Apple's Intelligent Tracking Protection can be exploited to track Safari users, says Google

article thumbnail

AppleInsider is supported by its audience and may earn commission as an Amazon Associate and affiliate partner on qualifying purchases. These affiliate partnerships do not influence our editorial content.

Apple's enhanced privacy tools in Safari to prevent tracking can be used to continue tracking users, Google researchers intend to reveal in a paper, with a total of five different attack vectors identified in Apple's Intelligent Tracking Prevention system.

Intelligent Tracking Protection is designed to minimize the amount of data that is generated by users browsing website, that could be tracked by digital marketers to construct a profile of the user. By cutting down what data is available, Apple intended to make it harder to create the profiles and to track the user's movements.

In a soon-to-be-published research paper, Google has come up with a number of flaws in how ITP functions, that could allow users to continue to be tracked, reports the Financial Times. The five different attack types could allow third parties to acquire "sensitive private information about the user's browsing habits," according to the paper.

"You would not expect privacy-enhancing technologies to introduce privacy risks," security researcher Lukasz Olejnik proposed to the publication. The flaws, if exploited, would "allow unsanctioned and uncontrollable user tracking."

It is claimed the way ITP functions to detect and learn user behavior is why the potential for information leaks and tracking could occur. Google researchers write the data is exposed "because the ITP list implicitly stores information about the websites visited by the user."

Researchers were also able to use a flaw to create a "persistent fingerprint" of a user for easier tracking of online browsing, while another issue was able to determine what users searched for via search engines.

Apple has acknowledged the flaws during a blog post about security updates in December, but did not confirm if the flaws had been patched in Safari. Apple privacy engineer John Wilander publicly thanked the researchers "for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection."

So far, Intelligent Tracking Prevention and Apple's other similar tools are performing sufficiently enough that it is causing issues for the advertising industry. Ad executives have lauded ITP as being "stunningly effective," with some firms reporting a 60% decrease in pricing for targeted Safari ads.