.

We've started thinking about how to prevent conversion fraud. I think conversion fraud is possible even with current tracking pixel based conversion using a headless browser that scrapes the DOM of the purchase page. I also suspect fake conversions are only useful as a way to try to mask fake clicks, so if fake clicks can be detected, it might not matter.

>Like, as far as I can tell, this completely fails to provide attribution data that advertisers can trust at all because it relies totally on the honesty of software installed on end-user devices.

Which is great for Apple, since their bread and butter is locked down devices that users can’t tamper and they can presumable do a better job of filtering bad actors.

    Traditionally, ad click attribution has been
    done through the use of cookies and
    so-called “tracking pixels.”
No. Clicks are not tracked via cookies but via urls. The search engine in their example would send the user to someshop.com/someproduct?clickid=7e82jv927x748342

They say nothing about how they want to prevent this and other tracking mechanisms. Yet, they propose an overly complex system to send even more data to advertisers.

Also they do not say anything about the ip that their additional ping will send out. I definitely do not want my browser to communicate with an advertiser days later and without my consent.

Also, click tracking is not even a big problem in the first place. Tracking you wherever you go is. Even if you do not click on any ads.

We (WebKit team) know of major ad platforms that use cookies as their preferred mechanism to track clicks, in part so that a tracking pixel can work without requiring the merchant landing and conversion pages to include script.

We are also aware of tracking via link decoration (not just for ads) and our first steps at defending against it are described here: https://webkit.org/blog/8828/intelligent-tracking-prevention...

"Google can scan users' Gmails to see what items they bought," he said. "That is why Amazon removed the list of products from order confirmation emails and require the user to click and login to Amazon to see the order details.

Does Google do that? If so, only for a limited set of email senders, or globally? Would they, for example, read email sent between doctors and patients?

Google absolutely does that: https://myaccount.google.com/purchases

They scan your email and extract what you purchased, when, for how much, and when it was delivered. It appears to be as close to universal as they can get it — they’ve extracted info from some pretty niche retailers emails on my account.

There’s no publicly viewable equivalent for scanned health info but, internally, who knows. It wouldn’t be at all surprising if some of that data went into a training set for ad targeting, at the very least.

Wow, that's eerie. And I thought I had everything disabled.

Can this be disabled?

Yes. You can disable it by switching to Fastmail or a similar email provider.


And never send email to gmail accounts, and make sure nobody ever sends you mail from gmail accounts, I presume? That’s quite unworkable.

Of course you’re right; perfect privacy is impossible.

But at least we can pick the low hanging fruit and not give our own info to Google voluntarily.

Forgive the pessimism but isn't this article rewritten every year? It's always along the lines of "ad tech company begs apple not to enable X". Doesn't really seem to be that effective as there is always something to replace the newly blocked method each time.

That would probably be why the subheading is:

> Safari tech ready to be ignored by online ad giants like all other privacy proposals

Reading this made me think "The Register?"

scrolls up

The Register.

Simple reminder that this can't prevent browser fingerprinting, making this technique useless

We've done things to make it harder fingerprint Safari users. It might still work sometimes but will be less reliable.

So... the contextual advertising is not sticking uh?

> The proposal is consistent with Apple's attempt to occupy the moral high-ground of technology by championing privacy at the expense of the surveillance capitalism embodied by Google and Facebook.

Shouldn't this be "The proposal is consistent with Apple's attempt to disrupt the largest revenue stream of their main competitor Google." If Apple actually cared about "the moral high-ground of technology' they wouldn't be so desperately fighting right to repair laws.

If right to repair really was just about user rights that would be fair enough, but it’s also about requiring bigger, heavier, more fragile and more expensive products. As a user I’m all for user rights, but I personally doubt the advantages of the government telling companies how to design their products beyond things like health, safety and environmental protection.

I don’t think users should have to worry about products being safe for example, but I think the trade off between repairability versus other desirable attributes is something best left to user choice.

There are many kinds of right to repair. One proposal would be not to make any requirements on the hardware, but just to require that software cannot disable the device or otherwise prevent third-party repairs.

So if you get the screen replaced by a third-party, it might be illegal for software to try to detect that and refuse to work or update. This doesn't make any requirement that the screen be easy to repair in the first place.

Right to repair goes beyond the physical design of the phone. It has to do with purposely misleading customers to the 3rd party options they have available that would prevent them from having to outright replace the whole device (https://www.youtube.com/watch?v=K98JYRBGyrg). And preventing the import of refurbished parts for devices they no longer support (https://www.youtube.com/watch?v=WYgdtEsl_0c)

I was wondering why you were being downvoted, as the point seems pretty valid. Privacy is as big a concern to the vast majority as right-to-repair is. I suspect that right-to-repair occupies an even smaller mindshare than privacy does these days too. Eitherway, it's all sub-par, and that's a real shame.

Then I read the article, and realised the paragraph you're partially quoting is saying the same thing:

> The proposal is consistent with Apple's attempt to occupy the moral high-ground of technology by championing privacy at the expense of the surveillance capitalism embodied by Google and Facebook. Note this is for Western iThing users only, if you're a Chinese customer privacy is just a distant dream.

Unfortunately, while The Register's entire article is written in that tone, when a comment does it, it doesn't translate quite as well.

To-may-to, to-mar-to.

Google has a million ways of tracking us anyway, this is going to be just a minor problem for them they will solve sooner or later.

Does that mean people shouldn’t try to stop it?

No, I think we should try anyway, but it will be extremely difficult to do and a lot more effort should be put in educating people about what price they pay for "free" product handing over their and others' data into the hands of a single entity.

Actually there are ways to stop Google like pi-hole for example

I wonder how many people they have working to circumvent pi-hole specifically.

How would you go about "circumventing" pi-hole? I do not allow DNS requests going towards Google's DNS servers by firewall. The only option would be to use a DoH but it is also blocked on standard ports. The only option is to use a non-Google associated IP with a non-standard port which is not worth it at the scale of Google.

As roughly zero people who would click an ad use a pihole, I'd guess roughly zero engineers are working on the problem.

Applications are open for YC Summer 2021

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact