Major new policy from WebKit, with inspiration credit given to Mozilla:

We treat circumvention of shipping anti-tracking measures with the
same seriousness as exploitation of security vulnerabilities.

If a party attempts to circumvent our tracking prevention methods,
we may add additional restrictions without prior notice. These
restrictions may apply universally; to algorithmically classified
targets; or to specific parties engaging in circumvention.

We do not grant exceptions to our tracking prevention technologies
to specific parties. Some parties might have valid uses for
techniques that are also used for tracking. But WebKit often has
no technical means to distinguish valid uses from tracking, and
doesn’t know what the parties involved will do with the collected
data, either now or in the future.

There are practices on the web that we do not intend to disrupt,
but which may be inadvertently affected because they rely on
techniques that can also be used for tracking. We consider this to
be unintended impact.

Equating tracking with malware and security exploits is a major policy change, and absolutely correct. Notably, they are not respecting commercial interests at all. The user’s privacy comes first, and if there is commercial collateral damage from that, fuck it:

WebKit will do its best to prevent all covert tracking, and all
cross-site tracking (even when it’s not covert). These goals apply
to all types of tracking listed above, as well as tracking
techniques currently unknown to us.

If a particular tracking technique cannot be completely prevented
without undue user harm, WebKit will limit the capability of
using the technique. For example, limiting the time window for
tracking or reducing the available bits of entropy — unique data
points that may be used to identify a user or a user’s behavior.

Hopefully, this will help close the email tracking-pixel loophole as well.

The ball is now in Chrome’s court to follow suit. I think Google could aggressively close these same privacy-invasive loopholes without losing their ability to serve targeted ads — they’d simply be limited to serving targeted ads to users who sign into Chrome with their Google accounts.
★ Wednesday, 21 August 2019