back to article Apple arms web browser privacy torpedo, points it directly at Google's advertising model

Apple's WebKit team, which develops the plumbing beneath the iGiant's Safari browser, has proposed a way that online ads can be measured while maintaining the privacy of those browsing the internet. The proposal is called Privacy Preserving Ad Click Attribution For the Web and its available for testing as an experimental …

  1. JohnFen Silver badge

    A start

    "If privacy-preserving attribution takes hold, the hardest hit companies are likely to be marketing attribution platforms"

    Hey, it's a start!

    I don't use iThings, but if other browsers were to implement this, I'd still consider it insufficiently protective and would continue to use all the same defenses I'm using now.

    1. big_D Silver badge
      Boffin

      Re: A start

      It sounds like a plan to push the marketing middlemen onto the B-Ark.

      I see no downsides.

    2. BebopWeBop Silver badge

      Re: A start

      A start, but I suspect that Google and others are far too keen on maintaining that information to give up easily. Some mandate (with proper teeth) will be required.

      1. DougS Silver badge

        Re: A start

        If Safari and Firefox support it, and they can get Microsoft on board, then it would be interesting to see what excuse Google comes up for being the lone holdout.

    3. Charlie Clark Silver badge

      Re: A start

      It's certainly an interesting start for a discussion and I can see it getting the regulatory thumbs up in some countries.

  2. DeKrow

    Apple Ad-Blocking?

    Is there any reason, other than not wanting to REALLY piss off Google and FB, that Apple don't create their own ad-blocking system within Safari?

    It'd be a huge end-user-privacy marketing win for them. But then would they also piss off all the marketing execs that make bank from online stalking to the extent that they'd turf their iDevices in protest?

    Another side-effect, I suppose, would be that if they can do it in Safari then they can do it system-wide and therefore potentially torpedo all ad-supported apps in the process and decimate their developer base.

    How much do Apple, Google and FB depend on each other? Probably just as complex as the US-China relationship. Maybe Apple system-wide ad-blocking would be equivalent to a declaration of war.

    1. Headley_Grange Silver badge

      Re: Apple Ad-Blocking?

      Firefox's Content Blocking feature stops a fair number of websites working properly so perhaps Apple are wary of doing the same for Safari.

    2. big_D Silver badge

      Re: Apple Ad-Blocking?

      Apple is a big target to sue, if they block your livelihood.

      I use a Pi-Hole at home, which is a great solution, but doesn't work, obviously, when I'm out and about.

      1. Spiz

        Re: Apple Ad-Blocking?

        Have you got a spare box (or even the same box) that you could plonk OpenVPN onto? Quite easy to set up and you could set the DNS servers for the OpenVPN connections to the Pi-Hole. Then Set OpenVPN to be "always on" on your mobile/tablet and hey-presto: No ads, no SSL inspection on dodgy WiFi.

        Works quite nicely for me.

        1. big_D Silver badge

          Re: Apple Ad-Blocking?

          Yes, that would be possible and I've been thinking about implementing it.

        2. Graham Cobb

          Re: Apple Ad-Blocking?

          The PiHole's days may be numbered.

          My understanding is that both DNS-over-TLS and DNS-over-HTTPS will prevent it working. Google seem to be testing both in Android. I don't know whether Apple has said anything.

          1. big_D Silver badge

            Re: Apple Ad-Blocking?

            Pi-Hole can already be configured with DNS over TLS and DNS over HTTPS - it isn't configured as standard, but can be (fairly) easily added.

      2. JohnFen Silver badge

        Re: Apple Ad-Blocking?

        "Apple is a big target to sue, if they block your livelihood."

        What basis would such a lawsuit rest on?

        That aside, Apple also has an enormous pile of cash to defend themselves against a lawsuit with. Unless the suit had some solid merit behind it, it would be rather easy for Apple to, at worst, bankrupt whoever is suing them by stretching out the court cases and increasing the litigant's expenses beyond their capacity to afford it.

    3. Graham Cobb

      Re: Apple Ad-Blocking?

      They don't want websites blocking iDevices access (or even just not bothering to optimise for them -- Apple sell the best experience). So, they are trying to create a middle ground where advertising still works but iDevices protect the most privacy.

      I support their goals, although I would prefer them to also allow a competitive browser environment with non-Safari browsers allowed.

    4. DougS Silver badge

      What about sites that detect ad blockers?

      Or modify their content to look like ads so it "accidentally" gets blocked, forcing people to turn off their ad blocker for that site to see the content?

      I think it would be great in theory for Apple to do this, but the companies that want to force ads on us wouldn't take it lying down and would find ways to get them back. They could go out of their way to make their site function poorly with slowdowns or crashes on Safari, and put a "best viewed with Google Chrome" icon on top, making people think it is Safari's fault. Or block certain functionality when Safari was used. Just make it enough of a pain that anyone can easily use a different browser instead would probably do it just to avoid the hassle.

      I mean, if it was such a great idea to do this with no downsides Firefox would have done it a decade ago, and never lost its lead over Chrome. They built in a pop up blocker before any other major browser, so they obviously will do stuff like this when they think it will work out.

      1. Headley_Grange Silver badge

        Re: What about sites that detect ad blockers?

        "Or modify their content to look like ads so it "accidentally" gets blocked, forcing people to turn off their ad blocker for that site to see the content?"

        Then I don't see the content. Fair dos - they have a right to get paid for their work, but my experience is that most sites abdicate responsibility for what advertisers can do to the web page, browser and PC cos it's easier for them to do that than to take responsibility for their sites. If it's news I'll search elsewhere for it if I'm interested. Otherwise I'll struggle by without it.

  3. Claverhouse Bronze badge

    Apple's WebKit team, which develops the plumbing beneath the iGiant's Safari browser,

    Might even inadvertently, give the idea that WebKit is Apple's own dear child, rather than something adopted, thanks to it being Open Source, from a greater project than Apple, KDE.

  4. Updraft102 Silver badge

    It's a way of providing click attribution – linking an ad click to an event like a purchase – that lets advertisers measure ad effectiveness without relying on potentially invasive cross-site tracking.

    They should do it the old way, as they did with newspaper ads, radio ads, non-smart TV ads, and billboard ads. It worked for all those years with the only metric being that sales either increased or did not increase. Of course, it wasn't possible in those days, but just because it is possible now doesn't mean it's a good idea. (Yes, cue the Dr. Malcolm/Jeff Goldblum clip here).

  5. alain williams Silver badge

    So what is to stop the user ...

    clearing out the browser once a day so that the delayed sending of attribution data never gets sent. Seems even better to me.

    1. Doctor Syntax Silver badge

      Re: So what is to stop the user ...

      My own approach now, for many sites, is to fire up a separate browser which has its history cleared on close-down. Do what's needed on that site and then close down.

    2. Charlie Clark Silver badge

      Re: So what is to stop the user ...

      Nothing, but how many would do this.

      Even though I've been blocking ads for over 15 years I understand that advertising is legitimate and that wanting to track the success of particular campaigns also. But to do so does not require the tracking of users across the web, just a signal that, yes, the sale did come from a particular campaign.

      1. Updraft102 Silver badge

        Re: So what is to stop the user ...

        Nothing, but how many would do this. ("This" means "clearing out the browser once a day so attribution data never gets sent".)

        You mean some people don't do at least that?

        I don't just clear cookies and local storage once a day... I do it each time a browser tab is closed or idle for a while (it gets unloaded) as well as whenever the browser is closed, not to mention that I manually clear everything before and after using any Google service (Facebook is blocked completely, so no worries there). My ISP uses dynamic IPs, so all it takes is a reboot of my router to change it, which I do frequently too. Why make it easy for them? If they want ad revenue, that's fine. Show an ad that does not animate, make noise, or get in the way of doing whatever I came for, and make sure it doesn't track me in any way. There's this idea out there that you can't have advertising without tracking, but they're not the same thing. You can have ads without tracking and tracking without ads!

    3. DougS Silver badge

      Re: So what is to stop the user ...

      Nothing would stop you, but why? If your personal information isn't being handed over, what difference does it make if there's an anonymous tick in a box "saw ad X, clicked on ad X, bought item advertised in ad X".

      If you never click on an ad there's nothing for it to send back. But this would be a way to send a message to advertisers that you hate invasive ads. If you see a 'polite' ad for something you plan to buy, you could click on it before making the purchase as a way of saying "good job on not making a shitty ad that tries to cover my page or fool me into thinking it is a Windows error message".

      1. JohnFen Silver badge

        Re: So what is to stop the user ...

        "If your personal information isn't being handed over, what difference does it make if there's an anonymous tick in a box "saw ad X, clicked on ad X, bought item advertised in ad X""

        How do you define "personal information"? This scheme uses an advertising ID, and I consider such IDs as personal information.

        In any case, while Apple's proposal is better than nothing, it's not nearly "anonymous" enough for me to feel comfortable using it instead of real defenses.

        1. DougS Silver badge

          Re: So what is to stop the user ...

          You consider an ID that ranges between 0 and 63 (per the article) as not anonymous enough?

          1. JohnFen Silver badge

            Re: So what is to stop the user ...

            I don't see in the WebKit writeup where it says the IDs are limited to 0-63. What it says is that campaign ID is limited to 6 bits. However, I also don't see a mention of an advertising ID at all, so I'm not sure where I got that from.

            In any case, the ID isn't why I consider it insufficient. I consider it insufficient for a number of other reasons, including the dependency on tracking pixels. The whole scheme also relies on trusting the websites and (to a lesser extent) ad agencies to play fair.

            I'm not saying that the scheme is bad at all. I'm just saying that it is not as protective as my current methods are.

    4. fidodogbreath Silver badge

      Re: So what is to stop the user ...

      Firefox has an option to clear all cookies on exit, except for those on a whitelist.

  6. T. F. M. Reader Silver badge

    "our solution ... dramatically limits the entropy of data passed between [intermediaries]"

    I don't think the word "entropy" means what he think it means. Hint: it's not a synonym for "information". Were the entropy passed between the various ad-slingers and merchants "unlimited" there would be no problem in the first place.

  7. Steve Davies 3 Silver badge
    Mushroom

    I'll carry on as before

    and

    1) limit the searching I do on my phone to next to nothing

    2) use Adguard and ublock origin on my MacBook

    3) block 90% of Google and 100% of FB etc on my firewall.

    Ads? You see them? How quaint... /s

    Now if some sites were to stop trying to sell me stuff that is only usable in the USA with embedded adverts (insideevs.com is one) I'd be even happier. It does not need a genius to see the IP address that my request is coming from and find out that it is outside of the USA after all how many sites stop you from watching videos for the opposite reason eh?

    To all ad slingers --> see icon

    1. N2 Silver badge
      Mushroom

      Re: I'll carry on as before

      Agreed,

      AdGuard Pro on my phone seems to kill the slop.

      Hosts file also works well

      To all ad slingers --> see icon

    2. big_D Silver badge
      Boffin

      Re: I'll carry on as before

      Take a look at Pihole (https://pi-hole.net/). A great little DNS server system that is easy to add blacklists to.

      It seems to work, my daughter visited and immediately told me that my Internet wasn't working, because her Instagram couldn't connect. I told her that I had blocked all of Facebook, to which she argued, but this is Instagram!

      A quick conversation later and she was having second thoughts about Instagram as well (having deleted her Facebook account a couple of years ago).

      1. JohnFen Silver badge

        Re: I'll carry on as before

        "A quick conversation later and she was having second thoughts about Instagram as well"

        This warms my heart. Keep up the good fight!

  8. Anonymous Coward
    Anonymous Coward

    Hillarious

    Fooling iIdiots by launch privacy guards, and pretending it's only Google, Facebook and Microsoft doing these things, whilst at the same time hoovering up all their details, and throwing out idiot fuel soundbytes like "Google is an answering business, Appple is a hardware business" for lazy journos to reuse at will..

  9. Doctor Syntax Silver badge

    "The protocol is great, but it may be too big of a change for most ad tech to understand and then deploy,"

    I think they'll understand it only too well. It will let the advertisers see just how effective - or otherwise - all the advertising services have been.

    "You've charged us How Much to get that one sale?"

  10. FrogsAndChips Bronze badge

    "That is why Amazon removed the list of products from order confirmation emails"

    I hadn't noticed. Is that a very recent change, or has it only been implemented on amazon.com but not yet .co.uk?

    1. Giles C

      Re: "That is why Amazon removed the list of products from order confirmation emails"

      Not from amazon uk, just checked the order I made last week for a tripod head.

      Has the name of the head (SIRUI L-10), delivery address, and cost all in the email.

      Mind you it isn’t a gmail account that it was sent to.

  11. tiggity Silver badge

    Don't click on ads usually

    However my (& I guess many others) main hatred of ads goes beyond privacy isses to potential malware issues. Improving privacy is great, but I will use a variety of ad block technology regardless as I just don't trust some of the JS that gets slung out by ad services as we have had so many cases of malware delivery via ads. Ad block is on a par with anti virus as basic computer safety measure. Just revert back to "safe" NO JS texts and images, I'm happy with risk free ads, but not with dangerous ones

  12. Aidan Thornton
    FAIL

    Provides neither trustworthy attribution stats nor reliable privacy

    Advertisers would have to be born yesterday to rely on any data from this Apple scheme. It relies entirely on trusting anything that contacts their website and claims an attribution to be honest when it says that it's a copy of Safari that's seen a conversion from ad campaign X on website Y. If the privacy protections work as intended there's no way for them to verify this by tying the reports to actual orders or visits. Any ad scammer could just set up bots pretending to be copies of Safari reporting successful conversions from ad campaigns on their fake sites and the advertisers would have no way of distinguishing them from the real thing.

    Worse still, I don't think it will reliably give the level of privacy claimed, because in many cases advertisers will be able to use other information such as IP addresses to match customer information with ad attributions anyway. This won't stop fraudsters since they can target scenarios where this doesn't work. It feels like this would fail to protect actual user's privacy whilst simultaneously protecting scammers faking advertising views and conversions.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019