FB issued guidance suggesting domains like retail.example consider getting themselves added to the PSL, and now the PSL (a volunteer project) is getting a lot of requests. The PSL project has put these requests on hold, and asked FB and Apple to work this out. FB is talking to Apple in https://github.com/privacycg/private-click-measurement/issue...
1. Multi-tenant domains that probably should've always been in the PSL (ex. to provide cookie silos) but are only realizing now that they should be in it due to the arrival of PCM.
2. Sites that want to abuse an eTLD to do something like give all users on their social network a custom subdomain so that they're not polluting the same pool.
I think it was actually reasonable for Apple to consider the PSL as it's basically the most comprehensive eTLD list that we have and would allow them to match browser behavior.
The problem now is that case (1) is sending a bunch of requests at once as something will now actually break for these sites. Before now it was really just them being lax with security and not considering that cookies should be siloed. This isn't a unique situation btw, PSL also saw a large increase in inclusion requests when LetsEncrypt added rate limits based on eTLDs.
(2) is obviously bad and there's really no other justification for these sites being in the PSL.
Therefore I think it's reasonable for PSL to deny inclusion requests that are solely for PCM reasons.
This all being said, the PSL is a massive hack  and really needs to be replaced by something else. It probably is about time for these companies to invest in a replacement.
Can anyone explain why something like this wasn't implemented in the first place via DNS TXT records or tied to SSL somehow?
The idea is to be able to use it without a network access, such as looking for unstructured URLs in text (e.g. "get a discount code at example.com/hn-reader"), formatting a URL in a browser bar (e.g. put the non-eDLD+1 in bold, or at least show the site name properly and not abbreviate all UK sites to "co.uk") or managing the cookie name properly (again, so everyone in co.uk doesn't share the same cookie).
Presumption is that the eTLDs are a tiny fraction (by orders of magnitude) from the domains registered under them so this db doesn't have to get too large.
I am not sure how to manage these strings automatically without them being spammed. They aren't all under the control of the TLD administrators (com.au is but cheapo-shop-hosting.com.au is not).
uff, well I did not know about that list and we have a domain that uses multi-tenacy.
I mean I'm unsure to include it but it probably adds a security benefit, so that it is impossible to add bad cookies from subdomains.
edit: can't add it anyway I'm not sure but our provider only allows to renew for 1 year (I'm not sure if that is a tld limit, since I also do not see other additional domains with de inside the list)
1. Apple: "not support eTLDs in PCM and only support TLDs" - so no more ad attribution for multi-tenant domains.
2. Facebook: "some sort of vetting process to determine who is using subdomains in a way that is aligned with the intended purpose of the PSL" - so Apple takes over the PSL inclusion process and institutes strict vetting to prevent abuse of PCM, which would presumably take months to implement.
This looks like a serious design problem with no solution that could be implemented before ATT drops.
This was the giveaway that it was an FB person. Parts of that comment is verbatim from FB propaganda ads. Maybe that awkward video from ~last month was targeted more at aligning FB employees internally around the message, not the general public.
 Which I can’t find now
I mean, they also say "Facebook finds itself in the position of trying to help advertisers navigate Apple’s ATT changes - answering a wide variety of questions. We ..." I think everyone involved knows this is an issue from FB?
The idea that they shit in the pool and get the swimmers to defend them sounds crazy, but people do defend Facebook’s doo-doo, and it makes sense that if you’re already covered in shit, it’s probably easier to pay people like this to walk around with shit all over themselves and say with a straight face “Apple should pay for our shit” than I ever thought.
So if you fix it for small multi-tenant domains, nothing changes for Facebook and they still get all the aggregate data, right?
There’s going to be a lot of collateral damage before ads and tracking get fixed IMO.
Maybe shops like Etsy or Shopify should make tracking a premium benefit that is possible when getting your own domain :) Feels like a upsell opportunity to me
> A "public suffix" is one under which Internet users can (or historically could) directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. The Public Suffix List is a list of all known public suffixes.
> The Public Suffix List is an initiative of Mozilla, but is maintained as a community resource.
> The ONLY validation performed by PSL volunteers and Github process to add listing in the PSL is to check that a DNS entry is added by the domain administrator that can be tied to, and this can be completely illusory and lite in reality in contrast to perhaps the deisred level of security that had been intended between Facebook Pixel and Apple.
> We are freezing the approval of new submissions that cite the FB / IOS 14 interop issue in order to provide Facebook or Apple, with a much more robust set of resources, the opportunity to sort this out amongst/betwixt themselves.
~~Seems like FB was abusing the work of volunteers here as a reaction to changes in iOS 14.~~ I don't see why they can't run their own PSL a la NTP servers.
edit: Seems like Apple was the one to declare PSL as canonical.
If I was a security researcher, or a blackhat, and I found that bar.example is on the Mozilla PSL, and so Firefox considers foo.bar.example and quux.bar.example to be separate sites - while it isn't on the Apple PSL and so Apple's APIs treat foo.bar.example and quux.bar.example as parts of the same site (or vice versa), then I know I'm going to find weird bugs where Apple and the Firefox browser understand things about these two names differently and I can likely exploit that.
The preference from PSL team members is to do less with this hack over time, to put it behind us. But alas instead it motivates people to turn a hand-wavy notion "You know, a web site" into further reliance on the PSL instead of actually building a robust solution to their problem.
This is particularly inexcusable from Apple because it's not like Apple is hurting for resources. If they actually wanted to solve problems, they could put the work in; so I think we can conclude they weren't much interested in solving the problem, only as usual in ensuring somebody else takes the blame.
Dependency on the Public Suffix List is already baked into essentially 100% of the global browser market for purposes like control of setting cookies - I'm not sure Apple made it any more 'canonical' by depending on it here.
This causes problems for platforms like Shopify or marketplaces like Alibaba or eBay that may have multiple sellers trying to run ads on a domain and competing for the same small pool of entropy.
This solution? Leverage the "public suffix" list to define your domain as an eTLD and give every seller a separate subdomain so that everyone gets their own data entropy namespace.
Now every hosting provider or online marketplace is scrambling to re-architect their site into subdomains with public suffixes to maintain the status quo.
Seems someone would first effect to have a better branded site. As in, a decent TLD.
And that if anything, this is a kick in the pants of an ecommerce site to get its own domain(s) to deal with this.
Do I have that right?
FWIW, it looks like a 301 to a new domain should transfer the seo juice. If the site is valuable, a new domain should stand up pretty well. It also decamps from myshopify.
This all seems more valuable to the store owner, but I get why people would want to avoid all those changes and just try to figure out the thing "Apple is making them do."
Of course, that specific example, since Google is trademarked and well known might get you on the wrong end of Shopify's ToS or a UDRP request either way.
This is essentially https://github.com/privacycg/private-click-measurement/issue....
Effectively it boils down to, "how can you distinguish the seller from the website owner?", if you want to give both seller and website owner entropy.
Benjamin savage is with FB I assume...? Registering a domain name should be table stakes if you want to run a business and have ad tracking with increased entropy online.
Is it reasonable to deny access to individuals without a phone number but unreasonable to give less ad tracking entropy to businesses without their own domain? Something about mosquitoes and camels there, no?
If a business cares more than 10$/year, registering a domain is a nobrainer. “Small businesses” are just being pawns in the chess game here - I’m yet to see an legit “small business” owner who cares or thinks this is an actual issue
>Who will vet such a list continuously at a global scale?
>Apple created this issue in the first place. The need for multi-tenant websites to add themselves to the PSL exists only because of the PCM design decision to limit measurement to registrable domains. The urgency exists because Apple's planned ATT enforcement.
This is a feature needed for sites like Rakuten, Shopify, Alibaba that have multiple merchants under the same domains.
Nothing to do with entitlement.
On another note, for just 20k$ I can offer you exclusive use of the xxgfzrf.dinglebop.me Public Suffix so that you can keep tracking your users. Please reach out to firstname.lastname@example.org if you are interested.
Not really, in fact it can increase your ability to track users if it's (ab)used in specific ways - see use case #2 and #3 here:
I would agree that e.g. Apple would be better to support both same-site and same-origin, and say, clobber PCM if it receives a request for one after it has already received a request for the other.
The solution is to block all ads, or even better, ban them.
My best guess at the moment is Public Suffix List.
There could also be a setup / maintenance angle I guess. Specifying a big list of custom domains is more work than *.example.com.
I understand the PSL managers' position that this is an unfair burden to place on them though.
I can think of other issues now too. For example, I think government services should be structured as subdomains instead of each department registering a separate domain. This will encourage the use of separate domains if they need to track effectiveness and that’s bad IMO. We don’t want to normalize stuff like irsonline.com because of the boost it gives phishing.
There’s definitely two sides to this one.
Isn't that part of the purpose of the changes that Apple is making? As a user, this seems like a great change. Less tracking is a positive.
For example, each location might want to track the effectiveness of ads for their locality. Facebook is probably a decent place for them to run ads too.
The big problem is that Facebook has earned a reputation of abusing all the data they collect, so most people are going to say the same thing as you and not have any sympathy, but it probably screws over the poster you’re replying to pretty bad.
The “entropy limit” you see people talking about elsewhere in the thread is one means that attempts to allow ads to be measured like this without revealing information about the users. But if every store *.shopify.com is in the same entropy pool, there won’t even be enough information to tell which ad campaign led to a sale on which store.
There aren’t that many “build your own store” SaaS platforms, so it is feasible to maintain a whitelist.
It may sound strange at first to propose that Apple should be essentially auditing the behavior of other companies, but they have shown a willingness to pick up that
mantle. Apple has already undertaken the huge effort of regulating the business practices of anyone on the App Store with the privacy label and other areas such as payments for digital goods. In this case, they’ve sort of delegated responsibility to a volunteer effort, which is understandable given how the situation evolved, but doesn’t seem sustainable.
*I haven’t clicked on an ad in a decade so I’m probably not the target audience
This system will make ads worse, but I think it's an alright balance. Not being able to have any conversion tracking will make ads dismal.
I wish that Apple would work to maintain their own list that served this purpose, or provided support to the volunteers that were tasked with keeping this updated.
> Soon, these sites won't be able to run ads that track purchases, unless franchise.com is added to this list.
They still can, though, right? Just that they don't get more bits than if they had everything on one site. It's just that they can't "eat the cake and have it".
I don't think people would be willing to pay for tracking-free Facebook more than they pay for Netflix.
We've trained people that everything is free. We can't get away from that now that the genie is out of the bottle. Furthermore, people might just decide Facebook isn't worth it for them at the level of functionality they provide. As more churn happens, the overall value of the network decreases.
Apple just checkmated Facebook.
This is about measuring the impact of advertising while following a standard published by Apple itself and covering the usecase of big marketplaces with sub stores in it.
What is to stop Facebook from assigning an engineering team to act as volunteers so the turnaround time drops to zero?
I can’t think of any reason Apple would want to support the PSL.