Safari’s Advanced Privacy Protection

By admin


Back in June I briefly covered some of the changes to Safari with the upcoming operating system updates Apple had planned for the fall of 2023. Now that these updates have come, I wanted to get a deeper look at some of the files and behavior of Safari’s Advanced Privacy Protection features. Just how does Advanced Privacy Protection defend users?

How often is Private Mode Used?

This is a metric that is hard to measure, but Jason Packer over at Quantable gave it a try. Based on his testing, the amount varies by industry, operating system and form factor, which I found rather interesting, but generally falls between 5 and 10%. It’s worth a read to fully understand the methodology.

Now what is important to realize is that while Advanced Privacy Protection is enabled by default in Safari’s Private mode, users who enter settings can enable it for all browsing. Since this requires the user to modify the default behavior, I would guess that for most, this would only increase the possible impact by a percentage point or two, but this is important as you can’t assume that because a user isn’t in Private Mode everything will work.

It’d be worth understanding the possible impact to your specific data set before panicking.

Link Tracking Protection

The behavior of Link Tracking Protection hasn’t changed from my summer review, and the list of name / value pairs removed from the URL remains consistent with my list of vendors from July. A raw Git file of the parameters can be seen here.

The affected vendors and their clients should begin to notice the impact from these changes in their reporting as of mid-September, when the iOS upgrade was released.


Tracker Domains

Apple identifies 627 domains as trackers in the TRACKING_DOMAINS.wplist file. This is the file that Safari appears to be using to determine if a network request should be routed through its Private Relay feature.

There’s also a TRACKING_SUBNET.wplist file – which has entries for Adobe, Criteo and Google.


Tracker Blocking

The tracker blocking is where it gets interesting.

There is a file known as URL_FILTER.wplist which has over 3800 entries. Each entry looks at a specific request type, does a RegEx match, determines if the request is third-party, and if so, performs an action – typically blocking the request outright. Some of the regexes appear to apply to specific companies’ usage of these systems, while other strings are more far-reaching and apply to all companies which use the platform.
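To make the per-entry logic described above concrete, here is an added example (not code from the original post or from Apple) that audits a page's requests against rules of that kind. It assumes the entries follow WebKit's content-blocker JSON shape (`url-filter`, `resource-type`, `load-type`, `action.type`); the rules, hostnames and request list are constructed placeholders, not entries from the file.

```javascript
// Added example. Rules are constructed samples in WebKit content-blocker JSON
// shape; hostnames are placeholders, not entries from Apple's file.
const SAMPLE_RULES = [
  { trigger: { "url-filter": "^https?://([^/]+\\.)?tags\\.vendor\\.example/loader\\.js",
               "resource-type": ["script"], "load-type": ["third-party"] },
    action: { type: "block" } },
  { trigger: { "url-filter": "/beacon/v[0-9]+/pixel\\.gif",
               "resource-type": ["image"], "load-type": ["third-party"] },
    action: { type: "block" } },
];

// Simplified "same site" test: compare the last two host labels. Browsers use
// the Public Suffix List, so this is wrong for suffixes such as co.uk.
function site(url) {
  return new URL(url).hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Return the action type of the first rule whose trigger matches, else "allow".
// (Simplification: real rule lists can also carry ignore-previous-rules.)
function evaluate(rules, request, pageUrl) {
  const party = site(request.url) === site(pageUrl) ? "first-party" : "third-party";
  for (const { trigger, action } of rules) {
    const types = trigger["resource-type"];
    const loads = trigger["load-type"];
    if (types && !types.includes(request.type)) continue;
    if (loads && !loads.includes(party)) continue;
    // url-filter is case-insensitive unless the rule opts in to case sensitivity.
    const flags = trigger["url-filter-is-case-sensitive"] ? "" : "i";
    if (new RegExp(trigger["url-filter"], flags).test(request.url)) return action.type;
  }
  return "allow";
}

// Tag each request a page makes with the verdict it would receive.
function audit(rules, pageUrl, requests) {
  return requests.map((r) => ({ url: r.url, type: r.type, verdict: evaluate(rules, r, pageUrl) }));
}

// Constructed request inventory for a page on www.shop.example.
const SAMPLE_REQUESTS = [
  { url: "https://cdn.tags.vendor.example/loader.js", type: "script" },
  { url: "https://t.vendor.example/beacon/v2/pixel.gif?e=view", type: "image" },
  { url: "https://www.shop.example/beacon/v2/pixel.gif?e=view", type: "image" },
  { url: "https://static.shop.example/app.js", type: "script" },
];

console.log(audit(SAMPLE_RULES, "https://www.shop.example/cart", SAMPLE_REQUESTS));
```

Feeding it the request list from a HAR export of your own pages gives a quick inventory of which resources to test first.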

If you ever wondered who’s using specific vendors you may find that information in this file.

There are some platform-specific impacts that are worth mentioning.

Tag Managers

The gang’s all here. There are entries for Google Tag Manager, Adobe, Ensighten, Segment and Tealium.

In general – under Advanced Privacy Protection you can expect your tag managers to be blocked from loading. By extension anything they load will also be blocked from loading. If you are loading items like Consent Managers via your Tag Manager, it may be worth re-evaluating that decision.

Analytics Platforms


43 entries return when searching for Regex targeting Analytics platforms, and this includes items such as Adobe Analytics, Google Analytics, Mixpanel, Amplitude, Heap and Siteimprove.

Depending on how you’re loading your analytics – you can expect Advanced Privacy Protection to prevent data collection by blocking the required scripts from loading. There is also regex that applies to various beacons or noscript pixel solutions.

Optimization Platforms

But what about A/B testing? Platforms which handle this service are also impacted, with entries existing for platforms such as Visual Website Optimizer and Monetate.

It seems that currently most Optimization platforms are not yet impacted.

Other callouts

There are a lot of entries in this file – but a few other big names jumped out at me as likely having issues, such as HubSpot & Treasure Data.

Next Steps

It’s worth testing how your site performs when viewed with Advanced Privacy Protection. Ideally, your site still works as intended, but if your developers got “clever” or didn’t practice defensive coding to account for the possibility a service may be unavailable, then you may have issues that need to be addressed.
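As an added illustration of the defensive coding mentioned above (not code from the original post), the wrapper below keeps a core flow working when a vendor script never loaded or throws. The `vendorAnalytics` global, the `purchase` method and the order data are hypothetical names used only for this sketch.

```javascript
// Added example. "vendorAnalytics" is a hypothetical global that a third-party
// script would define; under blocking it never exists.
function makeSafeCaller(getVendor, dropped = []) {
  // Returns call(method, ...args): true if delivered, false if dropped.
  // It never throws into the calling code.
  function call(method, ...args) {
    try {
      const vendor = getVendor(); // may throw ReferenceError when blocked
      if (!vendor || typeof vendor[method] !== "function") {
        dropped.push({ method, reason: "vendor unavailable" });
        return false;
      }
      vendor[method](...args);
      return true;
    } catch (err) {
      dropped.push({ method, reason: err instanceof Error ? err.message : String(err) });
      return false;
    }
  }
  call.dropped = dropped;
  return call;
}

// Core flow (constructed): the order completes whether or not tracking works.
function placeOrder(order, track) {
  const total = order.items.reduce((sum, item) => sum + item.price, 0);
  const receipt = { id: order.id, total };
  track("purchase", receipt); // side channel only; result is ignored
  return receipt;
}

// Run the same order with the vendor blocked, present, and misbehaving.
function demo() {
  const order = { id: "A-1", items: [{ price: 20 }, { price: 5 }] };
  const seen = [];
  const blocked = makeSafeCaller(() => vendorAnalytics); // undeclared: throws
  const present = makeSafeCaller(() => ({ purchase: (r) => seen.push(r.id) }));
  const broken = makeSafeCaller(() => ({ purchase: () => { throw new Error("quota"); } }));
  return {
    totals: [blocked, present, broken].map((t) => placeOrder(order, t).total),
    delivered: seen,
    dropped: [blocked, present, broken].map((t) => t.dropped.length),
  };
}
```

The `dropped` list doubles as a cheap local measure of how often a vendor call failed to deliver.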

In general you’d want to understand your specific risk of adverse customer experience, as well as determine how any services you leverage are impacted (blocked, restricted feature access, etc.). From there you’ll be able to determine if these services are critical, and if so – determine how you may need to adjust your site to work without them, or to adjust the delivery of those services to be more compatible with the restrictions of Advanced Privacy Protection.


Advanced Privacy Protection is in public availability now, and adoption will continue to grow for the next several months as Apple pushes these changes out to users’ devices.


One final note worth mentioning is that these files can be updated by Apple at any time. Renaming files/paths to get around the Regex is, at best, a limited-time option, and effort may be better spent learning how to work with the new restrictions, rather than around them, given Apple’s track record of closing loopholes created by industry.