Apple adds a tracker blocker to desktop Safari (opens in new tab)

(techcrunch.com)

517 pointsAllvitende9y ago286 comments

286 comments

129 comments · 25 top-level

tptacek9y ago· 20 in thread

This is great, but unfortunately, until Apple ups its browser security game, Safari is a non-starter. On macOS, switching from any other browser to Chrome is in the top 3 things you can do to materially improve your security in ways that actually matter in the real world.

justinschuh9y ago

Just to add some context, on macOS you can look at the seat-belt policy as a rough analog of for basic sandboxing guarantees, where the fewer exceptions you have the stronger your sandbox is. From that perspective, Chrome's policy has around 1/10th the exceptions of Safari.

* Safari SB policy: https://trac.webkit.org/browser/webkit/trunk/Source/WebKit2/...

* Chrome SB policy: https://cs.chromium.org/chromium/src/content/renderer/render...

And of course, that's before we get into more complex forms of isolation that Chrome implements, such as the sandboxed GPU process, or ongoing work into things like network sandboxing, the macOS bootstrap sandbox, and site isolation (origin-bound renderer sandboxing).

tptacek9y ago

For anyone following, this is Justin Schuh of the Chrome security team (and co-author of TAOSSA, probably still the best book in all of software security).

Another thing Chrome does out of the box that Safari doesn't is U2F.

Still another is Chrome's industry-leading TLS management, including the pioneering of HPKP and the Chrome/Firefox pin list, and the aggressive policing of the WebPKI CAs.

I've been pretty aggressively terse in this thread, because I didn't even realize this was a live argument anymore. Safari is simply not as secure as Chrome, and it's less secure in ways that are meaningful to normal users.

Again: iOS, different story.

om29y ago

The question is a bit complex than a simple reading of these files. Mac OS sandboxing allows dynamic extension of the sandbox, which would not be reflected in the profile (I'd bet Safari does more of this than Blink though). Also, as you mentioned, it's relevant to look at what's factored into separate processes, and how those processes are sandboxed. Safari's Network process has been networked since 2013, so I don't think you can count Chrome's ongoing work to do so as a Chrome advantage.

If you add these things up, the difference in practical effectiveness is not as wide as one might think.

1 more reply

gok9y ago

(Your links are switched)

edit: they're fixed now

1 more reply

yladiz9y ago

Can you give specific examples why Chrome is significantly better than other browsers, including Firefox, Opera? Chrome is a non starter for me because of its resource usage and battery hunger.

One specific area where Safari is better than Chrome is in private browsing mode. In Safari, each tab is completely separate, and the cookies aren't shared (as far as I can tell) whereas in Chrome, it's only separate as a whole "private browsing session." They each have their pros/cons but I prefer Safari's model.

M4v3R9y ago

Me too, I only use chrome for its built-in Flash support when a site requires it.

1 more reply

dfischer9y ago

How is Chrome more secure than Safari on macOS?

tptacek9y ago

If you're interested in a detailed answer, read this:

https://medium.com/@justin.schuh/securing-browsers-through-i...

Then try to work back either Edge's or Chrome's approach to security to specific Safari features and design.

The Chrome security team is probably the most sophisticated software security team in the industry (lest you think I'm in the tank for Google, I'd say the iOS platform security team is a close 2nd --- and, to be clear: Safari is a different story on iOS).

2 more replies

cylo9y ago

I am curious to know why you say this considering Safari is just as sandboxed as Chrome?

tptacek9y ago

No, it isn't.

4 more replies

ocdtrekkie9y ago

While I'm not sure how effective they are on OS X, I have a hard time agreeing with any suggestion that Chrome is anything but the worst possible option for browser security right now. Chrome's official extension store is full of malware which collect not just your browsing data, but the contents of every page you view, and Google has shown almost zero interest in policing it. And a large percentage of malicious websites are designed to get users to install these malicious extensions.

Chrome may be relatively decent at preventing a webpage from compromising your OS, but in the modern era, a compromised browser is as bad or worse anyways, since that's where most of your sensitive activity goes.

While many HN readers will know to avoid the perils of this crud, I don't feel Chrome can be recommended over IE6 to the wider Internet while this remains so commonplace. Safe use of Chrome requires constant vigilance.

In light of Chrome's issues, I feel like a claim that switching to Chrome is important for security to require an exceptional evidence of vulnerability in the other browser.

euroclydon9y ago

So battery life or security, take your pick?

tptacek9y ago

I'm not saying it doesn't suck. But it's going to keep sucking as long as people are willing to pretend that Safari already has comparable security to Chrome.

1 more reply

dmix9y ago

Do they even try to break Safari at those pwn2own events?

Or is it just assumed to be an easy target/too niche/no money from Apple?

om29y ago

They do. Breaking out of the sandbox is not trivial though over time people have found ways to do it.

JumpCrisscross9y ago

What are the other two (for macOS)?

QuinnyPig9y ago

"Use a password manager, enable MFA" unless I miss my guess.

wolf550e9y ago

I guess password manager and U2F yubikey.

1 more reply

tobr9y ago

I didn't know that. What are the specific security problems with Safari?

draw_down9y ago

Fair enough, it's not exactly a security play though.

tannhaeuser9y ago· 18 in thread

Thumbs up for Apple distinguishing themselves by their pro-privacy stance, as opposed to MS, who don't have anything to win by Win10's excessive "telemetry" IMHO.

Vinnl9y ago

I recently realised that any company taking on Google (e.g. Apple, Mozilla, ...) that is afraid they won't be able to take them on in areas like machine learning or sheer size, is realising, rightfully so, that being pro-privacy is the one thing they can compete on with Google that Google will never be able to imitate. Pretty sweet, actually.

codyb9y ago

I think a big thing about AI with Apple is the fact that their stance on privacy makes it a bit harder to compete with the harvested data sets of Google. From what I understand though, according to the reactions on the papers they released a bit back, they're not doing so poorly.

That being said, and I've never used Cortana or Alexa, but I hear they're pretty decent compared to Siri.

1 more reply

alternativetoo9y ago

Hmmm.

https://arstechnica.com/tech-policy/2017/03/isps-say-your-we...

> CTIA is the main lobbyist group representing mobile broadband providers such as AT&T, Verizon Wireless, T-Mobile USA, and Sprint.

It doesn't just represent them, Apple is also a member:

https://www.ctia.org/about/our-members

donarb9y ago

You do know that Apple makes mobile devices, right? And so it would make sense that Apple is part of the group the supports hardware standards in the mobile device industry, they're not just a lobbying group.

1 more reply

alternativetoo9y ago

5 downvotes huh; anyone able to explain how the above is compatible with a strong pro-privacy stance? That's like saying you're a vegetarian, except for saturday noon.

2 more replies

mtgx9y ago

It's also a real shame they're doing this before Mozilla. Mozilla already has Tracking Protection but only for Private Windows.

It's like Mozilla can't even embrace its privacy stance fully.

ianlevesque9y ago

Like their entire revenue stream comes from search deals, who all depend on advertising.

Vinnl9y ago

In fact, Mozilla is working on that: https://testpilot.firefox.com/experiments/tracking-protectio...

> We believe these additions will help us take the next step toward shipping Tracking Protection in Firefox beyond Private Browsing Mode. Look for that study in late 2017.

newscracker9y ago

Not exactly the same, but there's Privacy Badger [1] from EFF that works on Firefox, Chrome and Opera. If you'd like to see a visualization of the tracking for your browsing habits, there's Lightbeam [2] from Mozilla. Both these have been around for a few years now.

[1]: https://www.eff.org/privacybadger

[2]: https://www.mozilla.org/en-US/lightbeam/

whoami_nr9y ago

You can enable Tracking Protection in Firefox for normal browsing windows in the settings->privacy tab

1 more reply

flukus9y ago

I didn't realize it was only activated in private windows. Now that you've made me notice I consider this misleading, on the settings page it says nothing about being private windows only.

1 more reply

real-hacker9y ago

Apple has every reason to do so, as their revenue doesn't come from ads. But I guess Google also has the motivation to enable this in Chrome, to make other ad networks less effective (and Google ads more effective). If it happens, what does this mean for the internet advertising business?

ch4ck9y ago

Internet Explorer has tracking protection since IE9.

miles9y ago

They are completely different beasts. Internet Explorer merely offers the option to enable[1] "Do Not Track", which websites and advertisers are free to ignore[2], while Safari's new ad tracker blocker "uses machine learning to identify trackers, segregate the cross-site scripting data, put it away so now your privacy — your browsing history — is your own"[3].

[1] https://en.wikipedia.org/wiki/Do_Not_Track#Internet_Explorer...

[2] https://en.wikipedia.org/wiki/Do_Not_Track#Effectiveness

[3] https://techcrunch.com/2017/06/05/apple-adds-a-tracker-block...

2 more replies

ocdtrekkie9y ago

Going to my IE right now to activate it, I have to say this is a janky solution. It opens the Add-ons window, where you can see you have no Tracking Protection Lists. Then you can click to browse the add-on gallery for them, and then you have to scroll down and pick a list from a set of options.

While this is flexible, open, and that's all good, the lack of a common sense default and a multi-step setup process is probably why like... even I am not using this right now.

If Apple does this by default, it's gonna make a huge dent in Google Analytics' numbers, whereas probably almost nobody uses the feature in IE.

2 more replies

pippy9y ago

Most sites don't obey the do not track header. Edge on the other hand is much more nefarious, by default it sends all data sent by POST requests to Microsoft. I was surprised to find Bing sending data from people who use Edge on my site to try and improve their search results. There are so many security and privacy issues with this it's not funny at all.

1 more reply

cptskippy9y ago

You're joking right? Factory reset your iPhone sometime and note all of the prompts to share and access your data. The only difference between MS and Apple is that Microsoft made the mistake of presenting everything all on one screen instead of breaking it up over 5 or 10 prompts as you use the device.

dkonofalski9y ago

There's a huge difference between being asked if it's ok to share your data and just sharing it by default. Additionally, Apple doesn't offer any kind of way for anyone but you to decrypt your data.

2 more replies

tyingq9y ago· 13 in thread

The big question to me is whether it's enabled by default, and whether it blocks requests to Google Analytics. If so, that's an interesting shot across the bow.

tinus_hn9y ago

You don't need to block Google Analytics to make it more private. You just need to make the user appear to a new user to every site.

So Google may lose data because then they can't track you all over the web, but the websites don't because they still see you as one user.

tyingq9y ago

Maybe I'm overly paranoid, but I assume Google does all sorts of fingerprinting (documented and not) via GA. Why else would it be free if it didn't provide a big upside for Google?

2 more replies

dbbk9y ago

This is actually really concerning to me. If they blocked Google Analytics, it would severely damage that data. It'd be bad news for site owners who just want to quantify their traffic.

icelancer9y ago

....so? Site owners are not guaranteed this access; their script runs on the client computer.

I say this as someone who does a lot of analytical research and re-targeting and would be hurt if this was rolled out on a larger scale; I just don't think I have a right to the data.

1 more reply

Doctor_Fegg9y ago

The article says (my emphasis):

> segregate the _cross-site_ scripting data

So if you "just want to quantify your traffic", use self-hosted Piwik (i.e. not cross-site), as many of us do already.

1 more reply

draw_down9y ago

Welp. Sorry.

rimliu9y ago

Well, back to log files. Which may no longer work with the latest and greatest JS framework :(

Antrikshy9y ago

I hope it's not enabled by default so it doesn't ruin analytics data for web masters. I personally don't see any reason to turn it on either, so...

hoschicz9y ago

Does Analytics do some tracking by default? Or only if you enable the advanced demographics options, which enable DoubleClick?

tyingq9y ago

The fact that it's free for site owners suggests it has some benefit to Google, so I assume heavy fingerprinting and tracking.

magicalist9y ago

What would it block? The JS file? Analytics only sets a cookie on the site using it, not one that works across sites.

tyingq9y ago

Cookies are one way to track users. They are not the only one. Google Analytics is so ubiquitous...I can't see Google missing the opportunity to leverage it.

smitherfield9y ago

Speaking of shots across the bow, I'm surprised they've never put an ad-blocker in Safari.

hellofunk9y ago· 12 in thread

It's unclear to me how these "trackers" work? How do they track you, is it cookies, or what?

fjarlq9y ago

A decent overview: https://panopticlick.eff.org/about

Test your browser: https://panopticlick.eff.org/

hellofunk9y ago

That site is interesting, and it shows you that 1 of X browsers resemble a particular fingerprint ingredient.

I found this one rather interesting, it was the most unique of the ones listed:

HTTP_ACCEPT Headers

One in several thousand have the same headers as me. But the headers themselves are quite a small little string, I'm surprised it is that unique.

bauerd9y ago

Probably most (if not all) fingerprinting sources are showcased by fingerprint.js: https://github.com/Valve/fingerprintjs2

Cyph0n9y ago

For a second I thought "why in the world is Valve maintaining this". Confusing username to be frank.

throwaway20489y ago

It is essentially impossible to enumerate all the ways browsers leak fingerprintable information.

2 more replies

TallGuyShort9y ago

In practice, User-Agent strings (which are just HTTP headers) have been shown to be pretty effective at uniquely identifying and tracking most people. So even disabling JavaScript and Cookies only goes so far.

gruez9y ago

Source? Because the only information contained in user-agent strings in modern browsers are browser version (realistically limited to vendor since browsers auto-update) and operating system version. So basically all you're going to get is (Chrome/Firefox/Edge/Internet Explorer/Safari on Windows/Linux/Mac), which isn't much.

4 more replies

Pete_D9y ago

Maybe the next frontier in browser anti-tracking is to stop sending a User-Agent header, or to build in functionality like one of the browser add-ons that randomly pretend to be different browsers.

Sir_Cmpwn9y ago

There are a number of ways. Cookies are one, but you can also collect other kinds of data from a web browser to uniquely identify a user across multiple sessions. Generally speaking, if you can run JavaScript, you can track the user. This is done by all advertisers and most little widgets like Facebook or Disqus comments, like and tweet buttons, etc.

amelius9y ago

> This is done by all advertisers and most little widgets like Facebook or Disqus comments, like and tweet buttons, etc.

Why isn't this illegal already?

2 more replies

frio809y ago

It's cookies and the change isn't really earth shattering but it does close the "redirection trick" loophole that some companies were using to track you across domains. See my example here for more specific details: https://news.ycombinator.com/item?id=14493373

om29y ago

Most trackers use cookies or other client-side state to track you across the web. There's also various fingerprinting techniques but they are less reliable.

code4tee9y ago· 11 in thread

Sounds like this is more in line with what they did with ApplePay vs traditional credit cards--I.e. They give you randomized IDs each time so the other party can't track you from transaction to transaction. Adds can still appear but they won't know who you are, so it's a direct shot at Google and others looking to give people "targeted" adds based on user behavior. I agree it's an issue that needs addressed. Just because I searched for X two days ago doesn't mean i want to see adverts on X for the next two months.

abalone9y ago

Apple Pay does offer enhanced privacy by not transmitting your name along with your card number, but it doesn't randomize the number with every transaction. In fact you may not want that as it would disrupt email receipt systems and loyalty programs (absent some parallel mechanism).

Apple Pay does something called tokenization, and the goal is more fraud protection than privacy. It generates one new number at card enrollment and uses that exclusively. By using a unique account number which can only be issued by Apple Pay devices, it means it doesn't matter if someone hacks the merchant and steals your number. They can't use it without the associated Apple Pay generated cryptogram, secured by your PIN / fingerprint.

Honestly the enhanced security of Apple Pay is underhyped. It's really great.

ianai9y ago

I think I just inched toward using Apple Pay. I've been very skeptical until now.

1 more reply

digi_owl9y ago

Sounds to me like they basically transferred chip-and-pin online.

Maybe it is magical in the American sense, but i can't say i get the big whoop from the European side of the Atlantic...

1 more reply

Artemis29y ago

Note regarding Apple Pay: due to the way credit card networks implement network tokenization, online merchants can actually track you across multiple transactions. You get a per-device ID, of which you can have at most 10 per card (for Visa). Ideally, unique payment tokens would be derived from these IDs for each transaction. In reality, the ID is sent along with a random cryptogram for each transaction, leaving tracking possible (on the same device only). This is because these tokens have to be in the same format as card numbers, and the ranges available to issuers are rather limited.

danudey9y ago

I've had that problem before as well. My wife was going to Mexico and looking for a new swimsuit, and so I was hitting up the SwimCo website. Cue three months of women's swimwear ads from SwimCo – and nothing else. Almost every single ad on every single page was the same ad in different shapes, all of them for SwimCo.

Recently too I've noticed that Amazon is putting ads in my Instagram feed for specifically things that I've looked at on Amazon within the last day or two. I'll literally click a link to a book or do a search, and then four hours later it'll show up in an ad in the app.

Aside from being kind of pointless (I already know about these items, why are you showing them to me later that day?), it's also all kinds of creepy and unsettling to see Amazon advertising six things I've seen recently, and not even on the same device I was viewing them on.

weavie9y ago

Whats worse is when colleagues at work can look over your shoulder and see everything you are considering buying. Luckily for me my purchasing habits are pretty mundane, but I can imagine this could get quite embarrassing for people shopping for more risky items.

1 more reply

Darthy9y ago

That's actually not how ApplePay works. You get a new randomized credit card number, but only once. Shops can still track you by checking for the number. You can check that yourself by looking at receipts when you pay with ApplePay - each receipt features the same numbers (most receipt only show the last 4 digits, but they are always the same when you pay with ApplePay).

jarcoal9y ago

Indeed, I observed this because our local grocer asks for your email address when checking out so it can send receipts there. After providing mine it never asked again.

It would be really cool if it generated new numbers each time and had an amount coded to that number. So when I wave my Apple Pay device over the reader it would display the amount on the device, I would approve, and then a number would be handed back that's only good for that amount.

ljoshua9y ago

Is it a randomized number per card per merchant, or just a randomized number per card?

2 more replies

needusername9y ago

Nothing about the new PAN is randomized. It's valid PAN pointing to a dedicated, valid BIN range and has a valid Luhn checksum.

MadWombat9y ago

"Just because I searched for X two days ago"

But would you rather see ads for something you might be interested in (however tangentially) or something completely random? Personally I prefer the former, as long as there is some basic sanity filtering involved.

vim_wannabe9y ago· 6 in thread

>“It’s not about blocking ads, the web behaves as it always did, but your privacy is protected,” he added.

Does this mean browser fingerprint is somehow scrambled before it is sent to the tracker instead of blocking?

3pt141599y ago

Stopping fingerprinting right now is essentially impossible for a motivated attacker. It's enough to block the dumb trackers, but as long as performance is a consideration caches will exist. And as long as caches exist, so will fingerprinting.

Darthy9y ago

I doubt the next Safari also addresses browser fingerprinting. Otherwise, Apple would have mentioned it. Most likely, ad networks will adopt browser fingerprinting over the next few months, and then Apple will introduce some solution to that in a year or two.

oliyoung9y ago

It looks like the same pattern as the way Apple scrambles Bluetooth MAC addresses and credit card numbers

ceejayoz9y ago

> Does this mean browser fingerprint is somehow scrambled before it is sent to the tracker instead of blocking?

It might be homogenized instead of scrambled. Every iOS device could be given (barring IP etc.) the same fingerprint.

pmiller29y ago

I don't think that's even theoretically possible. How do you block JS font enumeration without crippling the browser font API?

6 more replies

rapind9y ago

But then sites could easily identify and choose to react to that fingerprint. (But maybe that's OK)

binthere9y ago· 6 in thread

Later they demoed they can track your interests in what you've read on the web to show you personalized news on their news app and keyboard autocompletion.

andreyf9y ago

Which would be super creepy if they were a company which is beholden to advertisers for their revenue. But alas, they are not.

oculusthrift9y ago

neither is MS but every thread about them seems to have a top comment crying about telemetry

1 more reply

draw_down9y ago

They're also very careful to specify that this computation takes place locally on the device.

ocdtrekkie9y ago

And if this is true, this is a huge plus, because nobody else is doing it. Because Windows is cloud-based for this stuff, just like Google. None of the 'smart' features of Windows 10 work unless you enable what amounts to a keylogger and the ability to send a lot of extra data about what you do to their cloud service. (Well above and beyond the telemetry most people worry about here.)

ceejayoz9y ago

That'd be first-party tracking. If I'm using an Apple app I expect Apple to know it, but I don't necessarily expect Mixpanel or Google Analytics or Segment.

ksk9y ago

The net result is the same regardless of whether it's an expectation in one case versus an outrage in the other.

frio809y ago· 4 in thread

Looks like this will stop (after 24 hours) some companies from doing an initial redirection to set cookies for tracking purposes... Example:

1. Search Google for hockey sticks

2. Click on search result hockeystick.com

3. hockeystick.com issues a 302 to adcompany.com which then issues a 302 back to hockeystick.com

Why the 302? Because in Safari, you could only access cookies in a 3rd party context if you've seen a domain in a 1st party context. Setting a cookie in adcompany.com in a 1st party context gives you the ability to read that cookie in a 3rd party context which could be used for tracking purposes.

YPCrumble9y ago

Woah - is this what companies that "rent" other companies' pixels like perfect audience are doing to get the pixel data?

flukus9y ago

Won't the browser show an error about a circular redirect? Or does that take a few bounces?

frio809y ago

The URLS would be different. Companies also rewrite internal links as you're navigating a site to accomplish the same thing. Example: https://baycloud.com/thirdparty-redirect

styfle9y ago

It wouldn't be circular if the URL was different, for example:

website.com

ad.com?u=website.com

website.com?loaded

ghughes9y ago· 3 in thread

Here's the official blog post explaining the feature in depth: https://webkit.org/blog/7675/intelligent-tracking-prevention...

aaronbee9y ago

This suggests that Google/Facebook/Twitter will still be able to track you, assuming you use their websites regularly, but advertising companies that don't have pages frequented by the average internet user won't.

Eridrus9y ago

This is going to be a pretty interesting case study in deploying ML in adversarial contexts :)

majewsky9y ago

If I understand this correctly, the obvious counter-measure is for all links on example-recipes.com to go through example-tracker.com, which then immediately redirects to the original website with the linked-to content. Sort of like the weird link URLs in Google's SERPs.

theprop9y ago· 2 in thread

I read https://webkit.org/blog/7675/intelligent-tracking-prevention... which details this.

They're just being a little sophisticated in how they block third-party cookies. This will hardly stop other tracking scripts, tracking images, widely-used fingerprinting techniques and related js calls. So nothing remotely close to even Brave let alone a TOR or the Epic Privacy Browser.

om29y ago

We're trying to do the most extreme thing we can do short of blocking ads. To be more effective, you end up blocking ads, whether intentionally or as a side effect.

This blocks more than just cookies by the way, it affects all client-side state. And client-side state is still the primary and most reliable tool used for tracking, even though other methods exist, such as browser fingerprinting, behavioral fingerprinting, and IP-based tracking.

dzhiurgis9y ago

And something says me that ability to completely block third party cookies is going to just as magically disappear.

flukus9y ago· 2 in thread

Advertisers will finally move their tracking behind their CDN's, which was always the end goal for them and why they were free in the first place.

Then we have a problem where the industry is reliant enough on CDN's that browsers can't simply block access.

yborg9y ago

https://github.com/Synzvato/decentraleyes

eklavya9y ago

Not available for Safari though.

quotemstr9y ago· 2 in thread

Do you want crappy ads? Then go ahead, make tracking more difficult. Tracking helps you see ads for things you actually want to see. It's not some kind of grand conspiracy.

kalleboo9y ago

I have yet to see the supposedly relevant ads that all this targeting is supposed to get me. The closest to targeted I've gotten is seeing stuff I already just bought on Amazon.

greglindahl9y ago

I prefer crappy to creepy. You're welcome to embrace being tracked if you like the reverse.

josefresco9y ago· 2 in thread

"the web behaves as it always did"

Uhhh, not really. Even if the behavior is unwanted, the web will not "behave" the same - otherwise the feature does nothing.

ceejayoz9y ago

They pretty clearly mean that the web behaves the same from the user's perspective.

josefresco9y ago

For example: The user will no longer see the ads for items they may have previously searched for (even if this is unwanted/unpopular) - that's a a change. Sorry to be so pedantic but it's not accurate to say nothing behaves differently.

mmanfrin9y ago· 1 in thread

The cynic in me sees this as cutting off Google, and then tracking within the browser so they become the source of cross-internet tracking. I'd be on the lookout for any new 'personalization' feature that comes in to the browser. E.g. WWDC 2018: 'Today we're happy to announce Siri integration with safari! She will provide personalized recommendations and results by applying machine learning to your documents and data!'

atestu9y ago

They showed this on iOS Safari today:

> Siri now suggests searches in Safari based on what you were just reading. And when you confirm an appointment or a flight on a travel website, Siri asks if you want to add it to your calendar.

Search for "Smarter about you." on this page: https://www.apple.com/ios/ios-11-preview/ Looks like it's done on the device though, End-to-end encrypted with your other devices.

jasonkostempski9y ago· 1 in thread

Does Apple have access the data? Because that wouldn't be any better.

matt_wulfeck9y ago

Almost everything in the keynote happens on device (deep learning, etc).

webuser3219y ago· 1 in thread

Meanwhile Apple is tracking users 24/7.

There is no option to turn off phoning home to Apple in Apple's pre-installed operating systems. Every user of iOS is constantly pinging Apple servers all day every day.

Connect an iOS device to the internet and watch the network. The user is given no control over this. All users are assumed to need Apple's help setting the system time.

The networking functionality of NeXT/Apple's operating systems is based on open source BSD operating system code.

But BSD does not phone home to some organization when you install it. Why not? Surely Apple's approach is the best one for all users, right?

It is amusing to watch these companies proclaim they will block others from tracking and serving ads while continuing to siphon user data themselves, often in ways that are all but transparent to users. Apple can block everyone else, then I can block Apple. OK by me.

Someone in this thread made some comment about Microsoft Edge not tracking users. Do people seriously believe nonsense like that? MS was dumping debug output via DrWatson to the network long before collecting user data for profit was even a strategy.

Connect a Windows computer to the internet and watch the network. All on by default. Unlike Apple, they have no prepared explanation/justification why they need to do this.

And even if they did, who cares? Users prefer not to be tracked. Companies are admitting they know this.

Users could opt-in to tracking if they believed they were getting some benefit.

But that is not how this game works. There is no "opt-in". It is on by default. There was no intention to make tracking a "choice".

Probably because companies know what the choice of users would be and it would not be favorable to the company.

But that is not something we are allowed to discuss.

macintux9y ago

"But that is not something we are allowed to discuss"

I suspect you'd have fewer down votes (and thus perhaps some discussion) without this. Congratulations on the self-fulfilling prophecy.

1 more reply

floatboth9y ago

Firefox (Nightly at least, I don't follow stable :D) also has built-in tracking protection, only in Private Browsing by default (about:config to enable everywhere).

Eric_WVGG9y ago

It says a lot about the state of the web that both Apple and Google are looking at publishers and saying "Look, if you won't fix your websites, we'll fix them for you" (Google in the form of AMP on mobile devices). However, as one of those who subscribes to the opinion that AMP breaks the web, I greatly prefer Apple's approach.

It makes me wonder how many publishers at national newspapers and magazines are even aware of what’s going on.

webuser3219y ago

It is well-known that Apple uses Omniture (acquired by Adobe, aka SiteCatalyst, aka 2o7.net, etc.).

As in 192.168.0.2o7.net. Remember, "SWF" stands for Small Web File. Yes, they actually tried to get users to swallow this when Shockwave Flash started to be used in devious ways, such as to track users.

Omniture's business is third party tracking cookies similar to Google Analytics or KISSmetrics. Not sure and don't care whether Flash is used so much anymore. If too young to rememeber search and ye shall find information about "permanent, Flash cookies" that could not be removed.

Apple is not saying "We will not engage with companies selling third party tracking cookie services." Clearly they are not opposed to third party tracking cookies in principle.

Instead they are announcing some change to their browser. Wow, exciting. It is not clear what exactly this announcement accomplishes for users. Probably nothing. If you are trying to avoid ads and tracking, popular browsers (without extensions, etc.) are not your friends.

kgabis9y ago

Finally, I hope this becomes a common practice from other vendors as well.

horsecaptin9y ago

For those who are technically inclined: https://github.com/StevenBlack/hosts

l0stkn0wledge9y ago

Yes, and in the same keynote, they let Siri track stuff down you 'might' be interested in based on patch searching.

suyash9y ago

Thank you Apple for taking a stand for user's privacy.

MarkMc9y ago

I wonder if this could be good for Google because it has the money and expertise to counter this move by Apple, while smaller ad networks do not.

6590879y ago

Glad to see a player big enough to cause some damage taking this up. At this point, anything that harms Facebook/Google and those trying to mimic their data collection tactics should be considered good for the web and internet.

j / k navigate · click thread line to collapse