Apple Jams Facebook's Web-Tracking Tools

The next version of iOS and macOS "will frustrate tools used by Facebook to automatically track web users," reports BBC. At the company's developer conference, Apple's software chief Craig Federighi said, "We're shutting that down," adding that Safari would ask owners' permission before allowing the social network to monitor their activity. BBC reports: At the WWDC conference - held in San Jose, California - Mr Federighi said that Facebook keeps watch over people in ways they might not be aware of. "We've all seen these - these like buttons, and share buttons and these comment fields. "Well it turns out these can be used to track you, whether you click on them or not." He then pointed to an onscreen alert that asked: "Do you want to allow Facebook.com to use cookies and available data while browsing?" "You can decide to keep your information private."

Apple also said that MacOS Mojave would combat a technique called "fingerprinting", in which advertisers try to track users who delete their cookies. The method involves identifying computers by the fonts and plug-ins installed among other configuration details. To counter this, Apple will present web pages with less details about the computer. "As a result your Mac will look more like everyone else's Mac, and it will be dramatically more difficult for data companies to uniquely identify your device," Mr Federighi explained.

Re:Do this

[AmiMoJo]

Firefox can do this already, but it's not that effective unfortunately.

The real problem these days is fingerprinting. Particularly installed fonts and user agent strings. Those two alone are often pretty unique, and combined with canvas fingerprinting and IP address are very powerful tracking mechanisms.

Unfortunately no browser can block them, and I have not found any plug-in except for NoScript that can block getting a list of installed fonts. There is a tool called "fluxfonts" that randomly installs and removes fake fonts in the background, but it would be nice if a mainstream browser did something about this.

Re:Do this

[Mordaximus]

The real problem these days is fingerprinting. Particularly installed fonts and user agent strings. Those two alone are often pretty unique, and combined with canvas fingerprinting and IP address are very powerful tracking mechanisms.

They are addressing this as well in Mojave. Slimmed down system information, it only reports system fonts. Essentially one MacBook will look like the next, etc. In theory, anyway

Re:

[cascadingstylesheet]

The real problem these days is fingerprinting. Particularly installed fonts and user agent strings. Those two alone are often pretty unique, and combined with canvas fingerprinting and IP address are very powerful tracking mechanisms.

They are addressing this as well in Mojave. Slimmed down system information, it only reports system fonts. Essentially one MacBook will look like the next, etc. In theory, anyway

Wouldn't that mean you only get to see system fonts then? (Assuming the reported list of fonts actually does something?)

(I'd be fine with that, but will the public at large be fine with it)?

Actually, since CSS lets you specify a list of fallbacks, why does the browser have to report fonts anyway? I have neglected to look into this little corner of madness ...

Re:

[Shotgun]

Wouldn't that mean you only get to see system fonts then?

If only we could be so lucky.

Re:

[Gr8Apes]

Actually, since CSS lets you specify a list of fallbacks, why does the browser have to report fonts anyway? I have neglected to look into this little corner of madness ...

I looked into this years ago, and there is absolutely 0 reason for this function to exist in today's world. If all browsers returned 0 fonts, the same style sheets still get served in 99.999999....% of the cases. So other than fingerprinting the machine, what purpose does this function serve?

Re:

[Plumpaquatsch]

I bet you will be really pissed when you find out what Apple has announced for Safari. https://www.wired.com/story/ap... [wired.com]

Re:

[AmiMoJo]

It's really good news that Apple is doing something about this.

Hopefully others will follow. Their improvements seem to be based on research done by Mozilla, so perhaps at least Firefox will get something similar soon.

Re:

[110010001000]

Apple also said that MacOS Mojave would combat a technique called "fingerprinting", in which advertisers try to track users who delete their cookies. The method involves identifying computers by the fonts and plug-ins installed among other configuration details. To counter this, Apple will present web pages with less details about the computer. "As a result your Mac will look more like everyone else's Mac, and it will be dramatically more difficult for data companies to uniquely identify your device," Mr Fe

Re:

[jbmartin6]

Firefox can do this already, but it's not that effective unfortunately.

Could you clarify why you say this?

Re:

[AmiMoJo]

Try the EFF's Panopticlick.

Re:

[spire3661]

All webpages should have an html fallback. If they dont, its not really a webpage.

Re:

[Gr8Apes]

Disabling JS makes the web browsable again for 99% of its pages. 99% of the web does not need JS, and never should have had JS installed with it.

Re:

[Cajun Hell]

Someone remind me: why should javascript ever be able to know what fonts you have? Why would anyone care?

Maybe browsers don't let you twiddle some config setting to deny font requests, but it could nevertheless be disabled in the browser's code. Is there any reason to even suspect that this might break anything? I wouldn't expect it to break anything. Being able to query fonts sounds like a totally useless feature anyway.

Re:

[TheFakeTimCook]

Firefox can do this already, but it's not that effective unfortunately.

The real problem these days is fingerprinting. Particularly installed fonts and user agent strings. Those two alone are often pretty unique, and combined with canvas fingerprinting and IP address are very powerful tracking mechanisms.

Unfortunately no browser can block them, and I have not found any plug-in except for NoScript that can block getting a list of installed fonts. There is a tool called "fluxfonts" that randomly installs and removes fake fonts in the background, but it would be nice if a mainstream browser did something about this.

Apple has a solution to "fingerprinting". They return random data.

Re:Do this

[theweatherelectric]

Hey Firefox, looking for something else to copy?

What, you mean like how Firefox provides built-in tracking protection [mozilla.org]? Or how Firefox provides a Facebook Container [mozilla.org] which isolates Facebook [mozilla.org] from the rest of your browsing activity? Or how Firefox is developing an anti-fingerprinting mode [mozilla.org]? Or how Firefox is integrating Tor [mozilla.org] as a built-in feature [torproject.org]?

I don't think you know what you're talking about. The web browser is the most commonly used piece of application software. If there's one type of software you should educate yourself about, it's web browsers.

or virtual machines

[goombah99]

if it's plug ins it's pointless. You might as well say, just run every browser window in a different virtual machine. It's so simple!!! not. Plug ins mean maintaining plugins over time and trying to figure out which one broke which website, maintainging a different whitelist for every plug in, and removing them when they go out of date, that's a mugs game.

Source

[Aadarshkothari]

Can we also track the source of the traffic?

Browsers and OS should do this

[AHuxley]

Not a member of a social media brand?
Ban it from the browser, OS until a user wants to register a social media account and be spied on.

Re:

[stealth_finger]

That is some initial work until you have the 153 worst tracking companies.

153? seems oddly specific.

Re:

[Plumpaquatsch]

That is some initial work until you have the 153 worst tracking companies.

153? seems oddly specific.

Maybe he works for the 154th entry on the Forbes' 200 Worst Tracking Companies List?

Re:

[vakuona]

From TFS:

The next version of iOS and macOS "will frustrate tools used by Facebook to automatically track web users,"

Re:

[Megane]

Exactly. This is about the web bugs and other things from Facebook that end up in other web pages, little things like "Share on Facebook" buttons. You see that little "f" icon? If it's served from facebook.com, your browser had to talk to them to get it.

Native in Browsers

[johnsie]

Various plugins do a good job of this, but some sort of blocking should be a native optional feature in major browsers. I've already refused to accept the new privacy policy from Facebook as I refuse to let that company turn my data into a product. People let them go to far. There must be an option to choose which companies are not allowed to collect your data, and that's why GDPR is a good thing. Facebook tried to avoid data privacy by moving millions of accounts out of Europe/

Don't think this is the right way to fight it

[Solandri]

There are two ways to fight this:

• Try to stop these tracking methods. Which just results in the people doing the tracking coming up with new tracking methods. That kicks off an endless arms race where each side keeps countering the move the other side makes.
• Pollute the data. Let them collect the data, but the browser should surreptitiously add fake data. Either generated by randomly crawling linked pages in the background, or by sharing anonymized sites other users have browsed. The moment the "user's" browsing data is no longer an accurate representation of the sites the user is actually browsing, that data loses its advertising value. And advertisers will be forced to place ads based on the type of people who like to visit a certain site (e.g. GPU ads on a gaming site), rather than trying to display ads targeted at the person browsing regardless of what site they visit.

The first method is a never-ending game of leapfrog. The second method favors users because there are a lot more of them than companies tracking this data. They can generate fake browsing data faster (up to the limit of their Internet bandwidth) than these companies can filter it out.

Re:Don't think this is the right way to fight it

[johnsie]

It'll still be an arms race. They'll try and find ways around it. GDPR has shown that strong legislation is probably going to be the best way to prevent this sort of tracking.

Re:

[Anonymous Coward]

On the eve of the GDPR I received an email from an affiliate organisation extolling how they would be complying with the law and be able to track users using such methods as the opt out of tracking cookies and industry wide opt ins (eg; agree with one website you agree with them all).

Legislation

[JBMcB]

Legislation may help, but the GDPR is a nightmare. This Week In Law had an entire episode critiquing it.

Re:

[dAzED1]

No, it's not. It also had years of warning, so I have zero pity for companies of any size that waited until the last few weeks to even think about it.

Re:

[Merk42]

"fighting is hopeless, do not do anything !!!"

No, I guess you are a FB propaganda operative. Or one from Google, they do exactly the same $hit.

Did you press the wrong button? GP never said that, nor even implied that.

Re:

[alvinrod]

The problem with your proposed solution is that you assume that these same tracking companies would be wholly incapable of cleaning the polluted data. All they would need is access to the browser that does the polluting and enough time to see how it works and they could probably get above 95% accuracy in terms of removing the fake, polluted data.

It's always a game of cat and mouse. The only way to really stop it is to make a user's data so worthless as to remove the economic incentive to attempt to track

Re:Don't think this is the right way to fight it

[AmiMoJo]

Pollution is quite effective. For example, there are various add-ons for popular browsers that add random noise to canvas elements, changing the fingerprint every time. Even if they are tracking you by other means such as detecting installed fonts, the random canvas fingerprint and maybe a random user-agent pollutes their data.

Re:

[6Yankee]

I'll let you send them my font list if I can send them yours...

Re:

[sinij]

I think technical term is poisoning the data. It is brutally effective, and not because it hides your own data, it also makes entire data set less valuable by contaminating it with fake data.

Re:

[jbmartin6]

You may be right about data pollution, although I have often wondered how easy it would be to tune out what you suggest. If my device randomly visits a needlepoint site, then a site about making home made sake, then FIVE sites about playing chess, it's pretty easy to figure out I like to play chess and the other ones were red herrings. My point is things that are true would rise above the noise of various random hits and would be easy to figure out based on timing, frequency, etc. Now, if I could create var

Re:

[sit1963nz]

This is currently the same tactic being used by spambots and anarchists
Look how many garbage posts are made in discussion forums, and they are growing in number.

The idea is to pollute sites where people can have reasoned, intelligent discussions with so much junk that it destroys the forum and drives the thinkers away.

This "normalises" abuse, hate, lies, anger, etc etc and that becomes part of normal society IRL.

Without rational discussion, "fake news" will rule because there will be nowhere to disc

For other platforms...

[Gravis Zero]

If you aren't already, you should be using SafeScript [andryou.com] which allows you to block lots of fingerprinting stuff. If you think you don't need it then you should check out BrowserLeaks [browserleaks.com] to see how horribly wrong you are. :)

Re:

[Ol Olsoc]

If you aren't already, you should be using SafeScript [andryou.com] which allows you to block lots of fingerprinting stuff. If you think you don't need it then you should check out BrowserLeaks [browserleaks.com] to see how horribly wrong you are. :)

And how! Early on in using NoScript I did an inventory of what was blocked. Facebook was the champ of tracking scripts, and a lot of those addresses the scripts reported to were obscured - ie not obviously facebook. And there were several FB trackers on most the sites that had them. Google had a number of scripts - at least they had the decency to make that clear. several ad providers, the font trackers, and a few I never figured out. My biggest haul for one page was over a hundred scripts.

And this was

Here's why I'm looking sideways at this -

[sabbede]

I'm using pfBlocker to filter DNS on my home network. You know what doesn't work without being able to talk to tracking and ad-serving servers (including google's for some reason)? The iTunes App Store.

Apple cart

[spinitch]

Don't upset the Apple cart? Wonder how far Apple evaluated their own SNS FB alternative? Seems time might be ripe to trip the FB giant.

VPN Required?

[atrex]

I don't see how any of these methods put a stop to user tracking unless you're using a VPN to obfuscate your source IP address. So is Safari going to include it's own free VPN service like Opera? Or is this all just a bunch of noise to try and capitalize on the anti-Facebook sentiment and gain market attention?

Re:

[WinstonWolfIT]

Astute. I rotate between Argentina and Albania which results in me being completely untrackable.

Apple only targeted ad

[lorinc]

In other news, Apple wants to be the only one to be able to track its demographic to perform targeted advertising.

Re:

[TheFakeTimCook]

In other news, Apple wants to be the only one to be able to track its demographic to perform targeted advertising.

Except they don't. And the truth is in the fact that I have NEVER seen an Apple-related ad show up anywhere that wasn't completely expected.

HALLELUJAH !

[TheStickBoy]

^ what the subject said