WebKit Tracking Prevention Policy (webkit.org)
397 points by feross on Aug 14, 2019 | 245 comments

One advantage of Google's dominance and their business model being so reliant on tracking, is that it's become the moat for its competitors: investing energy into tracking protection is a good way for them to gain a competitive advantage over Google, since it's a feature that Google will not be able to copy.

So as long as Google's competitors remain in business, we'll probably at least have some alternatives that take privacy seriously.

That's a very interesting point. But tracking-free services won't really have a major mindshare with the general public because you really can't compete with "free."

And there's nothing preventing Google from leveraging Youtube/Gmail/Search to push out other browsers which have tracking protection. Youtube already plays less well with Firefox. Gmail isn't exactly snappy on Safari either.

> Youtube already plays less well with Firefox.

In most other cases I could agree there may have been nefarious intent, but as someone who's followed web components for a while I think YouTube just made a bad technology bet -- that being rewriting their front-end in Polymer v1, which was based on Web Components v0. Jumping the gun on an unratified standard is risky, and this example shows why.


Yes, competing with Google is still a main challenge. Still, Apple seems to be managing by providing the browser for free as a value-add when you buy their hardware, and by preventing other browser engines from running on iOS.

Mozilla's financial dependence on Google is still a major challenge, which they'll hopefully be able to fix before push comes to shove.

Microsoft unfortunately did not seem to be able to financially justify the maintenance of their own engine - though then again, their bet appears to be on Windows integration rather than tracking protection.

When MS prevented other browsers from working well in Windows it was slapped with antitrust. Why is it OK when Apple does it? Is it because macOS and iOS don't have the same level of OS monopoly that MS had back then?

I'm not saying it's OK when Apple does it; in fact, I've heavily criticised that in the past. I do think, however, that plays a role in Apple's ability to keep WebKit relevant, so it does have positive side-effects.

> Apple seems to be managing by providing the browser for free

Plus @icloud.com email service

> Mozilla's financial dependence on Google is still a major challenge, which they'll hopefully be able to fix

I honestly do not see how. Sticking to Safari for now.

Mozilla is looking into becoming more independent from Google by introducing paid services, such as ad-free content subscriptions using Scroll, Pocket, VPN...

Their approach relies on acquisitions (Pocket) or partnerships/experiments (Scroll).

The language used by them when referring to Google has changed quite a lot in the past year or so.

> by introducing paid services

The only ones I'd pay for are email hosting, search engine and paid clean browser app in iOS and Mac stores. Neither exists. Ahh, and paid uBlock Origin for Safari :)

But by doing so they are at risk of becoming that which they hate.

How so?

> And there's nothing preventing Google from leveraging Youtube/Gmail/Search to push out other browsers which have tracking protection.

Nothing except antitrust laws...

Yeah... maybe not, because it's profitable nonetheless.

I think Apple is pretty clearly able to "compete with free" and has shown it's possible to make great money by bundling some costs into the hardware + offering good cloud services with low-friction payments.

Actual link to the policy: https://webkit.org/tracking-prevention-policy/. One thing that I found interesting was these two quotes:

> Our current anti-tracking mitigations in WebKit are applied universally to all websites, or based on algorithmic, on-device classification.

> If a party attempts to circumvent our tracking prevention methods, we may add additional restrictions without prior notice. These restrictions may apply universally; to algorithmically classified targets; or to specific parties engaging in circumvention.

Is this trying to say that WebKit will now apply restrictions to specific parties that the project feels are circumventing tracking prevention? I'm all for these features, but only if they're applied evenly and in a clear way. The solution to circumvention should be mitigations against bypasses, not selective enforcement :/

We're willing to do specifically targeted mitigations, but only if we have to. So far, nearly everything we've done has been universal or algorithmic. The one exception I know of was to delete tracking data that had already been planted by known circumventers, at the same time as the mitigation to stop anyone else from using that particular hole (HTTPS super cookies).

This is in contrast to Mozilla and Edge tracking protections, which are based on block lists to a significant extent. The disconnect.me list is likely to be trustworthy, but ultimately it is manually curated. We've tried to stay away from using lists like that.

It’s hard to swallow but after switching from Windows to Debian to Macbook, from Android to iOS, I'm now an unwilling Apple fan.

Knowing Apple is willing to protect my privacy is one of the main reasons I stick to it and not to Android (despite the fact I love the Unix/Linux-like ecosystem) or (f@ck@ng) Windows.

Thank you for doing this work. I don’t know what effect it has on Apple as a whole but for customers like me it reinforces my loyalty to Apple.

Totally true. Thanks.

This is all good, but I'm not a fan of my browser being remotely controlled by anyone to modify any of its expected behavior to do special/specific things on different websites without my informed consent.

Even the browser vendor has to be held to the same high standard (or even higher) of being completely open and transparent about what they do and when they do it.

Your requirements are already not being met. All the major browsers self-update, employ lists of sites for special handling, and fail to ask you when those are updated.

Of course, you can disable auto-update, and then you're likely to be remote-controlled by someone you didn't choose.

You're manually curating a specifically targeted mitigation list, but it's non-public. Mozilla/Edge's approach seems preferable, not problematic.

We are not presently manually curating a specifically targeted mitigations list. Just saying we might in the future. We did do a one shot rollback of HSTS super cookie abuse in the past, but that’s it.

But it needs to be public. “Trust, but verify.”

OK, that's good feedback if we ever need targeted mitigations in the future.

Why does it NEED to be public? So the bad actors can know how they are being caught and mitigated and can circumvent again and again?

The bad actors just need to open their own website in webkit to check if they are being blocked in some way. They will always know if a particular tracking strategy they are using is not working. So there is no harm in making the list public.

The benefit of making the list public is that blocking tech is in some sense of the word censorship. The public needs to know who is being blocked to ensure transparency and to ensure that WebKit is not using their blocking technology nefariously.

Isn't WebKit open source though, including this tech?

An open-source program can easily use a closed-source blocking list. For example, the blocking list could be distributed as a list of hashes, and the program hashes the domain name to search for it in the list.

This is roughly how the Google safe browsing list for anti-phishing/malware is distributed (except with chunks and multiple levels of hashing).
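The hashed-list idea from the comment above, as an added example (not part of the thread, not WebKit's code, and not the Safe Browsing wire format). It assumes full SHA-256 digests of lowercase domain names; the function names and all domains are constructed for illustration. It also shows the transparency limit raised in this subthread: a reviewer can confirm guesses against the list but cannot enumerate it.

```python
import hashlib


def name_hash(domain):
    """SHA-256 of the normalised domain name, as the list publisher would compute it."""
    normalised = domain.lower().rstrip(".")
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def publish(domains):
    """What ships to clients: only digests, never the names themselves."""
    return frozenset(name_hash(d) for d in domains)


def lookup_names(host):
    """The host plus each parent domain, so that listing tracker.example
    also covers cdn.tracker.example. The bare top-level label is skipped."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]


def is_listed(host, published):
    """Client-side check: hash every candidate name and test set membership."""
    return any(name_hash(name) in published for name in lookup_names(host))


def audit(published, guesses):
    """Outside reviewer's view: which guessed names are on the list, and how
    many entries remain unexplained because nobody guessed them."""
    confirmed = sorted(g for g in set(guesses) if name_hash(g) in published)
    return confirmed, len(published) - len(confirmed)


if __name__ == "__main__":
    # Constructed sample list; not real data.
    shipped = publish(["tracker.example", "ads.metrics.example"])
    print(is_listed("cdn.tracker.example", shipped))   # parent domain is listed
    print(is_listed("metrics.example", shipped))       # only a subdomain is listed
    print(audit(shipped, ["tracker.example", "news.example"]))
```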

Sure but that's why I asked if the blocking tech was open source as well, but I probably didn't ask it very clearly. I couldn't tell from the linked page whether the tech (whether lists or algorithms) was closed or open, but if it's the latter wouldn't that be enough disclosure?

The linked page is primarily based on tech in the WebKit open source tree. However, some protections depend on support in underlying layers. WebKit's strategy is to use the platform-native versions of things like the network stack and font loading.

It is worth reminding that Google Chrome and Chromium no longer use WebKit but Blink.


Wow, thanks. Somehow I missed that. Things move so fast.

Google forked WebKit (itself a fork of KDE Konqueror's KHTML). Blink is from 2013. [1]

I wonder how source incompatible these are? Is it difficult to backport? Because KHTML was LGPL the source must remain available. Or is it just that these are API incompatible?


After the fork both WebKit and Blink were able to delete large amounts of no-longer-shared code. Not half the codebase, but still quite a lot. The fork was a recognition of their having been growing apart for a long time.

Both groups still watch each other's changes, but it's very rare that a patch would apply cleanly.

It is still possible to make changes that are mostly reusable for both, but it takes some effort, and some parts (JS engine, multiprocess architecture) are so different that you just have to write it twice.

Wow, it's been 6 years??? That's surprising.

Blink and you'll miss it.

A first party is a website that a user is intentionally and knowingly visiting, as displayed by the URL field of the browser, and the set of resources on the web operated by the same organization. In practice, we consider resources to belong to the same party if they are part of the same registrable domain: a public suffix plus one additional label. Example: site.example, www.site.example, and s.u.b.site.example are all the same party since site.example is their shared registrable domain.

A third party is any party that does not fall within the definition of first party above.

This policy doesn't distinguish between companies that own multiple top level domains. I understand that it may be technically hard to figure out but at the policy level are two domains owned by one company really third party to each other?

Are example.com and example.us really always different first parties? What about apple.com and iCloud.com? Or those redirect chains that happen after logging into google such that login cookies are set on youtube.com and whatnot?

It does say 'in practice' but I feel like this is mistaking a technical limitation that it's hard to know if two TLDs are controlled by the same legal entity for a policy.

We have mixed feelings about this. Most people could probably figure out that google.com and google.co.uk are owned by the same entity. And probably many people are aware that youtube.com and google.com are related. But some entities own hundreds of domain names with no clear lexical relationship. I doubt a lot of people would expect TechCrunch.com and huffpost.com to be related and would not really expect to be tracked between the two. So common ownership might not be enough to give users a reasonable expectation of a cross-site relationship.

Also, a tracking service could just ask to be CNAMEd to a random subdomain and become everybody’s “first party”, couldn’t it?

It could, but access through these various CNAMEs would not give it stateful cross-site tracking ability, since each would be a different Origin. It would be providing a hosted first-party analytics/ads/whatever service within the storage space of the first party.

Additionally, people who own the sites can use them together via methods like this, while third parties will have a more difficult time. Bravo.

This has been a feature of Adobe Analytics for over a decade. Google Analytics doesn't currently offer this as a feature, but some enterprising individuals have explored how to hack it in after ITP 2.1 was announced.

"We have mixed feelings about this."

No need.

Anyone choosing to mix and match also has the resources for some minor duplication of effort.

Or they could just do it all service side.

I think that's a problem for companies that own multiple domains and want to track users between those. Browsers shouldn't have to help with that, but rather implement the most simple and efficient way of protecting their users, as long as it doesn't make the users' life more complicated. That's what should matter: users, not companies.

How to know when unrelated domains are actually part of the same site is a hard problem. The Public-suffix List approach works okay-ish for cookies, but no one's really happy enough with it to trust for riskier features, and it doesn't help organizations with multiple names (apple.com and icloud.com, google.com and youtube.com, facebook.com and fb.com, etc). As that example list shows, at least two major browser vendors have a vested interest in making this work while preserving security.

One conversation-starter folks are discussing is https://github.com/mikewest/first-party-sets

coca-cola.dev is not owned by Coca-Cola, even if coca-cola.be, cocacola.be, cocacola.fr and coca-cola.fr are owned by Coca-Cola.

The same way with bosch.com and bosch.dev. One is a famous tools manufacturer, the other is a web developer.

It is impossible to guess the entity behind domain names by only the domain name.

Related to the way they classify between first party and third party (based on domain names, with its subdomain being the same party), the Public Suffix list [1] is a resource of great value. It allows one to know when subdomains actually refer to different parties (e.g., xxx.github.io is neither the same party as yyy.github.io nor as github.io).

[1] https://publicsuffix.org/
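The "public suffix plus one additional label" rule quoted from the policy upthread, combined with the Public Suffix List lookup this comment describes, as an added example (not part of the thread and not WebKit's code). The rule set is a small constructed subset of the PSL, and `registrable_domain` and `same_party` are hypothetical names; IP-address hosts are not handled.

```python
# Constructed subset of Public Suffix List rules; the real list is far longer.
SAMPLE_RULES = """
com
io
uk
co.uk
github.io
*.ck
!www.ck
""".split()


def parse_rules(lines):
    """Split PSL rules into exact, wildcard ('*.x') and exception ('!x') sets."""
    exact, wildcard, exception = set(), set(), set()
    for rule in lines:
        if rule.startswith("!"):
            exception.add(rule[1:])
        elif rule.startswith("*."):
            wildcard.add(rule[2:])
        else:
            exact.add(rule)
    return exact, wildcard, exception


EXACT, WILDCARD, EXCEPTION = parse_rules(SAMPLE_RULES)


def public_suffix(host):
    """Return the public suffix of host using PSL matching rules."""
    labels = host.lower().rstrip(".").split(".")
    tails = [".".join(labels[i:]) for i in range(len(labels))]  # longest first
    # An exception rule prevails over any other match; the suffix is the
    # exception rule with its leftmost label removed.
    for i, tail in enumerate(tails):
        if tail in EXCEPTION:
            return ".".join(labels[i + 1:])
    # Otherwise the matching rule with the most labels prevails.
    for i, tail in enumerate(tails):
        if tail in EXACT:
            return tail
        if i + 1 < len(labels) and tails[i + 1] in WILDCARD:
            return tail  # '*.x' matched this label plus x
    # No rule matched: the PSL default rule '*' makes the last label the suffix.
    return labels[-1]


def registrable_domain(host):
    """Public suffix plus one label, or None if host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(host).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def same_party(host_a, host_b):
    """Two hosts are the same party only if they share a registrable domain."""
    a, b = registrable_domain(host_a), registrable_domain(host_b)
    return a is not None and a == b


if __name__ == "__main__":
    for h in ("s.u.b.site.example", "foo.github.io", "github.io", "x.www.ck"):
        print(h, "->", registrable_domain(h))
```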

The public suffix list is a gross hack. The public-ness of a particular domain level ought to be returned as part of the DNS response instead of being looked up out-of-band.

I understand your point, but the problem is that anybody can make their DNS response say whatever they want. And you can't even rely on crypto signatures (e.g. DNSSEC), as the people controlling some DNS records are not necessarily the same as their users.

For example, GitHub controls DNS for *.github.io so if they wanted to track people across all GitHub Pages, they could.

Also, the Public Suffix list isn't something that needs to be polled every time. It is reasonable for browsers to cache it for several days even.

I don't think we'd in practice see people lying one way or the other about a particular name level being "public". If GitHub wants to track people across all *.github.io pages, it can, trivially. It controls the infrastructure, after all.

> If GitHub wants to track people across all *.github.io pages, it can, trivially. It controls the infrastructure, after all.

If WebKit fully implements what they're describing here then GitHub should not be able to use their control of *.github.io to track people across those pages.

quotemstr was talking about the infrastructure that they control. It's true that they can track visitors server-side if they want to.

With what WebKit describes here GitHub won't be able to tell the difference between:

A: a browser visits both foo.github.io and bar.github.io

B: one browser visits foo.github.io, another visits bar.github.io

Both should look identical to github.io, client side and server side.

(This is not the case today, but my reading of the policy is that they consider all the ways in which it is not the case to need fixing.)

What about the IP address and the other information that leaks at network levels that are lower in the stack than what the browser controls?

Many people are behind NATs and so share IPs. This can be millions of people; see Wikipedia's documentation on IP banning: https://en.wikipedia.org/wiki/Wikipedia:Blocking_IP_addresse...

What are you thinking other than IPs? Everything else should be under the browser's control.

I don't know. I just suppose that it's not that simple. It is never a good idea to assume something is safe for good. The TTL of the packet could also be used maybe?

Also, there are many people that are not behind a NAT. I've always had a public IP address at home, for example. Plus NAT may become less used because insert rant about NAT and IPv6.

Anyway, it's good that browsers do all they can to ensure privacy :).

> For example, GitHub controls DNS for *.github.io so if they wanted to track people across all GitHub Pages, they could.

The public suffix list historically has been opt-in. If you look at the (human readable) https://publicsuffix.org/list/public_suffix_list.dat you'll see:

    // GitHub, Inc.
    // Submitted by Patrick Toomey <security@github.com>

Major companies have historically wanted to list their user-content domains on the PSL because it helps protect users' cookies from other users. It's possible that this announcement changes things, but I think it mostly doesn't.

The main problem with a DNS-based system is just that you would need to get everyone to switch to it, and figure out what to do in the meantime. If ".io" or someone doesn't set the DNS flag then that's a major security issue for everyone under it.

Wow! That list is surprisingly incomplete for TLDs. I should think twice before buying strange TLDs!

I found .co.de, (co|com).cc, and .pro.aw missing after a minute of searching. Going to try to find more after work. Instead of having a nice free lunch break now I have to email some people...

Fortunately, they have an issue tracker and a documented update process: https://github.com/publicsuffix/list/wiki/Guidelines

Would "Sign In With Apple" be considered a "Privileged Third Party" if they make sure it works but break other Single Sign On providers as an "Unintended Impact"?

I'm not sure what you mean by this; WebKit Tracking Prevention doesn't break third-party login. Third-party login works by handing a token back to the first party, who then stores it directly and validates it on the backend. After the initial login with the third party, the third party isn't involved anywhere that the browser can see. And the initial login happens in a browser window that's navigated directly to the third party, making them the first party for the login form (and therefore able to access any saved login data from previous logins).

In fact, this WebKit Tracking Prevention Policy explicitly states that third-party login is implied consent for the third party to identify the user as having the same identity in these multiple places.

TBH if a browser prevents Medium from showing a Google iframe in the top-right corner with "Hi geofft, I know your name is geofft, please click the login button geofft," that would be delightful....

I’m not quite sure about this, but I think Safari will prevent cross-site tracking in this case until you interact with the thing.

If you logged into Medium with that account, then Medium would know, and could tell the iframe. But if you didn’t, then the iframe shouldn’t know your user ID unless you click and allow access, at least in Safari.

You can achieve that with Firefox containers or - if you want a bigger hammer - first-party isolation.

Sign In With Apple has the same level of access as any other OAuth-based federated login scheme. The popular login services from Facebook and Google work fine in Safari. As others have mentioned, the way they are built does not require cross site tracking.

Is there a specific list of the web features that are being restricted? I couldn't find it in the document, and to me pretty much any web feature could be used for fingerprinting. It would be good to have a roadmap for workarounds developers will need to implement to keep legitimate applications working on WebKit.

Parties that are motivated to do tracking on the web are very creative. Too creative to list every feature they could use. That said, our goal is to as much as possible remove tracking without removing capabilities for non-tracking use cases.

I appreciate the efforts, and thanks for replying. My fears are mostly for performant web apps (e.g. games, 60hz+ refresh) where timers are inexplicably inaccurate on one web engine with no documentation explaining why. I hope the restrictions are more subtle, and I understand the desire to keep them somewhat secret this early on.

The limitation on high precision timers isn't due to privacy, it's because of the Spectre/Meltdown family of attacks. We'd like to lift those restrictions, at least conditionally, and are looking into it. I appreciate the note about your use case.

(BTW requestAnimationFrame should give you precise callbacks at the screen's refresh rate, and is probably better than using timer-related APIs.)

Fundamentally Spectre is a privacy issue, just not in the tracking sense here, right - it's a side channel by which memory can be leaked.

Anyway, the reason I brought up timers is that things like getting the screen's refresh rate, or measuring how long a canvas render takes with a particular font, (etc.) are all data points that can be used in a fingerprinting profile. I worry about the negative impacts of mitigations against those kinds of measurements. I don't think it's possible to catalog all the various routes by which data could be inferred by timing. If things like this are in the scope of what WebKit is trying to prevent, I'm fairly nervous.

Off topic, but just for some game industry perspective: often we don't want to sequence exactly at the refresh rate (especially if it's variable or frames are being dropped) in contexts like logic loops or physics simulations that need to happen at specific frequencies regardless of how quickly frames are drawn. For example, synchronizing a client "tick rate" with a game server's requires millisecond precision.

Thanks for the info. For dual use technologies we are considering a machine learning approach to identifying fingerprinters (as opposed to legit clients). Also, to my knowledge, screen refresh rate is not currently a top fingerprinting vector.

As for Spectre, we treat it primarily as a security threat. It can admittedly be privacy invasive but it would be awkward to use it for tracking.

Are there plans to list new limitations and why they are being implemented?

We're working on a list of mitigations that we already have in place. We'd try to keep that updated as we add new ones. The main change here is explaining the conceptual reasoning behind our existing mitigations, and how we will decide on future privacy protections.

More explanation of the decision process is a positive in my book :)

I expect that tracking will just move to being proxied server side. It will be more annoying for the people setting it up but services will spring up to help. Little will change in the advertising and tracking space.

It's actually pretty hard to do this. You still need some way to consistently identify the same user across different sites. Stateful tracking, fingerprinting, and link decoration are the only ways we know of to do this and we have our sights set on all of them.

Isn’t link decoration an intractable problem? Ban query params and people switch to matrix params. Ban that and they subtly include it in the SEO friendly text, ban that and…

It just seems somewhat wrong that a browser with a huge market share doesn’t use any standards / rfc process and invents new ways of blocking tracking / breaking agreed upon specifications from release to release in isolation.

We have a partial mitigation and it does not involve stripping query params.

We'll be doing more stuff in standards first / in parallel now that more browsers are actively engaged in reducing tracking.

A lot of the more extreme things we'll only do for sites that we've classified as a tracker. Other browsers put identified trackers in all kinds of penalty boxes that aren't fully defined by standards yet. (We happen to do the identification using machine learning instead of a curated block list.)

I guess this is the article’s main point — putting sites on notice that no matter how much they obfuscate their cross-site linking practices, WebKit can always hard code mitigations for that site.

If social.example links to blog.example, limit cookie storage to 24 hours, no matter what is in the link.

That annoyance may be enough to keep many actors from just plugging 10 random trackers into their sites, especially when it means running code from less-than-trust-worthy parties on their own servers instead of their user machines.

At the very minimum it aligns incentives better for developers to think about these things.

And with IPv6 privacy extensions IP addresses will also be less useful for server-side tracking.

> especially when it means running code from less-than-trust-worthy parties on their own servers instead of their user machines.

But most will be OK with their servers running Google, Amazon, Oracle BlueKai and Facebook code, the scariest ones by amount of data.

"IPv6 privacy extensions...."

I recall these extensions are just optional. How many implementations actually implement these extensions? I recall Windows 10 had this broken for a year and almost nobody noticed...

They were broken in the sense that the preferred address would revert back to the permanent address. IPv6 still worked.

If the address reverts to the permanent address, then the IP can still be useful for tracking, right?

Yes, that was the issue that was fixed.

They didn't have to run the code, e.g. example.com just has to run a proxy that accepts payloads at analytics.example.com and forwards them to the third party tracking providers.

Could you elaborate on how "tracking will just move to being proxied server side" works vs what we have today? I'm genuinely curious what those services will entail. Thanks.

Just want to say thanks. I use Safari by choice and feel good about it, and this ongoing effort is part of the reason.

So what is going to happen when Apple succeeds in making it impossible to make any money off advertisements shown to iOS users on the web?

I'm currently imagining a future where publishers start to just redirect iOS traffic to install their app, where they can actually make money. Good news for the walled garden, I guess?

Didn't people make money off internet advertising before the modern surveillance-marketing complex? What happened to it?

I mean, maybe the answer is that those ads were only profitable because of the novelty factor and now that we have metrics we know they don't work, or at least don't work anywhere close to how much they cost. But I do miss things like the webcomics running their own ad network, Google's textual ads based solely on the search query, even the text ads on Read The Docs from a few years ago, etc.

Also I assume / hope that iOS ads aren't tracking people either; third-party cookies simply have no equivalent in the iOS app sandbox design. (And in-app ads tend to be abysmally targeted in my experience, at best "You're playing a mobile game? Try this other mobile game with even more in-app purchases!") So why wouldn't similarly untargeted web ads work too?

From what I can tell, the pre-surveillance norm was businesses having to find a website with an audience they wanted to advertise to, or a website finding a business that might want to market to their users, and then every website having to negotiate contracts with every business that wanted to set up ads.

Basically the print magazine model.

But as businesses wanted to advertise to larger populations (we want to do a $10million ad spend, how many little phpforums are we going to have to reach out to before spending all this money?) and websites grew larger audiences (how many companies are we going to have to reach out to before we start making a profit?) the overhead was too high.

The model now is, any company can fork over whatever budget they have to an ad network, and websites can serve as many ads as they want and everyone gets the reduced overhead of just dealing with the middle man.

So that's what I think happened.

> Basically the print magazine model.

And also TV, as it is still today. Oh, and every other form of advertising basically. If advertising without invading user privacy is so bad (as the perpetrators are rationalizing it), how come all other forms of advertising are still a billion (trillion?) dollar business worldwide? Just makes one wonder.

Broadcast TV, not Internet TV. It’s valid for broadcast antenna and cable TV, because those can’t be tracked, but it’s not valid for smart TVs, smart cable boxes, or almost all Internet TV sources — as those are all generally subject to the same level of invasive tracking using the account credentials.

You're right of course. I was indeed talking only about the old-school TV.

I think that at a minimum, we need to get back to that model. What "reducing overhead" really bought us is tracking and behavioral targeting with all its failure modes. All because companies wanted and could externalize the costs of actually curating and targeting the ads they serve themselves.

It was more profitable, especially for small sites. I used to cold email businesses and ask them if they wanted to buy a static banner on my blog, back in the 2000s. I made a few hundred a month on a site that had 30k views per month.

You're lucky to get a fraction of that now. Advertisers get a much lower cost through AdSense and a ton of metrics.

I was in similar boat as you, but I think we look at the past with rose-tinted glasses.

You forget to factor in the time you spent to build the e-mail list, write a nice e-mail and send it, and repeat that every once in a while when people cancel. And you have to track payments, see if someone's credit card runs out so they fail to renew the subscription, etc.

And let's not forget the fact that there was almost no competition - for businesses who didn't want to spend the time to research the Internet, the decision was most likely between advertising on your website or not advertising online at all.

BTW, you can still do that. I still go out, research and get people to advertise directly. I split the ad space on my website into premium and "regular" sections depending on page traffic and actual place on the page (header, footer, etc.). Premium has banners manually checked and contracted, hosted on the same domain as the rest of website's content, so no ad blocking and content very relevant to the website. The rest of space is filled with Google Ads. Premium banners earn about 5x more than Google Ads, but require that I maintain it. Google Ads just run without me having to do anything.

And all I want my browser to do is make sure that is what online advertising returns to.

> Didn't people make money off internet advertising before the modern surveillance-marketing complex? What happened to it?

Non-contextual advertising still exists, but it's perceived as less effective, so there's a lot less money in it. I don't know if that perception is correct, but I do remember back when a common complaint from people was that the ads they saw weren't relevant to them.

It's also not just targeted advertising that will be affected. Without any sort of user tracking, it will be even harder to prevent fraud. No one wants to spend money showing ads to bots.

> Also I assume / hope that iOS ads aren't tracking people either; third-party cookies simply have no equivalent in the iOS app sandbox design.

You might want to look into the Apple Advertising Identifier.

> Non-contextual advertising still exists, but it's perceived as less effective, so there's a lot less money in it. I don't know if that perception is correct, but I do remember back when a common complaint from people was that the ads they saw weren't relevant to them.

As far as I’m aware, the current state of advertising is people either being too creeped out by ad suggestions to buy anything or still feeling like they’re getting bad recommendations.

Back in May I was looking for a new apartment. Via WhatsApp I requested the agent ask the landlord to put window restrictors on the windows as they do not have window grills.

I never googled it, searched, or said anything on Facebook. Since the day after I requested this from the agent, I’ve had window restrictors and grills show up in Facebook advertising.

I find it creepy that WhatsApp is meant to be private and encrypted when clearly it’s not.

> As far as I’m aware, the current state of advertising is people either being too creeped out by ad suggestions to buy anything or still feeling like they’re getting bad recommendations.

Given the massive revenues that advertising generates, how could you think this judgement (which I'm sure accurately reflects how _you_ feel) applies universally?

There's an old saying in marketing that half of your advertising money is wasted, you just don't know which half.

It's entirely possible for most people to find advertising either useless or creepy and for significant amounts of advertising revenue to nonetheless exist. And even if ads work some small fraction of the time, they can still be genuinely profitable for the advertisers.

For me, absolutely.

> No one wants to spend money showing ads to bots

Bots can watch TV, somehow TV ads work. Newspapers have audited circulation, it wouldn’t be that hard to have a website visit audit company to verify “circulation.”

Auditing of TV and newspaper ads is done largely on the receiving side, not the sending side - companies monitor what's actually shown in the stations broadcast and papers sent to real people, they pay people to install monitoring devices to see what they watch, and they contact people to find out what they're reading. The internet equivalent isn't really possible on iOS without doing some kind of Facebook-esque end-run around Apple's walled garden and paying people to install non-Apple-approved monitoring apps - and even that would probably only work for really massive, broad advertising campaigns.

I don't know about the US, but at least here in northern Europe, on the broadcasting side, this used to be true. Now the monitoring of what people are watching is done through the set-top boxes as well as the web streams. When it comes to what commercials are being broadcast, it's usually done through logging in the software that handles the playlist (for linear TV) and then reported back to the advertisers. The advertisers probably have different systems in place to verify it as well, however.

There is less money in that advertising because the invasive advertising exists. If browsers ensured it didn’t exist, money would return for static/untargeted/context-based advertising again.

If I am reading Daring Fireball - list ad price $6500 a week for an ad at the beginning of the week and a thank you at the end of the week - doesn’t that automatically tell you something about me?

> Didn't people make money off internet advertising before the modern surveillance-marketing complex? What happened to it?

And to take the exercise one step further: "Didn't people make the internet worth being on before it was feasible to make money off of it? What happened to that?"

There is also the ongoing escalation between advertisers and fraud, creating an incentive to collect ever more data to detect ever more sophisticated forms of fraud.

How is fraud handled for TV advertising? Or print? This isn’t some weird new problem. The truth is that ad-tech wants to track you to make your profile more valuable, however, a less valuable user doesn’t mean advertising doesn’t work, it just means the bottom-feeding middlemen get a less profound payday.

Why not just flip the model from eyeballs and clicks to actual ad effectiveness? Newspaper car ads have this down to a science. They don’t count “clicks” of their newspaper ad — they see how many customers come in asking about a car in the ad.

If I have an airplane website and someone wants to advertise to people who like airplanes, I can suggest a price of $1000 and if the advertiser wants to spend the money, they do. I might charge $1000 because I have a lot of visitors or just because I want to. That’s the price I set for whatever reason I set it. If an advertiser doesn’t want to spend that, they can choose not to. If they want to measure effectiveness, they can do it by offering viewers of that ad a discount code or something. When the code is used, they know they got that customer from my ad. Once they’ve validated that their ad “works” and the acquisition cost works, then they’ll keep paying my rate — no bot influence at all. No real chance of fraud because there wouldn’t be any money in it. Publishers would actually have an incentive to sell your product because they want to justify their ad rates. No need for tracking either.

Advertising works and it can be both more effective and privacy-respecting. Ad-tech has turned vast swaths of the Internet into a cesspool. It doesn’t have to be like that.

If you are a publisher and have actual content humans care about, ditch the ad networks and start selling your pixels directly to relevant advertisers.

The problem is that the incentives for fraudsters and publishers are aligned under the current model: more clicks equals more money, the actual advertiser who is selling something gets to pay that fraud tax. Perhaps advertisers should start seeking out relevant content and offering to buy space directly, refusing to deal with “networks.” Their acquisition costs would go down, that’s for sure. Harder to scale, but so what, you have a higher yield effort for a lot less money.

> If you are a publisher and have actual content humans care about, ditch the ad networks and start selling your pixels directly to relevant advertisers.

Good luck with direct ad sales, unless you are a large company with a large ad sales team and correspondingly large budget.

John Gruber’s Daring Fireball and a few other sites seem to be doing okay without a large sales team. He is a one man company.

> Didn't people make money off internet advertising before the modern surveillance-marketing complex? What happened to it?

Yeah, the old web was in many ways better than the new web so I'd gladly lose ads and go back to the old web in the process.

There is a resettable device id (IDFA) that in-app (but not Safari based) ads can use for identification, but it doesn't seem to be as heavily utilized as cookie-ids in browsers.

AdTech bubble collapses, thousands of unviable businesses collapse, and the internet becomes a better place.

A man can dream.

It is not impossible to advertise without tracking users.

For some reason people just have an aversion to paying for stuff they use. Facebook's revenue per user is less than $7. I don't use Facebook, but I would not mind paying that little for something I use instead of getting tracked wherever I go. Similarly, Google's services that I use, like Gmail and Photos, are easily worth about $7 per month. I would pay if they said they will stop tracking me. I don't know about YouTube.

YouTube being the only one you've listed that has a premium option. The problem is people will say they'll pay but as soon as the option comes up, they don't.

Why would they if they can still not pay and get ads, which hurt less short-term (spending money can feel like losing hit points), and can be ignored either through effort or an ad blocker? Ten times more so if you still are going to show them ads.

You want people to pay, make them pay. If you worry about ad-driven competitors, then maybe this should serve as a good argument to advocate instituting regulations against funding services with ads.

Sure, but YouTube doesn't stop tracking you when you pay.

But what does that mean? YouTube keeps a history list, which I download and periodically reset. If it didn't I would need to add some sort of Firefox add-on that remembered which videos I'd seen.

What else are they "tracking"? Does YouTube have tracking on other sites (like Facebook, Twitter etc)? I haven't seen anything like that.

You can switch the history off, I presume that would work even without Premium, but it never occurred to me to even try it since I definitely want history.

Part of the answer is that YouTube algorithms optimize for engagement, not satisfaction. They don’t show me what they think I’ll like, they show me what they think I’ll keep clicking into. You can pay to subscribe, but that doesn’t change their algorithm.

if youtube isn't tracking me in malicious way, why would I pay them to stop them from tracking me?

but the error here is conflating a tool with a legal person. Google will track me no matter how much I pay them for any of their services, including YouTube.

the situation at the moment is that no-one believes that a corporation who offers a free service is going to not track you because you pay for the premium version. so (a) I'm not going to pay Google or Facebook to get the premium version since it is not going to be untracked and (b) Google and Facebook aren't going to detrack their premium services since no-one believes that's going to happen anyway - the value add is removing ads/playing with the screen off/etc not the absence of tracking.

the best you can do is pay a third party to offer you some service Google or Facebook offers for free, thereby reducing your exposure. for instance, Google surely knows the content of many emails sent to me, but not all of them, since I pay for email from another provider; or I'm strongly considering paying for a substitute for Google docs, except that I don't like unpredictable monthly USD payments.

Disclaimer: Opinions are my own etc..

I personally think a better way to sell YouTube Premium wouldn't be to focus on just the ads, yes that should be a part of it, but consumers have shown they want certain things in particular (via Patreon):

1. A way to support their favourite creators (adblock whitelisting proves people care more about creators than the downsides of ads - I do for sure)

2. A way to get exclusive content in return, or maybe just a shoutout.

Super Chat is one of the best things YouTube has ever done in this regard. It's amazing how much money flows through to creators when they do live-streams & premiere events.

A lesson can be learned from Steam's fight with piracy wrt ad-free versions. You've either got to:

1. Make it an easier sell to purchase YouTube Premium than to get AdBlock (not-likely)

2. Make a significant value-add for the premium offering "be a better service than piracy".

The problem is that YouTube's not been doing too well with option two, and they're simultaneously making their advertising products a worse sell for business customers.

I'm very interested to see how they adapt to the changing market though.

Well, for starters, now they're tracking that you are willing to pay a ransom. That's the same kind of knowledge value as spammers get when a user clicks the "unsubscribe" link in one of their emails.

I found the best method against spam is to disable download of remote images in email client. Having no viewing confirmation, spam slowly stops.

> You can switch the history off

And trust Google, Ad company, to erase it in its backend?

Tell that to Spotify, Netflix, Apple, all the other thousands of subscriptions based businesses.

People are maybe less willing to pay for something they’ve been using for free (with ads) for years.

The problem is that by doing that, you’re skimming the top percentile of your user base with the most purchasing power. You’re much less attractive to advertisers then.

The same argument could be made arguing against the launch of YouTube Premium.

YouTube has essentially monopolized video (especially being that Netflix has no adverts). YouTube knows that from that position, it’s competing only with adblockers.

Notice how the NY Times has subscriptions.

Which makes the New York Times very attractive to advertisers since they show adverts to their subscribers, meaning that they offer a pre-selected audience of people with higher purchasing power.

Google makes $21 on average per US user per month [1], almost all of which comes from advertising. Would you pay $21/mo for your Google services?

[1] https://mondaynote.com/the-arpus-of-the-big-four-dwarf-every...

I’ve bought zero products via google ads, except the case when I search for a company name and their official homepage is the top sponsored result. Which is insane.

And yet, my eyeballs looking at text with less text than a tweet is worth 21 USD. It feels like Google disrupted, but it’s far away from being optimal for companies.

Just because you've not bought something by clicking on an ad doesn't mean that the advertising has changed your purchasing habits.

...unless you are magically immune from advertising?

I saw a coke sign three hours ago outside. I’ve been surfing the net for one hour and don’t remember a single ad. I don’t use adblockers.

I’m not saying ads don’t work. I’m saying Google Ads are ready to in turn be disrupted.

Especially with bots running amok...

And now we get into magical, unprovable territory. You can't prove the ads don't work so we better continue the status quo!

$21 per user per month, on average, doesn’t imply $21 on you, every single month.

Other users react differently to that advertiser and/or you may click once every few years to bring in $1,000 advertising revenue for them on a very high-margin item.

well, I don't see Google ads so I don't know what the content is, but no-one knows that I bought a coke after seeing an ad for a coke at the train station. but it still works. the effectiveness of advertising is an empirical question.

I’d love to pay £20 a month for a search engine that had results as good as Google, didn’t track me, and behaved responsibly in encouraging a plural web.

Google optimized to help me instead of manipulate me, that would be worth probably $1k a year for me.

Contextual targeting is fairly kosher and can be genuinely useful. Let's hope changes like these make the current approach less feasible, cost-wise.

I believe Apple is doing a better job allowing monetization to continue than Google is.

They are working on ways to do anonymized personalisation/attribution/etc. The current Safari Technology Preview has something called Ad Click Attribution API, for example.

> So what is going to happen when Apple succeeds in making it impossible to make any money off advertisements shown to iOS users on the web?

Then they start offering micropayments, and iOS users are such a gigantic market, who Apple already micro-charge for Apps, and who’ll pay good money, that every publisher jumps on board immediately.

Is there no money in roadside billboards? They are not highly targeted.

Removing tracking will take some profitability off ads but eyeballs are always going to be valuable.

> I'm currently imagining a future where publishers start to just redirect iOS traffic to install their app, where they can actually make money. Good news for the walled garden, I guess?

Some might? The situation has been getting worse for the past 1-2 years, so this is just another nail in the coffin. There are different strategies here: subscriptions, micropayments, premium/free content split, <stick anything that Guardian tried to do here...>

Less creepy, and genuinely useful forms of targeting exist (e.g. contextual targeting). There's just not enough momentum in the AdTech industry to shift. These could work just fine.

In other words, what WebKit is trying to achieve is good news for us.

Publishers so far seem to have given up on the higher CPMs coming from non-targeted ad calls on Safari. Additionally, they would be more than happy to skip ads completely if a different, stable source of revenue existed. There's a bunch of startups dealing with monetising publisher content without ads (Scroll, Blendle, etc...).

I’m way past the point of caring. Five years ago maybe I’d have been bothered, but targeted advertisement installs spyware on my computer, destroys its performance, and builds a profile on me that is begging to be exploited by hackers and/or the government. May it rot in pieces and to hell with the consequences, and if advertisers are unhappy that I’ve taken such an extreme position, they should examine how their behavior drove me to this point.

From my experience, the people making these decisions are incapable of examining their behavior. When many news websites tried to go paywall a few years ago I spoke to someone who worked at one of them and I tried to be diplomatic but eventually said, why do you need 26 pieces of malware to display less than a thousand words and why is the size of any given page bigger than a Windows 3.1 install? I didn't even get a coherent response, it was basically, oh these guys in a meeting said we need to and we wanted the money so we happily signed up.

Ads without allowing tracking networks. You know, like print ads. And sites already annoy you to download their godforesaken apps. See Yelp, Reddit and Quora.

I don't know whether or when God forsook any particular mobile app, but I do know it is the preposition "for" used as a verbal prefix with a negative implication, not the word and prefix "fore" meaning in front.

Such a high dependency on tracking is, if anything, advertisers being complacent, sloppy, or generally bad at their job. You absolutely don't need all these data to advertise to people.

perhaps they can just use advertising that doesn't involve tracking

The same thing that happens as more people install ad blockers.

Yes. The walled garden of AAPL. Spend money in an app, Apple gets a cut. As it is, Google and Facebook get the revenue instead.

As an end user I’d rather have it be this way though. At least under this model I can download apps and vote with my wallet.

And if every website becomes an app because that's the only way to make money, the distributed, decentralized web dies in favor of one giant app store.

Is that what you want? Most of human culture behind app based paywalls? No more archive.org content to preserve. Micropayments everywhere?

Can you imagine the cognitive burden of continuously, always, purchasing stuff? Of the effect on the have-nots for whom deciding to pay money for commodity content vs immediate needs is a much more important decision?

Apple gets no money from in-app advertisements.

I didn't say they did. I was talking about users making in-app purchases vs no user purchase and Google/FB relying on advertising.

Most of HN don't understand that the Advertising ecosystem is what is feeding the tech boom and their livelihood. Just like housing, it is an entire ecosystem now that many people's jobs and livelihoods are based on.

Hit that ecosystem and you get a recession. However it doesn't stop at the recession. Most VCs are funding hundreds and thousands of startups with the hope that one of them is going to get sold to Google or Facebook or Amazon or any of the Advertising Cash Cow business. Dry that tap and you'll have VCs pulling money from Tech.

Now, there is glut of Programmer supply and a severe lack of investments. Not dissimilar to 2008.

That's usually called "the broken window fallacy".

A kid goes out and breaks random windows in people's home; as a result, a lot of economic activity ensues - the glass producers, the people who produce glass cutters and specialized tools, the people who install windows, the cleaners who specialize in cleaning broken glass, etc ...

The ad industry is breaking everyone's windows. It does indeed produce a lot of economic activity; But it is more likely than not "misallocation and waste of funds" when looked at in a broader context.

Broken Windows is actually not a fallacy (classic Keynesian vs Hayek argument). If the past decade has proven anything, Keynesian economic policies worked (printing money forcing people to spend) while an Austrian Austerity would have been disastrous.

Again, HN will not understand the side effects of destroying a major ecosystem. They all think they are much smarter and can stand on their own and VC money has no effect on their livelihood and it's their superior linux skills that keep them making tons of money

The past decade has proven that central banks can keep a system afloat for a decade. It remains to be seen if it proves anything else.

I think many HNers do understand this. I do and I am sad by the amount of waste it creates. The jobs in adtech are better left not done at all, and the manpower and money redirected to more socially useful jobs.

We could be working on distributed systems and analytics engines to - say - chew through all the protein mediated DNA/RNA expressions.

That would cost a few pennies in engineering skill and we might even find cures to things that might kill us or our loved ones.

But no, we’re throwing these opportunities away trying to be the next overvalued IRC skin.

Again, this is someone who doesn't understand economics

The sooner the ad nonsense stops, the sooner we can turn to finding profit in something more useful to humanity.

I came here to say exactly this. Most profits for online ventures come from retargeted ads, and most businesses lose money on cold audiences just so that they can build retargeting audiences. As a result, when tracking dies, so does most online ad spend.

I am really curious what the web itself (outside of apps) will look like in a world where the quality of content and services implodes because of the inability of publishers to generate revenue to pay for it. You may have your privacy, but you may also not have much left to do on the web. This is definitely a “be careful what you wish for” scenario.

Not to suggest offense, but I wonder how old you are? I may not quite be a greybeard just yet, but I remember being enraptured by the content on the internet long before it was caught in the stranglehold of advertisers. Big-budget affairs would be more scarce, but there would be no dearth of content.

Same here. Internet felt like a benevolent community where wonderful things flourished. Now it’s becoming a giant tracking apparatus flooded with competing addictive garbage.

I am old enough to have seen the Internet emerge. You were enraptured by content and services provided by companies that lost billions of dollars, courtesy of investors, during the dot com era. Those investors provided that capital in large part because they knew how lucrative it could be if online advertising became as efficient and effective as it is today. You will not see that kind of subsidy in the post-ad world.

I'm old enough to have seen it all, from promising start to today's degeneracy.

No one begged those companies to try to turn the Internet into a profit center, or to chew up enormous bandwidth and energy costs after being sold a foolish dream about targeting adverts.

The quality of the content was already being shared by millions of talented and thoughtful people. Because that's where the talent arises. Then your investors did for the internet what the music business did for music.

Oh, but that wasn't enough. After the ads, collecting and selling personal data to anyone came along. Regardless of millions of voices saying stop. Now the stream was not just full of trash, but flowed with multiple toxins.

A pox on all of them. I'd like to see all commercial interests limited to a very short list of TLDs. Then let's watch and see the mass migration. Let's call it 'choice'.

Can you be more specific about what sites you're referring to? As much as the dotcom bubble gets remembered by history, I personally wasn't frequenting any of the darlings of the VC world. My haunts were backwater forums hastily hand-coded in the 1999 dialect of PHP and other sites with totally ordinary text ads. These weren't billion-dollar overvalued companies, these were sites stood up in a server in someone's garage, and users made all the content. Even the biggest of the fish back then, Yahoo--fancying itself a media company--was relevant to me only because it hosted Geocities (again relying on user-generated content, and Yahoo was hardly one of the companies hemorrhaging money in this era).

> You were enraptured by content and services provided by companies that lost billions of dollars, courtesy of investors, during the dot com era.

What about the independent blogs?

Of course anyone who wanted to spend their time back then doing what we now call blogging, who wanted to pay for their own hosting, could have done so. However, I am not sure that the ability to read the thoughts of independent bloggers was a major driving force behind the mass adoption of the Internet. It was quality content and services, subsidized by investors who for the most part hoped companies could generate revenue from advertising, that drew the public to the Internet.

Yes, and the companies who are making products which are actually good own the whole ecosystem, end to end, like google and Facebook, and will be almost totally unaffected by this change or future changes.

It’s everyone else who makes click bait ad spam that will suffer; and frankly, why should we care?

Gmail isn’t going to disappear.

Kotaku or TechCrunch might... or maybe some of those spam cooking sites. ...but, seriously? The whole internet exists because of personalised tracking > big marketing spend?

Come on.

You’re vastly overstating the case here: yes, there would be some impact, no it wouldn’t really make a big difference at this point.

Maybe if you go back in time, it would, but you can’t, so it’s a moot point.

What’s important is where we want to go from here, and personalised ad tracking driving content farms of fake cooking videos isn’t really the ideal “endstate” for the internet imo.

...even if some spammy companies I don’t like end up going out of business, along with some companies I do like.

I often see this vague and unsubstantiated "quality content" mentioned in relation to this, but seeing this immediately after and counterpointed to independent, information rich blogs is even more puzzling. I see it mentioned, but I'm at a loss to what this financed quality content is.

> It was quality content and services, subsidized by investors

You're joking about the "quality content" part, right?

Quality should increase dramatically because the SEO spam networks will not have ads to make money, and the remaining sites will either have a solid subscription base or be from people sharing for the love of sharing.

The web as a knowledge disseminating medium will neither disappear nor suffer if or when the targeted ad industry wilts away. The physicists, mathematicians, programmers, computer scientists, biologists, chemists, ... of the world will still need and want to communicate and collaborate, not to mention the variety of hobbyists and people with odd but passionate interests. And they will do so freely, because this is the only way it makes sense. This is only beneficial for those who value knowledge and discussion since the interests are then actually aligned with those activities, instead of being only tangentially hitchhiked on top of something else.

What would fail is the likes of the fashion industry, such as Instagram influencers peddling Nike sneakers and cosmetics.

I think that quality services need not implode at the cost of more privacy on the web, if we collectively shift our mind to actually pay money for the services we use rather than paying in our data. But I suspect that such change will be not easy to come by.

Indeed. I think this effort to ban third-party cookies is fundamentally misguided. It'll only serve to entrench the current big advertising networks and make it difficult for new ones to emerge. Due to this market concentration, this move will reduce, not improve, privacy.

I agree. Even if subscription services exist and quality does not implode, the free services may have hidden agenda. Let's see how it goes.

I’m completely happy for the AdTech bubble to die in the same fire as 90% of free products, services (and associated jobs) on the web.

I am not caught up on browser engines, but WebKit is mostly just Safari and iOS browsers right?

WebKit is also used in a number of other places, such as GNOME Web and browsers for many consoles.

Indeed, the Gtk+ and WPE ports, as well as Sony's Windows port, are the most active after the Apple-maintained ones.

Sony's Windows Port?

Thanks to these comments today I am finally running WebKit on Windows for preliminary Safari compatibility testing purposes.

This blog[1] explains how to get Windows builds[2] from the WebKit Build Archives on S3 that require Apple Application Support[3].

[1] https://medium.com/@alSkachkov/how-to-load-the-latest-webkit...

[2] https://build.webkit.org/builders/Apple%20Win%2010%20Release...

[3] 7-zip the iTunes installer to extract & install just AppleApplicationSupport.msi https://www.apple.com/itunes/download/win64

They maintain a Windows port of WebKit as a reference implementation.

the browser in Steam client also uses webkit

No, it does not. Steam has been using Chromium Embedded Framework since 2010, so when Chromium moved to Blink (~2013), so did Steam.

My toy browser project (Alligator Browser) uses WebKit as its engine. https://archive.org/details/alligator_20190717

I only wish that with the advent of all these different anti-tracking movements, that there was a clear, documented way for "good faith actors" that require technology like localStorage.

We've worked really hard to implement an embedded experience via an iframe, but it's becoming increasingly difficult for our software to walk on egg shells as to not trigger it being labelled as a tracker (as it is definitely not, we only utilize localStorage for storing authentication details). Combine that with the fact that without using cookies, there isn't any way for us to support AMP sites, which often incorrectly labels us as a third party tracker.

edit: I do realize that the WebKit Tracking Prevention Policy essentially is a guide of how it works, I'm mostly interested in a "this is how to work within these defined walls to not be flagged as harmful"

Sounds like we need to expand WebKit's implementation of Storage Access API to cover LocalStorage.
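
An added example (not part of the thread, and not WebKit's or any commenter's code) of the flow the two comments above point toward: an embedded iframe checks `document.hasStorageAccess()` on load and calls `document.requestStorageAccess()` only from a click. It assumes the widget can keep its session in a cookie rather than localStorage, since the reply implies WebKit's Storage Access API does not cover LocalStorage; the helper names, the step labels and the stub document are hypothetical.

```javascript
// Added example. Runs inside the embedded (third-party) iframe.
// `doc` is the iframe's document, or a stub exposing the same two methods.

// Feature-detect: browsers without the API keep their existing behaviour.
function supportsStorageAccess(doc) {
  return typeof doc.hasStorageAccess === "function" &&
         typeof doc.requestStorageAccess === "function";
}

// On load there is no user gesture, so only *check* access; never request.
async function checkOnLoad(doc) {
  if (!supportsStorageAccess(doc)) return "use-existing-storage";
  const granted = await doc.hasStorageAccess();
  return granted ? "use-cookies" : "show-sign-in-button";
}

// On click: requestStorageAccess() is the first call in the handler, with
// nothing asynchronous before it, so it runs inside the user gesture.
function requestOnClick(doc) {
  return doc.requestStorageAccess().then(
    () => "use-cookies",        // granted: read the session cookie
    () => "first-party-login"   // declined (assumed fallback): sign in in a
                                // top-level window on the widget's own origin
  );
}

// Wiring: decide on load, and attach the click handler only when needed.
// `applyStep` is the widget's own (hypothetical) UI callback.
function wireEmbed(doc, button, applyStep) {
  return checkOnLoad(doc).then((step) => {
    applyStep(step);
    if (step !== "show-sign-in-button") return;
    button.addEventListener(
      "click",
      () => { requestOnClick(doc).then(applyStep); },
      { once: true }
    );
  });
}

// Constructed stub so the flow can be exercised outside a browser.
function makeStubDocument({ granted, allowRequest }) {
  let access = granted;
  return {
    hasStorageAccess: async () => access,
    requestStorageAccess: async () => {
      if (!allowRequest) throw new Error("storage access declined");
      access = true;
    },
  };
}
```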

The fact that this makes behavioural targeting even harder makes me very happy.

What makes me even more happy is that this helps to eliminate the argument stating that 3p cookies can be replaced with heuristics/non-deterministic targeting. So, instead of assigning resources to just another way of targeting users (e.g. hacks, fingerprinting) a developer/PM can already say that these approaches will be prevented in the exact same way. Any further work in this direction would be pointless.

Ideally, we'd put more focus on contextual targeting, which is arguably more useful, significantly less creepy and less dubious from the ethical point of view.

I just wish Microsoft moved in the same direction with IE. So far they've been more quiet on that subject than Google. That's wishful thinking, I know.

does anyone have insight to the webkit governance side of this? is this a case of apple fighting their ads battle against google in upstream FOSS?

Google hasn't been involved with WebKit since they forked it to create Blink.

Given the definition of cross-site tracking and the note on single-site analytics in Unintended Impacts, is it safe to say this will impact all site analytics tools served by a 3rd party (eg Google Analytics, but really almost all "drop-in" frontend analytics)?

Google analytics still works since it uses first party cookies but you lose data on repeat vs new visits.

There are ways to make GA work around these limitations, but it requires more work than just dropping it in.

Depends on whether these drop-in solutions track cross-site, and whether they strictly limit data collection to the context of the first party site.

That surveillance economy strongly reminds me of the tobacco industry. It was cool and trendy until everyone woke up and regulated it to death, as it should be. GDPR is just the beginning.

Good thing Qt ditched awful WebKit for glorious Chrome. Tracking is "mm mm!" good. It also helps make sure Google's predatory non-compliance and Google-board optimizations continue to spread through all websites.


Strange for a page espousing anti-tracking [0] to load media in from apple.com. Granted Mozilla's page [1] is even a worse offender with google-analytics and newrelic embeds.

Really makes you think what really drives the underlying narrative for such initiatives at corporates if not sabotaging competitors? OpenDNS founder, u/davidu, pointed out that DNS over HTTPS, something that takes aim at trackers and advocates privacy, also, in fact, had support of BigAdTech [2].

The content blocker ecosystem has been fighting the dragnet for a long time without expecting anything in return save for examples like Brave and Adblock. It'd be a shame to see those subject to embrace, extend, extinguish.

> And we will create new web technologies to re-enable specific non-harmful practices without reintroducing tracking capabilities.

I wonder what this means. Another standard that AdTech can rally behind? Or, Apple's way of wrestling control away from AdTech? Remember, not long ago Apple disallowed 3p browsers for a long time, on AppStore...and they are likely going to act as gate-keepers here, as well?

> we will typically prioritize user benefits over preserving current website practices. We believe that that is the role of a web browser, also known as the user agent.

Where have I heard that before? [3]

And now... what about apps on AppStore? When do we get anti-tracking measures there? Pretty soon, would be really great, because that's a present and clear danger, in my eyes, wrt privacy... but one that hurts Apple's bottom line?

[0] https://webkit.org/tracking-prevention-policy/

[1] https://wiki.mozilla.org/Security/Anti_tracking_policy

[2] https://news.ycombinator.com/item?id=18257318

[3] https://news.ycombinator.com/item?id=20542656


Safari with ITP enabled blocks cookies on those font-related resources. But because of other browsers, it's not very nice to send cookies on those resources in the first place.

Thanks for taking time to reply. You've engaged with folks in this thread admirably and that makes me think the effort at curbing prevalent tracking is genuine... just that trusting BigTech with privacy has gotten a lot more difficult over the years.

I'd wish Apple encouraged a secure plugin based ecosystem to flourish in the AppStore, so that folks could write content blockers that block apps from doing as they please [0]. I understand the security implications (for healthcare and financial apps, for instance) and the ability to get this right in face of spyware but in my own naïve way I feel this is a decisive way to signal the intent that Apple is a privacy-first company.

[0] With VPNs a lot of content can be blocked already, but that's at the network level. It'd be great to have something at the runtime level, like WebKit here is trying to do.

The App Store requires apps to obtain user consent before doing any kind of tracking and only allows one method of identifying users (advertising ID), which the user can reset whenever they feel that apps are getting too creepy with their tracking. While there have been other ways to fingerprint users, Apple has been aggressively pursuing each avenue and closing them off.

Agree. iOS has a much better story than Android.

> Apple has been aggressively pursuing each avenue and closing them off.

That is key. It is all Apple.

VPNs can be a powerful mechanism too, and you can see third party VPNs come up with solutions that are way more aggressive at blocking trackers than Apple [0]. And from what I know, Apple makes it hard for such VPN apps to flourish. Not long ago, they kicked Adguard and Malwarebytes out [1] (though they now let them back in).

[0] https://guardianapp.com/

[1] https://news.ycombinator.com/item?id=17667398

The problem with VPNs is that while they can enable privacy on a deeper level than Apple can in some cases, they also potentially pose a grave threat, as seen with Facebook’s “research” VPN which got shuttered not so long ago.

It’s a tough problem because there’s no way to verify what’s happening on the other end of the VPN during the app review process, and even if there were it’s too easy to change how the VPN operates to pass review and then flip it back afterwards.

If this tweet is accurate, Apple's choices here are pretty hard to explain as anything but "leverage / abuse mobile phone monopoly to kneecap competitors", especially because nowhere in this document does it actually describe how this makes users' lives better in any concrete, specific way


> Google Analytics

Website analytics should not rely on cross-site tracking. Breaking any cross-site tracking ability of GA is unambiguously good for users.

> Google Ads conversion tracking

Apple already proposed a mechanism of privacy-protecting click attribution. If Google doesn't want to use that, it's because they don't respect your privacy. Again, unambiguously good for users.

> Using same login across different sites like Gmail & YouTube

The only way this is "broken" that I can see is the user has to log in separately to each site. Which seems fine to me. In fact, this is a good thing; just because I log into Gmail with one account doesn't mean that's what I want to use for YouTube.

I don't disagree with your note on cross-site analytics (though there are some in my mind valid use cases, such as tracking conversions when the payment process occurs on a separate domain), but the tracking policy is fairly vague as to the impact on single-site.

Our goal is not to break single-site analytics, and if it gets affected as an unintended consequence, we will try to come up with alternate solutions.

Noted--thanks for the reply, both here and to my other comment.

Also I thought that the way Google solves the shared login problem is that completing the login process on accounts.google.com redirects you to YouTube briefly (as a top-level navigation), which sets a first-party cookie for itself and sends you back to Google.

From the policy:

> Interactions with other parties are considered third-party, even if the user is transiently informed in context (for example, in the form of a redirect). Merely hovering over, muting, pausing, or closing a given piece of content does not constitute an intention to interact.

> Navigational tracking is tracking through information controlled by the source of a top-level navigation or a subresource load, transferred to the destination.

It sure sounds to me like Apple intends to block YouTube’s trick. Transiently redirecting to a domain to install a first-party cookie seems like an unambiguous attempt to circumvent third-party cookie restrictions.

That click tracking spec is useless for advertising at scale. It only supports up to 64 campaigns is what I remember as the worst offender, somewhere in my comment history is a bit more when I first read the spec.

It offers 6 bits of campaign ID with the intention that campaigns need to be bucketed. Maybe it could be a bit more, but if it was, like, 32 bits, it could be used as a user ID.

I find it easy to explain that Apple is not using a mobile phone monopoly to X, for any X, by virtue of the fact that Apple does not have a mobile phone monopoly, not even close.

If I want Google ad tracking on my phone, I have a bewilderingly large selection of Android phones to choose from, all of which run on the same mobile networks as my iPhone, work with the same Internet, and all of the apps I consider part of my mobile workflow, like my PagerDuty and my banking app, are available on Android as well as iOS.

I’d say it’s hard to use the words “monopoly” and “Apple” in the same sentence. They don’t have a monopoly in phones, tablets, laptops, desktops, wearables, streaming music, data storage, messaging, calendars, productivity apps, or anything else that I can think of.

Yes, Apple is not a "monopoly" in a strict sense, but it has a very large captive audience and is definitely using that audience to serve its own needs. Getting Apple's tentacles out of your life can have significant side effects to your social life, as evidenced by the green bubble thread from the other day.

Monopolies abuse their power. Apple abuses its power. This doesn't make Apple a monopoly but it isn't any less of a problem.

I find it very easy to use "Apple" and "monopoly" in the same sentence.

Apple has been consistently making it harder to make money off iOS users without sharing that revenue with Apple. Furthermore, they don't allow side loading of apps, their own apps have special APIs that their competitors can't use, etc.

I could go on and on.

Luckily for this discussion, the word 'monopoly' has an accepted definition, which is:

> The exclusive possession or control of the supply of or trade in a commodity or service

Since Apple has, at most, below 50% market share in developed countries (and a much lower market share in developing countries), they do not possess a monopoly on the smartphone market.

By your given definition, Google isn't a monopoly either as there are clear alternatives to them in every sector that they are in.

Although the definition the other user posted was too strong, it was mitigated by the observation that Apple is barely 50%.

If we compare Google's market share in end user email, video hosting and search, we can see Google is a lot stronger in many markets than Apple is in their best market.

(I wish I could use an iPhone, but having to use Mac OS for development is a real turn off, considering how sucky Mac OS, in my view, has ever been.)

> (I wish I could use an iPhone, but having to use Mac OS for development is a real turn off, considering how sucky Mac OS, in my view, has ever been.)

Buying a mobile for your personal use means you have to develop for it?

That tweet is misinterpreting the “Unintended Consequences” section. Those are things we want to keep working, and if we break them, we will create alternate solutions (like Storage Access API for social embeds, and Private Click Measurement for ad attribution).

Preventing Google ad tracking? Nothing of value is lost. Besides, Apple has had a built in content blocking framework since iOS 8 that allows third party ad blockers. I’ve been blocking Google’s ads for years.

Unfortunately, under the current interpretation of US anti-trust law (thanks Robert Bork!), leveraging monopoly to knee-cap competitors is a-OK if it doesn't directly hurt consumers.

The chances of anti-trust law returning to an interpretation that protects competition under the current judiciary are nil.

How is Apple blocking an ad network “anticompetitive” when Apple’s only ad platform is within the App Store?

Well, how does a competitor make money on iOS without giving Apple a 30% cut of app installs and in-app purchases and/or using their ad network?

Simple, the same way that Spotify, Netflix, Amazon (Kindle), DirecTVNow, Sling, and a bunch of other companies do - force people to pay on their own websites to use the app....

Apple doesn’t have an “ad network”.

Why can't they do it on their app?

Can I pay the manufacturer of a good directly and walk into a retail store to pick it up?

But let’s not be overly idealistic, the vast majority of revenue in either App Store is from games and most of that is from in app purchases of coins, gyms, loot boxes etc.

Can I install another store in the mobile ecosystem? Yes I can.

But what you say is correct having another store would dent apple revenue would be loss of investors.

Only catch here is that Apple also takes a cut of such subscription revenue if it goes through an app [0].

Individually, I support Apple's decisions around enforcing privacy on the web. However, Apple's decisions when taken as a whole are making it incredibly difficult for a company to generate revenue from iOS users without sharing some of that revenue with Apple. Whether this makes Apple a monopoly I do not know, but it's certainly less clear of a good thing than their privacy efforts.

[0] https://www.theguardian.com/technology/2019/mar/13/spotify-c...

No, they only take a cut if the subscription is originated on the app.
