WebKit working group publishes anti-tracking policy
Apple's WebKit team this week published a "WebKit Tracking Prevention Policy" that details web tracking practices it believes are harmful to consumers, as well as technology the group has implemented or intends to implement in its browser engine to block such activity.
Announced in a post to the official WebKit blog on Wednesday, the Tracking Prevention Policy covers the types of tracking WebKit prevents, alternative tracking countermeasures and how the engine handles unintended consequences of tracking prevention.
The document lists a number of known tracking techniques, including cross-site tracking, stateful tracking like cookies and other storage-based methods, covert stateful tracking, navigational tracking like URL parameter-based tracking or link decoration, fingerprinting and covert tracking. Apple and WebKit note covert tracking includes covert stateful tracking, fingerprinting and "any other methods that are similarly hidden from user visibility and control."
WebKit defines tracking as "the collection of data regarding an individual's identity or activity across one or more websites. Even if such data is not believed to be personally identifiable, it's still tracking."
According to the document, WebKit endeavors to prevent all forms of covert and cross-site tracking, including techniques not currently known to the team. If a certain form of tracking cannot be completely prevented without impacting the user experience, WebKit imposes limitations like reducing tracking time windows or available data points. When presenting limitations is not possible, WebKit asks informs a user and asks for their consent to continue.
Circumvention of installed preventions are treated like exploitation of security vulnerabilities, the document says. In such cases when a workaround is detected, WebKit might employ additional restrictions without first informing a third party.
Apple's WebKit team says no exceptions will be made for preventative technologies applied universally across all sites. This policy extends to parties who might have a legitimate reason for tracking, as WebKit lacks the means to to distinguish valid tracking from illicit tracking.
Finally, the document notes WebKit's tracking prevention technologies might inadvertently interfere with sites employing legitimate web practices that might also be used for tracking. For example, prevention might have an unintended impact on single sign-on to multiple affiliated websites, fraud prevention, bot detection, audience measurement, analytics and more.
WebKit might in some cases adapt its technology to allow certain practices, but the engine puts a priority on user benefits.