Apple Does Right by Users, and Advertisers Are Not Amused

It’s not “destroying the Internet’s economic model.”

By Andrés Arrieta and Alan Toner, Electronic Frontier Foundation:

With the new Safari 11 update, Apple takes an important step to protect your privacy, specifically how your browsing habits are tracked and shared with parties other than the sites you visit. In response, Apple is getting criticized by the advertising industry for “destroying the Internet’s economic model.”

While the advertising industry is trying to shift the conversation to what they call the economic model of the Internet, the conversation must instead focus on the indiscriminate tracking of users and the violation of their privacy.

When you browse the web, you might think that your information only lives in the service you choose to visit. However, many sites load elements that share your data with third parties. First-party cookies are set by the domain you are visiting, allowing sites to recognize you from your previous visits but not to track you across other sites. For example, if you visit first examplemedia.com and then socialmedia.com, your visit would only be known to each site.

In contrast, third-party cookies are those set by any other domains than the one you are visiting, and were created to circumvent the original design of cookies. In this case, when you would visit examplemedia.com and loads tracker.socialmedia.com as well, socialmedia.com would be able to track you an all sites that you visit where it’s tracker is loaded.

Websites commonly use third-party tracking to allow analytics services, data brokerages, and advertising companies to set unique cookies. This data is aggregated into individual profiles and fed into a real-time auction process where companies get to bid for the right to serve an ad to a user when they visit a page.

This mechanism can be used for general behavioral advertising but also for “retargeting.” In the latter case,  the vendor of a product viewed on one site buys the chance to target the user later with ads for the same product on other sites around the web.

As a user, you should be able to expect you will be treated with respect and that your personal browsing habits will be protected. When websites share your behavior without your knowledge, that trust is broken.

Safari has been blocking third-party cookies by default since Safari 5.1, released in 2010, and has been key to Apple’s emerging identity as a defender of user privacy. Safari distinguished between these seedy cookies from those placed on our machines by first parties – sites we visit intentionally. From 2011 onwards, advertising companies have been devising ways to circumvent these protections. One of the biggest retargeters, Criteo, even acquired a patent on a technique to subvert this protection.

In order to present themselves as a first party, Criteo had their host website include code on the internal links in their website to redirect when clicked. So if you click on a link to jackets in a clothes store, your click brings you for an instant to Criteo before forwarding you on to your intended destination.

This trick makes them appear as a first party to your browser and they pop up a notification informing you and stating that by clicking on the page you consent to them storing a cookie. Once Safari accepted a first party cookie once, that site was allowed to set cookies also when it was a third party. So now they can retarget you elsewhere. Other companies (AdRoll, for example) used the same trick.

Criteo, however, was not the first company to circumvent Safari’s user protection. In 2012, Google paid 22.5 million dollars to settle an action by the FTC after they used another workaround to track Safari users with cookies from the DoubleClick Ad Network. Safari had an exception to the third-party ban for submission forms where the user entered data deliberately (e.g. to sign up). Google exploited this loophole when Safari users visited sites participating in Google’s advertising network to set a unique cookie.

The new Safari update, with Intelligent Tracking Protection, closes loopholes around third-party cookie-blocking by using machine learning to distinguish the sites a user has a relationship with from those they don’t, and treating the cookies differently based on that. When you visit a site, any cookies that are set can be used in a third-party context for twenty-four hours. During the first twenty-four hours the third-party cookies can be used to track the user, but afterward can only be used to login and not to track. This means that sites that you visit regularly are not significantly affected. The companies this will hit hardest are ad companies unconnected with any major publisher.

At EFF we understand the need for sites to build a successful business model, but this should not come at the expense of people’s privacy. This is why we launched initiatives like the EFF DNT Policy and tools like Privacy Badger. These initiatives and tools target tracking, not advertising. Rather than attacking Apple for serving their users, the advertising industry should treat this as an opportunity to change direction and develop advertising models that respect (and not exploit) users.

Apple has been a powerful force in user privacy on a mass scale in recent years, as reflected by their support for encryption, the intelligent processing of user data on device rather than in the cloud, and limitations on ad tracking on mobile and desktop. By some estimates, Apple handles 30% of all pages on mobile.

Safari’s innovations are not the silver bullet that will stop all tracking, but by stepping up to protect their users’ privacy Apple has set a challenge for other browser developers. When the user’s privacy interests conflict with the business models of the advertising technology complex, is it possible to be neutral? We hope that Mozilla, Microsoft and Google will follow Apple, Brave and Opera’s lead. By Andrés Arrieta and Alan Toner, Electronic Frontier Foundation.

Short seller Carson Block was victimized by the Equifax hack and his personal data was stolen. He sues for $500,000. But he isn’t the only one. Read…  Lawsuits Against Equifax Pile Up. But Where Are the Handcuffs?

Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.



  35 comments for “Apple Does Right by Users, and Advertisers Are Not Amused

  1. Maximus Minimus says:

    My few cents:
    Use different browsers for different purposes. There are enough of them: Firefox, Seamonkey, Opera, and even Google Chrome, and IE.

    Avoid using Chrome and IE if you can for obvious reasons.

    Use one browser to visit trash sites which you suspect use tracking cookies. In this browser, clean all browsing history as frequently as possible.

    You can block third party cookies in many browsers, or you can use “Do not track” option.

    • Shawn says:

      Thanks very good advice on a very good article. Ghostery addon can stop trackers.

      • Maximus Minimus says:

        Ghostery was acquired by some Silicon Valley company/VC. I stopped using it right after that. This is an old tune.

    • zoomev says:

      torproject browser!

    • Carlada says:

      Use “New Private Window” in Firefox—it “does not save visited pages, searches, cookies, temporary files”. More and more, I like to use this for sites that have access to my full name, SSN, etc. Mozilla needs to focus on these technologies and not SJW crapola!

  2. Bobby Dale says:

    The very same companies complaining about Apple and user privacy support “net neutrality” as if it were some Constitutional right. Google, Facebook and their ilk are equivalent to Equifax, Experian and TransUnion in that users are the product.

  3. Anon1970 says:

    On Firefox, you have the option to eliminate cookies when you close the browser. It is a great work around for web sites that want to limit your access to a certain number of visits per month free of charge.

    The Brave browser does a great job eliminating ads with its built in ad blocker. But it may give you problems if you want to post comments.

    Before the Great Recession, many web sites used to abuse their visitors with too many junk ads. The mortgage companies were among the worst. Then somebody came up with the idea of a free ad blocker.

    Expect the cat and mouse game to continue.

    • Carlada says:

      Use “New Private Window” in Firefox—it “does not save visited pages, searches, cookies, temporary files”. More and more, I like to use this for sites that have access to my full name, SSN, etc.

      I’m going to try your tip to access articles on AutoNews.com — they recently went from 2 free articles to 1. So I went to 0. Not too bright!

  4. Jeff bezos says:

    No one uses Safari.

    If the most impenetrable safe box in the world is alone in the forest and it falls… would anyone hear it?

    See for yourself.

    http://gs.statcounter.com

    Apple doesn’t care about it’s users. Its a tax dodger and uses slave labor to maximize profits.

    Apple made safari safe just because safari doesn’t matter and Apple can milk this PR to make writers think they’re the good guys and then tout their praises.

    Selling a $1000 iphone was a bad move. You’ll see. The apple line-waiters for every new product will soon revolt.

    Apple is rotten to the core and it’s only gonna get worse as apple and amazon race to be the first trillion dollar company.

    Dont get me started on amazon and its nose bleed pe ratio.

    My rant is over. Need to get some coffee from starbucks before i start banging on my mac air keyboard again…

    • Wolf Richter says:

      This article was about MOBILE in the US. Your chart shows desktop, mobile, tablet, and console, for the ENTIRE world. So already, this is way off.

      In the US on mobile, Safari’s market share = 50% … by a wide margin ahead of #2 Chrome (38%).

      http://gs.statcounter.com/browser-market-share/mobile-tablet/north-america/#monthly-201608-201708

      Even globally, Safari on mobile is #2 with a 19% share. But again, this was about the US.

      So Apple dominates mobile in the US and is a big factor globally. After these data points, the rest of your diatribe is just funny.

      • Al Loco says:

        Thanks for the clarification, I missed that also. Does it even matter though? Most sign their lives away with free apps anyway. Facebook wants my mobile info so bad that I cannot use messenger or marketplace anymore because I stay Web based. I don’t know anyone that even reads the permissions to these apps.

    • chip javert says:

      Dear Jeff

      Thanks for demonstrating you don’t have a clue.

      Good rant, but almost fact-less…

  5. Truth Always says:

    I love it; i think Google, Facebook and other ad networks have too much power which needs constraints.

    While not fond of Apple personally; I may switch to an iPhone just because of this.

    And if Trump appoints Peter Thiel as some sort of privacy or other czar and who has animus against Google – things would be very interesting.

    The cynic in me thinks Trump would use Peter Thiel to extract retribution against Google who was very vocal against the Trump campaign – so if Google gets hit- Trump benefits in the next election or at least gets revenge. Consumers might get collateral benefit if Google gets limited

  6. Shawn says:

    Wow, so the real “Don’t be Evil” slogan should go to Apple not Google. I guess switching to an android phone is now on the back burner for me.

    • Bobby Dale says:

      “Don’t be evil” though still an official Google motto, went out as a philosophy somewhere around August of 2004. Alphabet uses “do the right thing” which would have different meanings to James Clapper and Julian Assange.
      Apple, under the guidance of Tim “buyback” Cook is not a paragon of corporate virtue, but they do profess to respect individual privacy.

      • Kent says:

        Apple doesn’t make its money by selling advertising. So it is one place they can act non-evil.

      • nick kelly says:

        A timid Cook allowed himself to be shaken down by Icahn after the latter bought about one percent of the shares. Then they went to lunch.
        Whatever the merits of what happened next, Jobs probably wouldn’t have taken Icahn’s call.

      • alex in san jose AKA digital Detroit says:

        “do the right thing” – for the stockholders.

    • Maximus Minimus says:

      “Don’t be Evil”, the marketing slogan for/of the 21st century, so far.

    • Wolf Richter says:

      Don’t go too far in sanctifying Apple :-]

      It does collect all your data. It just doesn’t want others to access it and use it to track you.

  7. TJ Martin says:

    Yup … thats why we only use Apple’s ( since the Apple II ) …. pay for the majority of our non-confedential email / internet ( so’s I can block and spam what ever and who ever I wish to as well as anonymous addresses ) and for any private/confidential etc use protomail.ch along with the browsers they have on offer .

    Suffice it to say Protomail aint perfect ( nobody is ) but they’re leagues ahead of the rest

    • TJ Martin says:

      Oh … and unlike the majority of the rest Safari allows you to clean out all cookies etc with a couple of key strokes … which I do religiously at least every other week

      Now where is that pesky Wolfstreet cookie ? ( just joking )

  8. michael says:

    I suspect that Apples intent is less individual privacy and more limiting others ability to monopolize their users activities. More for their own purposes. They are all “evil”

  9. J Bank says:

    Another example of doing right by customers: making the previous phone models obsolete via updates once their new $1,000 phone is released.

    Good joke.

  10. cdr says:

    It takes a lot of know-how and discipline to keep the intrusive internet away. I use sandboxes, router-based ids/ips, VPNs on occasion, ad blockers on browsers, ram disks, ad blockers at the router level, normal antivirus, and the recently compromised but still trusted ccleaner. (tin foil hats don’t work)

    Since free internet requires advertising to exist, I suspect Apple might be tip-toeing into something more exclusive with respect to ad-sales … “The others won’t get through … Now you deal with Us.”

  11. Kenny Logins says:

    This is why a vpn with filtering is a good idea.
    You then get robust server side protections blocking all manner of not good stuff on any old device/browser.

    Ie, cryptostorm seems to make iPhone web use (which is generally very unconfigurable) really good.
    No ads, super fast loading, blocked tracking sites, etc.

    Yes android is more configurable but then it’s Google too… soo.

    Anything that ‘breaks’ the internet model is good.
    It’s a terrible model.
    The only real losers are those selling trash any way.
    Anyone with real value to offer can subsidise it or find other income streams.

  12. Jim Graham says:

    Hummmm…

    This info has got me thinking. I have always thought that the iPhone was just a very very overpriced toy for people with a overblown ego.

    I am beginning to think that I may be wrong about a few of the iPhone users – the ones with a brain and the ability to use it.

    I may have to pony up the money and buy one of the darned things….

    That thought hurts.

    • alex in san jose AKA digital Detroit says:

      I’m keeping my flip phone until it dies.

      Then I might get another flip phone. I’m unsure, as everyone uses text these days and not being able to (easily) do text might be the equivalent of not being “on email” in the 90s/early 2000s. I’d also not mind having a decent camera with me, because I see a lot of bitchin’ stuff around San Jose I’d like to get photos of, maybe put ’em in a blog.

  13. penfold dangermouse says:

    irrespective of cookies, your browser/computer has a fingerprint (determined via OS build, browser, installed fonts, etc) that advertisers can track.

    google “panoptclick”

    https://panopticlick.eff.org/

    • Kenny Logins says:

      This is the most subversive thing.

      I’ve found my iPhone less unique than my desktop, and so with Brave set up via Cryptostorm vpn, the iPhone is pretty good for most browsing by laymen.

      But for privacy work on pc you just go full militant and spoof/block/disable the rest if you care.
      But it’s arguably harder to leave no trace on pc these days in my experience.

  14. Ronnie says:

    Go to safari in General.
    Block on as much as you want
    Click delete cookies.
    This cleans the record.
    I do it after using the phone/iPad/mac.

    Apple told me how to do it.
    Very helpful

  15. mean chicken says:

    The internet in it’s entirety is priceless! Man’s best invention since the military industrial complex.

  16. G says:

    Mobile privacy is greatly reduced compared to desktop. Noscript, an adblocker like bluhell and the random agent spoofer make Firefox much more private by blocking advanced recognition techniques. Almost every website tracks the installed fonts and when that does not work tries html5 canvas fingerprinting. That is as intrusive as 3rd party cookies but much harder to control.

  17. raxadian says:

    When people at a bank insist that I use their online services my answer is “So you are actively working to get fired and replaced by a machine?”

    Just when they insist that is safe, we get several months of data leaks… will 2017 be know as “data leak year” by hackers?

    If I still bought newspapers I should start to save the ones that mention data leaks and just show them the next time they insist home banking is “safe”.

Comments are closed.