Summary: Apple introduced PCM [1], and to keep people from using it for cross-site tracking it limits the bits available to a single site (as defined by the PSL). If shop-a.retail.example and shop-b.retail.example are completely separate, and don't want to compete for bits, Apple will still treat them as a single site unless retail.example is on the PSL. Being on the PSL is a big change (partitioned cookies, etc) but could be appropriate for different shops.
FB issued guidance suggesting domains like retail.example consider getting themselves added to the PSL, and now the PSL (a volunteer project) is getting a lot of requests. The PSL project has put these requests on hold, and asked FB and Apple to work this out. FB is talking to Apple in https://github.com/privacycg/private-click-measurement/issue...
1. Multi-tenant domains that probably should've always been in the PSL (ex. to provide cookie silos) but are only realizing now that they should be in it due to the arrival of PCM.
2. Sites that want to abuse an eTLD to do something like give all users on their social network a custom subdomain so that they're not polluting the same pool.
--
I think it was actually reasonable for Apple to consider the PSL as it's basically the most comprehensive eTLD list that we have and would allow them to match browser behavior.
The problem now is that case (1) is sending a bunch of requests at once as something will now actually break for these sites. Before now it was really just them being lax with security and not considering that cookies should be siloed. This isn't a unique situation btw, PSL also saw a large increase in inclusion requests when Let's Encrypt added rate limits based on eTLDs.
(2) is obviously bad and there's really no other justification for these sites being in the PSL.
Therefore I think it's reasonable for PSL to deny inclusion requests that are solely for PCM reasons.
This all being said, the PSL is a massive hack [1] and really needs to be replaced by something else. It probably is about time for these companies to invest in a replacement.
> Can anyone explain why something like this wasn't implemented in the first place via DNS TXT records or tied to SSL somehow?
The idea is to be able to use it without network access, such as looking for unstructured URLs in text (e.g. "get a discount code at example.com/hn-reader"), formatting a URL in a browser bar (e.g. put the non-eTLD+1 in bold, or at least show the site name properly and not abbreviate all UK sites to "co.uk") or managing the cookie name properly (again, so everyone in co.uk doesn't share the same cookie).
Presumption is that the eTLDs are a tiny fraction (by orders of magnitude) of the domains registered under them so this db doesn't have to get too large.
I am not sure how to manage these strings automatically without them being spammed. They aren't all under the control of the TLD administrators (com.au is but cheapo-shop-hosting.com.au is not).
> 1. Multi-tenant domains that probably should've always been in the PSL (ex. to provide cookie silos) but are only realizing now that they should be in it due to the arrival of PCM.
uff, well I did not know about that list and we have a domain that uses multi-tenancy.
I mean I'm unsure whether to include it, but it probably adds a security benefit, so that it is impossible to add bad cookies from subdomains.
edit: can't add it anyway, I'm not sure, but our provider only allows renewing for 1 year (I'm not sure if that is a TLD limit, since I also do not see other additional domains with .de inside the list)
That thread between FB & Apple is fascinating. The potential solutions being discussed have significant implications:
1. Apple: "not support eTLDs in PCM and only support TLDs" - so no more ad attribution for multi-tenant domains.
2. Facebook: "some sort of vetting process to determine who is using subdomains in a way that is aligned with the intended purpose of the PSL" - so Apple takes over the PSL inclusion process and institutes strict vetting to prevent abuse of PCM, which would presumably take months to implement.
This looks like a serious design problem with no solution that could be implemented before ATT drops.
> That would cause tremendous harm to all the small businesses who operate on subdomains of TLDs like myshopify, and for what?
This was the giveaway that it was an FB person. Parts of that comment are verbatim from FB propaganda ads[0]. Maybe that awkward video from ~last month[1] was targeted more at aligning FB employees internally around the message, not the general public.
I mean, they also say "Facebook finds itself in the position of trying to help advertisers navigate Apple’s ATT changes - answering a wide variety of questions. We ..." I think everyone involved knows this is an issue from FB?
These people believe they’re lucky to work at a place like Facebook, and after reading some of these asinine comments, I'm inclined to agree.
The idea that they shit in the pool and get the swimmers to defend them sounds crazy, but people do defend Facebook’s doo-doo, and it makes sense that if you’re already covered in shit, it’s probably easier to pay people like this to walk around with shit all over themselves and say with a straight face “Apple should pay for our shit” than I ever thought.
After limited reading on the subject only the quoted issue.
Maybe shops like Etsy or Shopify should make tracking a premium benefit that is possible when getting your own domain :) Feels like an upsell opportunity to me
> A "public suffix" is one under which Internet users can (or historically could) directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. The Public Suffix List is a list of all known public suffixes.
> The Public Suffix List is an initiative of Mozilla, but is maintained as a community resource.
> It is inappropriate for presence or absence in PSL to be used by Facebook as a means to include or reject entries due to the IOS14 change, as PSL is not any form of security screen whatsoever, and the volunteer team maintaining the PSL is receiving the burden of being a sieve for the changes on interaction between those systems, which is taxing our resources.
> The ONLY validation performed by PSL volunteers and Github process to add listing in the PSL is to check that a DNS entry is added by the domain administrator that can be tied to, and this can be completely illusory and lite in reality in contrast to perhaps the desired level of security that had been intended between Facebook Pixel and Apple.
> We are freezing the approval of new submissions that cite the FB / IOS 14 interop issue in order to provide Facebook or Apple, with a much more robust set of resources, the opportunity to sort this out amongst/betwixt themselves.
~~Seems like FB was abusing the work of volunteers here as a reaction to changes in iOS 14.~~ I don't see why they can't run their own PSL a la NTP servers.
edit: Seems like Apple was the one to declare PSL as canonical.
Apple is the company that declared this the canonical Public Suffix List. Facebook is just directing their customers towards it. "If you need to be considered a public suffix for Apple's new policy, you'll need to send your pull request to this repo."
Apple should be officially supporting this project and turn it into an independent, but full-time gig. If the maintainers decline, Apple should hire someone to manage their own.
The existence of multiple independent definitions for eTLD+1 would be very likely to create security holes, via a Confused Deputy-type scenario.
If I were a security researcher, or a blackhat, and I found that bar.example is on the Mozilla PSL, and so Firefox considers foo.bar.example and quux.bar.example to be separate sites - while it isn't on the Apple PSL and so Apple's APIs treat foo.bar.example and quux.bar.example as parts of the same site (or vice versa), then I know I'm going to find weird bugs where Apple and the Firefox browser understand things about these two names differently and I can likely exploit that.
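Added example, not code from the PSL project, Apple or any browser: a minimal Public Suffix List resolver that implements the matching algorithm published at publicsuffix.org (exception rules win, then the longest matching rule, then the implicit "*" default) and uses it for the three things this thread keeps coming back to. It shows how listing retail.example (the summary at the top) turns shop-a.retail.example and shop-b.retail.example from one "site" into two, why a cookie with Domain=retail.example is then refused (the offline cookie-scoping use case described above), and how two different snapshots of the list give different same-site verdicts for the same pair of hosts (the confused-deputy point in the comment just above). The rule set is a constructed snippet, not the real list; retail.example, shop-a/shop-b and the "browser A"/"browser B" labels are assumptions for illustration.

```python
"""
Added example for this thread: a tiny PSL resolver, not the PSL project's own code.
The rule text below is constructed for illustration and is not the real list.
"""

CONSTRUCTED_PSL = """
// constructed snippet for illustration only
com
example
co.uk
*.ck
!www.ck
"""

# The entry a multi-tenant operator like retail.example (assumed name) might request.
PSL_WITH_RETAIL = CONSTRUCTED_PSL + "\nretail.example\n"


def parse_psl(text):
    """Return the rules with comments and blank lines stripped."""
    rules = []
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip().lower()
        if line:
            rules.append(line)
    return rules


def _labels(host):
    return host.lower().rstrip(".").split(".")


def _rule_matches(rule_labels, host_labels):
    """A rule matches when its labels equal the host's trailing labels; '*' matches any one label."""
    if len(rule_labels) > len(host_labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(host_labels)))


def public_suffix(host, rules):
    """Public suffix per the PSL algorithm: exception beats all, then longest rule, then '*'."""
    host_labels = _labels(host)
    exception = None
    best = []
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _rule_matches(rule_labels, host_labels):
            continue
        if is_exception:
            exception = rule_labels
        elif len(rule_labels) > len(best):
            best = rule_labels
    if exception is not None:
        n = len(exception) - 1      # exception rule: drop its leftmost label
    elif best:
        n = len(best)
    else:
        n = 1                       # implicit default rule "*"
    return ".".join(host_labels[-n:])


def registrable_domain(host, rules):
    """eTLD+1: the public suffix plus one label, or None when host is itself a suffix."""
    host_labels = _labels(host)
    n = public_suffix(host, rules).count(".") + 1
    if len(host_labels) <= n:
        return None
    return ".".join(host_labels[-(n + 1):])


def same_site(host_a, host_b, rules):
    """The question PCM's entropy budget and cookie partitioning ask: shared eTLD+1?"""
    a = registrable_domain(host_a, rules)
    return a is not None and a == registrable_domain(host_b, rules)


def cookie_domain_accepted(request_host, domain_attr, rules):
    """RFC 6265 style check: Domain must domain-match the host and must not be a public suffix."""
    request_host = request_host.lower().rstrip(".")
    domain_attr = domain_attr.lower().strip(".")
    if not (request_host == domain_attr or request_host.endswith("." + domain_attr)):
        return False
    if public_suffix(domain_attr, rules) == domain_attr and domain_attr != request_host:
        return False
    return True


def site_verdicts(host_a, host_b, named_lists):
    """Same-site verdict for one pair of hosts under every supplied list snapshot."""
    return {name: same_site(host_a, host_b, rules) for name, rules in named_lists.items()}


def lists_disagree(host_a, host_b, named_lists):
    """True when two list snapshots would put the pair on different sides of the site boundary."""
    return len(set(site_verdicts(host_a, host_b, named_lists).values())) > 1


if __name__ == "__main__":
    base = parse_psl(CONSTRUCTED_PSL)
    listed = parse_psl(PSL_WITH_RETAIL)
    print(registrable_domain("shop-a.retail.example", base))
    print(registrable_domain("shop-a.retail.example", listed))
    print(cookie_domain_accepted("shop-a.retail.example", "retail.example", listed))
    print(lists_disagree("shop-a.retail.example", "shop-b.retail.example",
                         {"browser A": base, "browser B": listed}))
```

The same resolver also shows the per-user-subdomain concern raised later in the thread: once retail.example is listed, user-1.retail.example and user-2.retail.example are different sites too, so there is nothing in the list mechanism itself that distinguishes separate tenants from one operator minting a subdomain per visitor.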
The preference from PSL team members is to do less with this hack over time, to put it behind us. But alas instead it motivates people to turn a hand-wavy notion "You know, a web site" into further reliance on the PSL instead of actually building a robust solution to their problem.
This is particularly inexcusable from Apple because it's not like Apple is hurting for resources. If they actually wanted to solve problems, they could put the work in; so I think we can conclude they weren't much interested in solving the problem, only as usual in ensuring somebody else takes the blame.
>edit: Seems like Apple was the one to declare PSL as canonical.
Dependency on the Public Suffix List is already baked into essentially 100% of the global browser market for purposes like control of setting cookies - I'm not sure Apple made it any more 'canonical' by depending on it here.
It kind of reminds me of the manually-shared HOSTS.TXT list of domain names before we had DNS, and seems like a problem we also need formal infrastructure to solve long term.
This is a result of Apple limiting the entropy of marketing data that can be received from a domain (defined as an eTLD+1) to 6 bits.
This causes problems for platforms like Shopify or marketplaces like Alibaba or eBay that may have multiple sellers trying to run ads on a domain and competing for the same small pool of entropy.
This solution? Leverage the "public suffix" list to define your domain as an eTLD and give every seller a separate subdomain so that everyone gets their own data entropy namespace.
Now every hosting provider or online marketplace is scrambling to re-architect their site into subdomains with public suffixes to maintain the status quo.
There's probably a decent number of sites that get most/all of their traffic from impulse purchases off of Facebook ads, and who have no actual branding. Obviously they should go ahead and just get a domain name, but they likely haven't had any reason to care up until this point either.
This is a good point. It looks like google treats subdomains as internal links to the main domain. No idea if they treat myshopify.com this way.
FWIW, it looks like a 301 to a new domain should transfer the seo juice. If the site is valuable, a new domain should stand up pretty well. It also decamps from myshopify.
This all seems more valuable to the store owner, but I get why people would want to avoid all those changes and just try to figure out the thing "Apple is making them do."
Just suck it up and buy google-calculatorstore.com or whatever - if you're happy with the myshopify domain you clearly don't care _that_ much.
Of course, that specific example, since Google is trademarked and well known might get you on the wrong end of Shopify's ToS or a UDRP request either way.
> This causes problems for platforms like Shopify or marketplaces like Alibaba or eBay that may have multiple sellers trying to run ads on a domain and competing for the same small pool of entropy.
> One thing that will not change is the existence of small businesses; in particular, small merchants who do not have their own eTLD+1 registered. Registering an eTLD+1, and hosting a website specific to your business is a pretty high bar to demand of all businesses.
Benjamin Savage is with FB I assume...? Registering a domain name should be table stakes if you want to run a business and have ad tracking with increased entropy online.
Is it reasonable to deny access to individuals without a phone number but unreasonable to give less ad tracking entropy to businesses without their own domain? Something about mosquitoes and camels there, no?
If a business cares more than $10/year, registering a domain is a no-brainer. “Small businesses” are just being pawns in the chess game here - I have yet to see a legit “small business” owner who cares or thinks this is an actual issue
While it does have quite a bit of details, this followup issue is clearly written by someone from FB or one of the other AdCos who wants to point the finger back at Apple. The tone and wording used here is rather rich and entitled.
>Who will vet such a list continuously at a global scale?
>Apple should.
>Apple created this issue in the first place. The need for multi-tenant websites to add themselves to the PSL exists only because of the PCM design decision to limit measurement to registrable domains. The urgency exists because of Apple's planned ATT enforcement.
The quotes are entirely appropriate because adding some domain to the PSL makes the subdomains siloed cookie-wise so they can't share cookies and the PSL cannot use cookies anymore.
Since they can't share cookies you can't track across even the same domain when added to the PSL.
This is a feature needed for sites like Rakuten, Shopify, Alibaba that have multiple merchants under the same domains.
Apple literally built a feature that requires addition to PSL to support a usecase that was addressed multiple times in the PrivacyCG meetings. How is this entitlement, they are following the Apple requirements.
If you're at the point you're spending money on ads and need to track them, you can spend $10 on a domain name? Lots of these platforms also give away free domain names.
It's not about whether or not it's foolish - the point is buying and setting up a subdomain, handling SEO, etc. is often more complex than some small business owners want to deal with.
Seriously. I can see reasons that aren't entirely altruistic for Apple in trying to increase these privacy protections but trying to offload it back to Apple as if Facebook's abuse of consumer data isn't the real reason for this is ridiculous.
This is fascinating to see Apple and Facebook engineers politely yet publicly arguing over potential technical implementations of Apple's privacy policies.
You're right, it's not that polite. "If Apple can develop a scaled process to review the millions of apps submitted to the Apple store, surely it is also capable of reviewing the few dozen multi-tenant domains that exist on the internet" is very passive-aggressive.
The linked discussion makes me wonder, how much of our existence on the internet is just an unintended consequence of some minor engineering decision?
Whim of an unknown engineer creating or destroying million dollar industries down the line...
Seems like the right move from a volunteer run project, what will the future hold though? Artificial scarcity is always a problem.
On another note, for just 20k$ I can offer you exclusive use of the xxgfzrf.dinglebop.me Public Suffix so that you can keep tracking your users. Please reach out to sales@example.com if you are interested.
To make things worse, it's basically impossible to remove a domain from the PSL as no one knows how software built against the PSL would handle it. A removal could break a tremendous amount of software that people rely on.
It doesn't really propose an alternative to the PSL for 'same site' behavior, instead just pushes for 'same origin' (aka exact match) behavior.
I would agree that e.g. Apple would be better to support both same-site and same-origin, and say, clobber PCM if it receives a request for one after it has already received a request for the other.
PSL is used to determine the level that a unique domain is registered at. This restricts cookies and privileges to that domain. It’s just a simple list because both .com and .co.uk are valid suffixes. iOS 14 is using this list to prevent apps from tracking you across sites by limiting the data that can be stored per site. If you can get your domain recognized as a suffix as mysite.com then you can split information between all higher level domains. client1.mysite.com and client2.mysite.com. This allows you to store as much information as you want.
The PSL has always been a giant hack and totally unmaintainable in the long term. It's only a matter of time before someone mistakenly relying on it for security purposes gets owned by a rogue PR. Also, as mentioned in some of these issues, browsers don't even update it on any sort of guaranteed schedule.
Isn’t the easiest solution here for companies to register their own domain? Why be company.service.tld and not just company.tld? What are these businesses doing for email?
In this case I think the issue is trackers. If you owned a retargeting or tracking service, you might have customer1.retargeting.com and customer2.retargeting.com. Apple will now see these as being the same site, unless individually registered in PSL. This limits the amount of data that can be aggregated by retargeting.com, unless each subdomain is added to PSL.
I think this is it - the only "small businesses" I see being actually hurt (as opposed to slightly inconvenienced) by this would be retargeting and tracking companies.
I work on digital advertising for a franchise where each individual store manages their own shopify site at location.franchise.com. Soon, these sites won't be able to run ads that track purchases, unless franchise.com is added to this list.
I understand the PSL managers' position that this is an unfair burden to place on them though.
Yeah, I didn’t quite understand it correctly at first. That’s a really good example of a legit use case that’s collateral damage from Apple vs Facebook.
I can think of other issues now too. For example, I think government services should be structured as subdomains instead of each department registering a separate domain. This will encourage the use of separate domains if they need to track effectiveness and that’s bad IMO. We don’t want to normalize stuff like irsonline.com because of the boost it gives phishing.
Yeah, but if they’re talking about physical location franchises individually owned by local residents (there are a lot), the tracking they want to do probably isn’t nearly as pervasive as Facebook as a whole.
For example, each location might want to track the effectiveness of ads for their locality. Facebook is probably a decent place for them to run ads too.
The big problem is that Facebook has earned a reputation of abusing all the data they collect, so most people are going to say the same thing as you and not have any sympathy, but it probably screws over the poster you’re replying to pretty bad.
In principle, you can know that an ad click resulted in a purchase without knowing who clicked the ad and who made the purchase. Apple supports these kinds of measurements for its own Apple Search Ads product.
The “entropy limit” you see people talking about elsewhere in the thread is one means that attempts to allow ads to be measured like this without revealing information about the users. But if every store *.shopify.com is in the same entropy pool, there won’t even be enough information to tell which ad campaign led to a sale on which store.
How can you give every subdomain in *.shopify.com their own entropy pool without also giving domains the ability to serve a distinct subdomain for each user (eg, user-1.example.com & user-2.example.com) and therefore bypassing the restrictions Apple is seeking to implement?
That’s the debate happening in the GitHub issue. I think a natural answer is with carrots and sticks. Shopify will police their platform if that is what’s necessary to prevent Apple from destroying its business by cutting them all off.
There aren’t that many “build your own store” SaaS platforms, so it is feasible to maintain a whitelist.
It may sound strange at first to propose that Apple should be essentially auditing the behavior of other companies, but they have shown a willingness to pick up that mantle. Apple has already undertaken the huge effort of regulating the business practices of anyone on the App Store with the privacy label and other areas such as payments for digital goods. In this case, they’ve sort of delegated responsibility to a volunteer effort, which is understandable given how the situation evolved, but doesn’t seem sustainable.
If they know somebody clicked the ad and made a purchase, but they can’t know it was you, why are you bothered? Is it about something other than privacy?
Apple is doing some cool things to make personally identifiable tracking from Facebook ads much less pervasive, while still providing advertisers/businesses data about whether or not their ads are working. These things include sending batches of data every 36-48 hours instead of data as it happens, etc. But in order for these tools to work, Apple is asking Facebook to rely on this list to see if subdomains would be able to set up conversion events to collect this anonymized batched data.
This system will make ads worse, but I think it's an alright balance. Not being able to have any conversion tracking will make ads dismal.
I wish that Apple would work to maintain their own list that served this purpose, or provided support to the volunteers that were tasked with keeping this updated.
I think that's precisely according to intentions. Either they're separate entities with separate domains, or they're run by the same entity and get the same entropy.
> Soon, these sites won't be able to run ads that track purchases, unless franchise.com is added to this list.
They still can, though, right? Just that they don't get more bits than if they had everything on one site. It's just that they can't "eat the cake and have it".
As an aside, it's insane that decisions of such import are being made by folks working at a couple of large US companies. This is going to impact users and small businesses across the world. Where is the representation from African/Indian/Chinese businesses and technologists? This would require the big tech cos to truly be interested in "diversity" of course, instead of the lip-service they pay to it in practice.
It's past time we use a better solution for the PSL side-effects (cookie partitioning, TLD detection) than a centralized list. A dedicated DNS record comes to mind.
That's not the issue; addition requests volume has suddenly gone way up because of this new Apple policy, and the volunteers that run the PSL are not prepared for it.
To be honest Facebook should offer a tracking free version with paid subscription. It is not acceptable that the only way to use Facebook and contact your family is to sacrifice your own and theirs privacy.
When are we going to have a regulator step in and tackle this?
It doesn't seem that GDPR has helped much, so I think more radical steps are needed.
Such tracking that is being done online would be illegal offline (stalking), so I don't see how long this is going to go. It's not sustainable.
I don't think that such a paid subscription would be feasible. Facebook currently earns more than $150/year on ads for each of their US/Canada users on average; and iPhone users who would be willing to pay for such services probably are worth more than the average, so the appropriate market-determined fee to replace invasive ad targeting would be quite large.
I don't think people would be willing to pay for tracking-free Facebook more than they pay for Netflix.
I don't think profits of a private company should be a justification for such invasion of privacy. There is plenty of ways they could make it work, but we need a legislation to compel them to do so.
That option should be mandated by law even if it turned out to be niche.
iPhone users are probably among Facebook's most valuable advertising demographic (ie. lots of disposable income). Apple's decisions to block tracking are hurting them in a big way, and offering a paid subscription probably won't seem attractive to users if Facebook prices it at the full value lost.
We've trained people that everything is free. We can't get away from that now that the genie is out of the bottle. Furthermore, people might just decide Facebook isn't worth it for them at the level of functionality they provide. As more churn happens, the overall value of the network decreases.
This has nothing to do with tracking to target ads. Facebook doesn't need Apple to execute that, people share data with FB voluntarily.
This is about measuring the impact of advertising while following a standard published by Apple itself and covering the usecase of big marketplaces with sub stores in it.
I’m just here to point the finger at Facebook, or anyone, for finding this workaround of declaring your legitimate website as a domain suffix just for tracking entropy purposes; this is so laughable. Like my Ford Fiesta identifies as an Apache attack helicopter.
>PSL is maintained by volunteers and there should be zero expectation of turnaround times on PR (and a respect for the labor burden shifted onto them by orgs using PSL as a bozofilter)
What is to stop Facebook from assigning an engineering team to act as volunteers so the turnaround time drops to zero?
Um, because those engineers don't have commit access to the repository? You can't just hire an engineering team and take over any open source project you want.
Oh, I was assuming the engineering team would lie and pretend that they did not work for Facebook. I assumed they would slowly work to gain the confidence of those in control and little by little they gain the access they required themselves. Maybe they could pretend not to know each other and use that to their advantage. Surely a company with the resources of Facebook could manufacture fake alternate lives for the engineering team to make them look completely legitimate and harmless.
No, Facebook. Facebook is telling companies to use the PSL. The PSL people are saying, “we give no guarantees about how long it will take us to add a domain to the PSL”. They could drag their feet so long as to make the PSL useless. To make sure it works, I could see Facebook wanting to get some of their people into position so that they can immediately approve PRs on the PSL.
I can’t think of any reason Apple would want to support the PSL.
[1] https://webkit.org/blog/11529/introducing-private-click-meas...