Apple's Intelligent Tracking Protection can be exploited to track Safari users, says Googl...
Apple's enhanced privacy tools in Safari to prevent tracking can be used to continue tracking users, Google researchers intend to reveal in a paper, with a total of five different attack vectors identified in Apple's Intelligent Tracking Prevention system.
Intelligent Tracking Protection is designed to minimize the amount of data that is generated by users browsing website, that could be tracked by digital marketers to construct a profile of the user. By cutting down what data is available, Apple intended to make it harder to create the profiles and to track the user's movements.
In a soon-to-be-published research paper, Google has come up with a number of flaws in how ITP functions, that could allow users to continue to be tracked, reports the Financial Times. The five different attack types could allow third parties to acquire "sensitive private information about the user's browsing habits," according to the paper.
"You would not expect privacy-enhancing technologies to introduce privacy risks," security researcher Lukasz Olejnik proposed to the publication. The flaws, if exploited, would "allow unsanctioned and uncontrollable user tracking."
It is claimed the way ITP functions to detect and learn user behavior is why the potential for information leaks and tracking could occur. Google researchers write the data is exposed "because the ITP list implicitly stores information about the websites visited by the user."
Researchers were also able to use a flaw to create a "persistent fingerprint" of a user for easier tracking of online browsing, while another issue was able to determine what users searched for via search engines.
Apple has acknowledged the flaws during a blog post about security updates in December, but did not confirm if the flaws had been patched in Safari. Apple privacy engineer John Wilander publicly thanked the researchers "for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection."
So far, Intelligent Tracking Prevention and Apple's other similar tools are performing sufficiently enough that it is causing issues for the advertising industry. Ad executives have lauded ITP as being "stunningly effective," with some firms reporting a 60% decrease in pricing for targeted Safari ads.
Intelligent Tracking Protection is designed to minimize the amount of data that is generated by users browsing website, that could be tracked by digital marketers to construct a profile of the user. By cutting down what data is available, Apple intended to make it harder to create the profiles and to track the user's movements.
In a soon-to-be-published research paper, Google has come up with a number of flaws in how ITP functions, that could allow users to continue to be tracked, reports the Financial Times. The five different attack types could allow third parties to acquire "sensitive private information about the user's browsing habits," according to the paper.
"You would not expect privacy-enhancing technologies to introduce privacy risks," security researcher Lukasz Olejnik proposed to the publication. The flaws, if exploited, would "allow unsanctioned and uncontrollable user tracking."
It is claimed the way ITP functions to detect and learn user behavior is why the potential for information leaks and tracking could occur. Google researchers write the data is exposed "because the ITP list implicitly stores information about the websites visited by the user."
Researchers were also able to use a flaw to create a "persistent fingerprint" of a user for easier tracking of online browsing, while another issue was able to determine what users searched for via search engines.
Apple has acknowledged the flaws during a blog post about security updates in December, but did not confirm if the flaws had been patched in Safari. Apple privacy engineer John Wilander publicly thanked the researchers "for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection."
So far, Intelligent Tracking Prevention and Apple's other similar tools are performing sufficiently enough that it is causing issues for the advertising industry. Ad executives have lauded ITP as being "stunningly effective," with some firms reporting a 60% decrease in pricing for targeted Safari ads.
Comments
So ITP is successful in "making it harder". The fact that there's more than can be done is why they invented the word "evolution". It would be unreasonable for anyone to expect perfection out of the gate or to last forever in a digital world that is always changing.
https://techcrunch.com/2019/08/22/google-proposes-new-privacy-and-anti-fingerprinting-controls-for-the-web/
https://www.techrepublic.com/article/why-google-plans-to-cut-off-support-for-third-party-cookies-in-chrome/
In fairness a lot has changed in 8 years. Google is now at the forefront in offering ways for people to maintain their privacy and security when life requires that they use the internet. You don't have to accept defaults which nearly always lean in favor of the service provider whether it be Apple, Google, or Microsoft.
Sidenote FWIW:
*The reason Apple is able convince Google to pay $B's for the privilege of being the default search provider is because of some fine print that allows Google (and Facebook too but whatever) to remain relatively unaffected by Safari's 3rd party blocking. If Apple actually cut off Google access to Apple Safari users then they would cut themselves out of a huge amount of profit. The big techs are going to protect their revenue streams and not cut off their noses.