Safari's Intelligent Tracking Protection is misspelled, says Google: It should be Dumb Browser Stalking Enabler

Google security researchers have published details about the flaws they identified last year in Intelligent Tracking Protection (ITP), a privacy scheme developed by Apple's WebKit team for the company's Safari browser. In December, Apple addressed some of these vulnerabilities (CVE-2019-8835, CVE-2019-8844, and CVE-2019-8846) …

  1. JohnFen

    Even so

    Even if Google is correct and these can't actually be fixed (for the sake of argument -- I see no reason to take Google's word for this), it's still a lot better than the alternatives, and better than the nonsense that Google has come up with under the "privacy sandbox" effort so far.

    1. iron Silver badge

      Re: Even so

      It's an obvious shortcoming of Apple's method and it actually decreases your privacy because it adds another fingerprinting technique. No need to trust Google, it's obvious from the descriptions in the article. So no, it is most definitely NOT better than the alternative, it's worse!

      1. Cuddles

        Re: Even so

        Is that actually the case? My understanding of this is that Apple's method does effectively close off several common tracking mechanisms, but in doing so opens up a new one of its own. So at the very worst it doesn't help much but also doesn't make anything worse, while in reality it replaces multiple common techniques with a single one that is a bit more difficult and convoluted to exploit, making things a bit better overall. Maybe it doesn't actually fix the problem as well as Apple claimed, but it seems to be better than not doing anything at all.

      2. JohnFen

        Re: Even so

        > It's an obvious shortcoming of Apple's method and it actually decreases your privacy because it adds another fingerprinting technique.

        Actually decreases on the whole? Are you sure? I'd love to see the evidence for this. Yes, it's another fingerprinting technique, and that's not great, but it also provides real privacy protection in other directions. The important bit is not whether it introduces a new fingerprinting signal, but whether the effort increases privacy on the whole.

        Google has not provided any evidence or argument that it does, and given that Google despises things like ITP in the first place, such evidence or strong argument is absolutely required. We can't just take them at their word on this.

  2. Anonymous Coward

    Shock

    Google is expending effort to try to prove tracking protection doesn't work? Someone please pick my jaw up off the floor!

    As for their claims that "it can't be fixed", I'll wait to see if Apple throws in the towel on it, thanks. I don't exactly trust Google to be truthful when it comes to something that obviously fucks with their business model.

    If it is true that it can't be fixed due to inherent conflicts with web standards, then Apple (along with Mozilla) should propose whatever changes to those web standards are required so that it can be made to work! And then let's see if Google is willing to try to stop them, when their motives for doing so would be so obvious...

    1. MJB7

      Re: Shock

      I don't think it is an inherent conflict with web standards that is the problem. The problem is that they are introducing state into the browser, and that state can be tracked. It's an architectural problem.

    2. Charlie Clark Silver badge

      Re: Shock

      Or, you could read the article again and see that the engineers are highlighting the flaws in Apple's approach, which can be abused to create a fingerprint for each user.

      1. teknopaul

        Re: Shock

        Simple fix is a static list.

        Perhaps...

        google.com,facebook.com

        and be done with it.

        1. Michael Wojcik Silver badge

          Re: Shock

          Yes, since it's impossible for a firm to obtain a second domain name, that will definitely do the trick.

  3. iron Silver badge

    I had a recruitment process at the end of last year where the employer - an advertising agency - asked me to come up with a way of bypassing Apple's privacy safeguards as a pre-interview technical challenge. They said they had already implemented a solution themselves. I declined and halted the recruitment process because I deem that unethical. I wonder if this is how they were doing it.

    1. BebopWeBop

      Share their 'solution' if you can.

    2. Wade Burchette

      I would have told the advertising agents a few words -- and it wouldn't be "have a nice day". The first thing I would do is ask how their conscience lets them sleep at night.

      1. J. Cook Silver badge
        Devil

        That's easy- the advertisers sold their conscience to the devil for hookers and blow. :)

    3. katrinab Silver badge
      Coat

      Even if I did consider it ethical, I wouldn't do it without being paid for it first. Looks like a way to get free labour from potential recruits.

  4. Mike 137 Silver badge

    Just like government

    A bunch of guys who can't get things right attacking another bunch of guys who can't get things right for not getting things right...

  5. mark l 2 Silver badge

    Unfortunately there are lots of ways that your browser can be fingerprinted. The obvious one is your IP, which, unless you regularly switch off your router or phone for the period required for the lease to expire, could be associated with you for quite a long time. But other things such as the list of fonts available on your PC, along with the OS build and browser version, can be used to build a profile on you even with tracking protection switched on.

    1. katrinab Silver badge
      Meh

      List of fonts: For most people, that would be the standard set supplied with their operating system

      OS and browser versions are probably going to be most recent or previous release

      There's a load of other things they use though; and you end up with a "no such thing as an average person" situation.

  6. Claptrap314 Silver badge

    When Google tells me something can be used to track me across the web..

    I believe them.

    It's when they tell me that they are concerned about my privacy that I parse things carefully--and still don't trust a word of it.
