We Need Intelligent Tracking Prevention

Early June has become something of a summer Christmas for those of us who like and use Apple products. Every year, Apple uses this time for the Worldwide Developers Conference, which kicks off with a keynote detailing the next set of major upgrades to Apple’s software platforms. Of course, most of the media attention goes to the flashier new features, and new APIs get a lot of applause from the assembled app developers. But increasingly, Apple also tends to announce something much more controversial to developers: ever-tighter restrictions on what websites can do in Safari.

These changes have included restrictions on autoplaying audio and video that admittedly cause complications for developers working on interactive web content. Another Safari restriction is known as Intelligent Tracking Prevention. It limits how third-party cookies can be used in the background without user action. As my colleague and I discovered this week, it can create some headaches when attempting to maintain sessions and API authentication across multiple domains for legitimate, first-party uses.

https://twitter.com/hayden_dev/status/1033401010776092672

WebKit is the Apple-owned, open-source rendering engine that powers Safari, in case you didn’t know.

It’s not hard to understand why some developers are annoyed by these browser restrictions. Web games, for example, may suffer from not being able to play audio until the user has interacted with the page. But developers need to recognize, as my colleague did, that things like Intelligent Tracking Prevention are great features for users; and more than that, sadly, they have become very necessary features.

Tracking cookies have spread across the web like a plague. Advertisers have gotten addicted to following users around from site to site. For a long time, questionable banner ads have invited users to download sketchy software under a variety of pretexts, in order to get a foothold on their computers to track their activity. Such programs are considered malware, and treated as such by antivirus and Internet security software.

Yet tracking cookies, which are no less of a privacy violation, somehow have been deemed “fair game” by major, legitimate advertisers. Did you know Facebook uses its prolific “Like” buttons around the web to facilitate such tracking, even if you don’t click them? I’d bet a lot of people didn’t, until it got called out at WWDC. (When Safari 12 arrives in macOS Mojave, Intelligent Tracking Prevention will be upgraded specifically to block this behavior.)

And that’s not all. As some browsers and extensions have started cracking down on this unwanted spying, the spies have kept scheming to circumvent those protections. They’ll use contextual data like device configuration to continue tracking users even in the absence of a unique identifier (Safari 12 intends to thwart that as well).

This is why we can’t have nice things.

It’s incredibly unfortunate that all developers now have to deal with these limitations because so many websites and their advertisers have chosen to engage in wildly user-hostile practices for the sake of monetization. And make no mistake, it is a choice. The way ads and intrusive content behave on the web is unlike any other medium of advertising to date.

Imagine browsing through a store in the mall, and then when you leave to explore the rest of the mall, the poster ads follow you out the door. They bounce around in your peripheral vision while you walk, and when you stop at a kiosk, they hop in front of you so you have to push past them to see what the kiosk has to offer.

Imagine reading a magazine, and when you go to turn the page to the article you want to read, you can’t because the previous page has an ad. You have to look at the ad for at least ten seconds before the page will turn. When you finally can turn the page, the article you wanted suddenly starts reading itself out loud at movie-theater volume in the middle of the waiting room.

Ridiculous, right? But this is exactly how intrusive content on the web behaves. Eventually, people install ad blockers. In other words, they bring bats to the mall to smash the clingy poster ads, and earmuffs to the waiting room to block out the screaming magazine articles. Or they stop going to the mall or picking up the magazines in the waiting room altogether, forced to sacrifice the potential benefits of those activities for the sake of their own sanity.

And thus you arrive at Apple’s position: building features like Intelligent Tracking Prevention as a nuclear option, making the web harder for some developers in order to make it tolerable for users. It’s not an enviable position to be in, but an inevitable one given how pervasively advertisers and their partner sites have abused the good faith of their audiences with obnoxious and invasive tactics.

I will continue to applaud the new web privacy features in every WWDC keynote, because I know even though they’ll probably get in my way sometimes as a developer, they’ll benefit me as a user. And when I do develop web software, I’ll refrain from abusing the technology to engage in user-hostile practices, because I never want to be the reason a browser had to start blocking something by default.