ITP 2.x and the Latest Updates in the Browser Consumer Privacy Battle
With Apple’s latest edition of ITP, or Intelligent Tracking Prevention, the battle between Apple, Google, and Mozilla to own the consumer privacy narrative is heating up. I’ve written on ITP a few times in the past year (here and here), but Apple is constantly changing the way ITP affects cookies in Safari.
With so many consumers worried about their privacy, Apple, Google, and Mozilla are making consequential tweaks to the way cookies work in all of their browsers.
To help keep you up to date on the latest on Apple’s ITP and other cookie-limiting features in popular web browsers such as Chrome and Firefox, here is a short reading list with quick summaries of the changes you need to know.
Privacy Preserving Ad Click Attribution
Introduced By: Apple (Safari)
Summary: This is Apple’s most recent blog post and doesn’t actually mention ITP. Apple provides a proposal for a non-cookie way to understand ad click conversion. The catch? No more real-time reporting or optimization of ads. Apple will hold onto the conversion event 24-48 hours before reporting to the ad vendor. Apple seems to think this is necessary and helpful, but I’m guessing others will disagree.
SameSite Cookies Explained
Introduced by: Google (Chrome version 76)
Summary: Google plans to leverage the HTTP cookie “SameSite” feature to allow developers to communicate if they want to allow their cookies to be able to be read in a third-party context. Effectively, developers can say, “this cookie is private” and make the cookie more secure at cookie creation time. The update in Chrome 76 (currently we’re on Chrome 74) will set a default SameSite value even when a web developer didn’t explicitly set one. That means most server-side cookies out there will be automatically more secure by default.
Intelligent Tracking Prevention (ITP) 2.2
Introduced by: Apple
Improving Privacy and Security on the Web
Introduced by: Google
Summary: This post appears to be Google’s response to the recent and rapid changes by Apple under its ITP initiatives. Google lays out a vision for a private web that doesn’t seem as extreme or ad hoc as Apple’s recent changes. The Chrome Product Management team also says here that Chrome will block fingerprinting (which is a common way to uniquely identify visitors when cookies are not available).
HTTP State Tokens
Introduced by: Google
Summary: This is a formal proposal by Google to allow a website to keep a session alive (i.e. keep me logged in) using a single identifier that is kept in the browser instead of in a cookie. This allows for site-specific ids that would be completely under the control of the end-user who would have one id per website and the ability to reset the id on his or her own time frame. This is an internet standard proposal which could be adopted by all browsers and remove the need for cookies to keep you logged in. Likely another milestone in the complete elimination of cookies on the web.
Introduced by: Mozilla (Firefox)
Summary: Not to be outdone by the other browsers Firefox makes the statement that third-party cookie blocking will be the default setting soon. They also mention blocking fingerprinting and cryptominers. Get more specifics in the “Privacy protections included in content blocking” section of the Mozilla link above. At this point, it’s clear that third-party cookies and fingerprinting are no longer an option in any browser.
Since Apple appears to be releasing frequent updates, this set of links will soon become old news. Check back here often to find out how the latest ITP iterations will continue to affect your data.