Back when we first introduced Private Browsing in 2005, our goal was simple: let you use the web without storing data about your activity locally. Private Browsing leaves no local, persistent traces of what you browsed, which is why it is also sometimes referred to as “ephemeral browsing.” Eventually every other browser followed suit and shipped the feature.
Starting with Safari 1, our cookie policy baked cross-site tracking prevention into every Safari browsing mode, and we have made gradual improvements to privacy protections over the past two decades (for more on this, see Tracking Prevention in WebKit). While some other browsers have not matched our pace, we are happy to see that they have seen the light and that there is progress.
For Apple, the matter is as simple as it gets: users should not be followed around the web without their knowledge or consent. Choosing Private Browsing is a clear sign that a user wants their web experience to stay open and useful while being safe from prying eyes. Today that means private mode has to take other features into account, such as keeping pages working and passwords available, while still holding the idea that nothing persists at heart, and it means going beyond the 2005 definition of “things are ephemeral,” which is still roughly what an experience like Chrome’s Incognito Mode offers. Users expect, and deserve, more than that.
This led us to take Private Browsing one step further and add protections beyond those in regular Safari browsing. In September of last year, we finally turned the dial up to 11 with Private Browsing in Safari 17.0 🙂 We made it even better in Safari 17.2 and Safari 17.5, with some additional work on macOS as well. And once a user enables them, all of those new protections are available in regular Safari browsing too.
We have made huge improvements to web privacy with this work and hope it raises the bar for what Private Browsing should be across our industry.
Summary of Enhanced Private Browsing
These are the protections and defenses we added to Private Browsing in Safari 17.0:
- Link Tracking Protection
- Blocking network loads of known trackers, including CNAME-cloaked known trackers
- Fingerprinting Protection
- Default Off for Extensions with Website or History Access
Moreover, we added these protections and defenses to all browsing modes:
- Capped lifetime of cookies set in responses from cloaked third-party IP addresses
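To make the two tracker-related protections above concrete, here is an added example (not WebKit’s code) that models a loader deciding what to do with a subresource whose hostname CNAME-resolves to a known tracker: in Private Browsing the load is blocked outright, and in any mode the lifetime of cookies such a cloaked response tries to set is capped. The tracker list, the CNAME chains, the eTLD+1 shortcut and the 7-day cap are constructed or assumed values for the demo; the page does not state WebKit’s real cap, and it describes the cloaking signal in terms of third-party IP addresses, whereas this model uses the resolved CNAME chain.

```javascript
// Constructed data for the demo: a tracker blocklist and the CNAME chains seen
// when resolving two first-party-looking hostnames.
const KNOWN_TRACKERS = new Set(["tracker.example", "analytics.example"]);
const CNAME_CHAINS = {
  "metrics.shop.example": ["shop-collect.tracker.example", "edge.tracker.example"],
  "cdn.shop.example": ["cdn-provider.example"],
};
// Assumed cap for cookies from cloaked trackers; not WebKit's actual value.
const SEVEN_DAYS = 7 * 24 * 60 * 60;

// Simplified registrable domain (last two labels). A real implementation
// would consult the Public Suffix List.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

function isKnownTracker(host) {
  return KNOWN_TRACKERS.has(registrableDomain(host));
}

// Returns the tracker domain hidden behind a first-party-looking host, or null.
// A host that is itself a known tracker is not "cloaked", just a tracker.
function cnameCloakedTracker(host, chains = CNAME_CHAINS) {
  if (isKnownTracker(host)) return null;
  for (const target of chains[host] || []) {
    if (isKnownTracker(target)) return registrableDomain(target);
  }
  return null;
}

// Rewrite one Set-Cookie header so the cookie lives at most maxAgeSeconds.
// Max-Age takes precedence over Expires (RFC 6265); Expires is converted to a
// relative Max-Age so the cap is unambiguous. Session cookies are left alone.
function capCookieLifetime(setCookie, maxAgeSeconds, now = Date.now()) {
  const kept = [];
  let maxAge = null;
  let expiresIn = null;
  for (const raw of setCookie.split(";")) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "" : part.slice(eq + 1).trim();
    if (key === "max-age" && /^-?\d+$/.test(value)) {
      maxAge = Number(value);
    } else if (key === "expires" && !Number.isNaN(Date.parse(value))) {
      expiresIn = Math.floor((Date.parse(value) - now) / 1000);
    } else {
      kept.push(part); // name=value pair and all other attributes pass through
    }
  }
  const lifetime = maxAge !== null ? maxAge : expiresIn;
  if (lifetime === null) return kept.join("; ");
  return [...kept, `Max-Age=${Math.min(lifetime, maxAgeSeconds)}`].join("; ");
}

// Policy for one load: block trackers (plain or cloaked) in Private Browsing;
// otherwise let the load through but cap cookies from cloaked trackers.
function policyForLoad(host, privateBrowsing, setCookieHeaders = [], now = Date.now()) {
  const cloaked = cnameCloakedTracker(host);
  const tracker = isKnownTracker(host) || cloaked !== null;
  if (privateBrowsing && tracker) return { blocked: true, cloaked, cookies: [] };
  const cookies = cloaked !== null
    ? setCookieHeaders.map((c) => capCookieLifetime(c, SEVEN_DAYS, now))
    : setCookieHeaders;
  return { blocked: false, cloaked, cookies };
}
```

The cap converts `Expires` to `Max-Age` rather than rewriting the date, which keeps the result independent of the client's clock skew and avoids having to serialise an HTTP-date; a cookie whose `Expires` is already in the past ends up with a negative `Max-Age`, which browsers treat as "delete now", so that edge case needs no special handling.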
Network Privacy Enhancements
Safari 15.0 started hiding IP addresses from known trackers by default. In Safari 17.0, Private Browsing now provides these protections for all users:
- Encrypted DNS. DNS queries resolve server hostnames to their IP addresses, which must happen before anything on the internet can be reached. The problem is that DNS has traditionally been unencrypted, so anyone on the path can not only track users around the internet but also re-route them to servers of their choosing. Oblivious DNS over HTTPS is an encrypted, end-to-end privacy-protecting feature that also proxies the queries, so they remain private at every stage.
- Proxying unencrypted HTTP. Safari also sends unencrypted HTTP resources over the same multi-hop proxy network we use to hide IP addresses from trackers, by default in all Private Browsing windows. This ensures that no one on the local network can sniff or alter Private Browsing traffic.
For iCloud+ subscribers who have iCloud Private Relay enabled, the privacy-first features in Safari go even further with these:
- Separate sessions per tab. Each tab a user opens in Private Browsing uses its own session to the iCloud Private Relay proxies. What this boils down to is that web servers can no longer associate two tabs as coming from the same device. Every session is assigned an egress IP address independent of those of other sessions. Windows that must have a programmatic relationship (such as popups and their openers) are the exception and share a session.
- Location privacy by default. Private Browsing uses an IP location that matches the country and time zone you live in, but not anything more precise.
- Warning before sharing your IP address. Safari cannot use iCloud Private Relay when connecting to a server that is only reachable on an internal network, such as your home or company intranet. Private Browsing in Safari now shows a prompt asking the user to agree to their IP address being made available to the server before actually loading the page.
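The last item raises a practical question: how does a client decide that a destination is "internal" and that the relay therefore cannot be used? The following is an added example, not Safari or iCloud Private Relay code, of one such classifier: it treats private IPv4 ranges (RFC 1918 plus loopback and link-local), IPv6 unique-local and link-local addresses, `localhost`, `.local`, `.internal`, `.home.arpa` and bare single-label names as internal, and returns a decision that says whether to route via the relay or to prompt the user first. The rule set and the `relayDecision` shape are assumptions for the demo; a real implementation would also consider resolution and reachability, since a corporate intranet name with dots in it looks public by name alone.

```javascript
// Parse a dotted-quad IPv4 literal into its four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// RFC 1918 private ranges plus loopback (127/8) and link-local (169.254/16).
function isPrivateIPv4([a, b]) {
  return a === 10
    || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168)
    || a === 127
    || (a === 169 && b === 254);
}

// Loopback, unique-local (fc00::/7) and link-local (fe80::/10) IPv6 addresses.
function isPrivateIPv6(h) {
  if (h === "::1") return true;
  return /^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h);
}

// Heuristic classification of a URL hostname as "internal network".
// Brackets around IPv6 literals (as WHATWG URL hostnames carry them) are stripped.
function isInternalNetworkHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "").replace(/^\[|\]$/g, "");
  const v4 = parseIPv4(h);
  if (v4) return isPrivateIPv4(v4);
  if (h.includes(":")) return isPrivateIPv6(h);
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if ([".local", ".internal", ".home.arpa"].some((s) => h.endsWith(s))) return true;
  return !h.includes("."); // single-label names such as "printer" or "nas"
}

// Decide, for one navigation, whether the relay can be used or whether the user
// must first consent to exposing their IP address to the destination.
function relayDecision(url) {
  const host = new URL(url).hostname;
  if (isInternalNetworkHost(host)) {
    return { useRelay: false, promptUser: true, reason: `internal network host: ${host}` };
  }
  return { useRelay: true, promptUser: false, reason: `public host: ${host}` };
}
```

Note that 100.64.0.0/10 (carrier-grade NAT) is deliberately not in the IPv4 list: addresses there are not routable on the public internet either, but a relay provider may still be able to reach them, so whether to treat them as internal is a policy choice rather than a fixed rule.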
Private Browsing with More Extensions
Extensions also get new privacy settings for Private Browsing in Safari 17.0. Extensions that can access webpage data and browsing history are now turned off by default in Private Browsing. Developers can, however, mark an extension as allowed to run in Private Browsing, and thus provide all of its functionality while still respecting that environment. Content Blockers, which do not access webpages or browsing history, stay enabled by default in Private Browsing if you had them turned on for Safari.
Fingerprinting Protection
In the wake of Safari, and other browsers following it, blocking some kinds of stateful tracking (such as cross-site cookies), we see many trackers moving to one form or another of stateless tracking: fingerprinting.
Types of Fingerprinting
The types of fingerprinting we identify are:
- Device fingerprinting. This creates a fingerprint based on the characteristics of the device: its hardware, current OS and browser, and possibly any connected peripherals that can be detected. The user cannot change this fingerprint in settings or by installing web extensions.
- Network and location fingerprinting. This builds a profile based on how the device connects to the internet and any way of finding its geolocation, for example by measuring round-trip times of network requests or simply using the IP address as an identifier.
- User settings fingerprinting. This reads the state of user settings such as dark/light mode, locale, changes in font size and the size of the window, provided the platform lets the user control these things. It also entails detecting web extensions and accessibility tools. It especially stings because this type of fingerprinting takes advantage of how users personalize their web experience to match just what they want.
- User behavior fingerprinting. This identifies a user by their habitual behavior patterns, such as mouse pointer movements, typing speed in form fields, or scrolling.
- User traits fingerprinting. This is about knowing things about the user: their interests, age, health status, financial status and educational background. These traits can then be combined into a unique identifier, and also used to single users out for particular content or price changes.
Do Not Add Fingerprintable APIs to the Web, such as the Topics API
For years we have worked with the standards community to enhance user privacy across the web platform. Some existing web APIs, such as Canvas, are already fingerprintable, and decoupling and reducing their fingerprintability is a long process that requires many different approaches. This is especially true because existing websites that depend on them must keep working.
The future privacy of the web depends on not adding new, fingerprintable APIs that compound the fingerprinting problem. In certain situations, the benefit of a rich web experience or enhanced accessibility can justify some level of fingerprintability. In general, however, we think moving the web forward without making it more fingerprintable is a Good Thing.
A recent example of a proposal we opposed, which Chrome is nonetheless already shipping, is the Topics API. We gave a great deal of constructive feedback in that process, and it is worth looking at it here in some more depth.
The Topics API in a Nutshell
The API’s function can be called by any JavaScript on a page: tracker scripts, advertising scripts, and data broker scripts too.
The list of topics has a fixed size, normally hundreds of entries. Instead of the user selecting from these topics, they are recorded and learned by Chrome over time based on the user’s browsing history. The user is not told up front which topics Chrome considers them to be interested in, or which parties get to see those interests. All of this happens transparently to the user and by default.
The point of the API is that, even when the current website itself reveals nothing about the user or their interests, advertisers on it can still target that individual based on topics gathered from their browsing.
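For site operators who do not want scripts on their pages calling this API in browsers that ship it, the lever is the `browsing-topics` Permissions-Policy directive (the real directive name Chrome uses). The following is an added example, not from this post or from WebKit, of a server-side helper that merges `browsing-topics=()` into an existing `Permissions-Policy` header without disturbing other directives, plus a client-side check of whether `document.browsingTopics` (the real method name) is exposed at all; in Safari it is not. The sample header values are constructed.

```javascript
// Parse a Permissions-Policy header ("a=(self), b=()") into an ordered map.
// Directive values are parenthesised allowlists and never contain commas,
// so splitting on "," is safe for well-formed headers.
function parsePermissionsPolicy(header) {
  const policy = new Map();
  if (!header) return policy;
  for (const item of header.split(",")) {
    const directive = item.trim();
    const eq = directive.indexOf("=");
    if (!directive || eq === -1) continue; // skip empty or malformed entries
    policy.set(directive.slice(0, eq).trim(), directive.slice(eq + 1).trim());
  }
  return policy;
}

function serializePermissionsPolicy(policy) {
  return [...policy].map(([name, allowlist]) => `${name}=${allowlist}`).join(", ");
}

// Return the header value with browsing-topics denied for every origin,
// overriding any existing browsing-topics entry and keeping the others.
function disableBrowsingTopics(existingHeader) {
  const policy = parsePermissionsPolicy(existingHeader);
  policy.set("browsing-topics", "()");
  return serializePermissionsPolicy(policy);
}

// Produce the response headers a server would send; `baseHeaders` is a plain
// object of constructed headers for the demo.
function hardenResponseHeaders(baseHeaders) {
  const existing = baseHeaders["Permissions-Policy"] || "";
  return { ...baseHeaders, "Permissions-Policy": disableBrowsingTopics(existing) };
}

// Client side: is the Topics API exposed by this browser at all? The default
// argument lets the function run outside a browser (e.g. under Node) as well.
function topicsApiExposed(doc = typeof document !== "undefined" ? document : {}) {
  return typeof doc.browsingTopics === "function";
}
```

The helper keeps the header as an ordered map so that a deployment which already sends `Permissions-Policy` for camera, geolocation and the like does not lose those directives; an explicit empty allowlist `()` is the strongest form, denying the feature to the top-level page and to all embedded frames.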
Establishing a New Industry Benchmark
With the new privacy protections in Private Browsing for Safari 17.0, user protection is taken to a whole other level. Based on early testing, we expect the larger community of Safari users (and consequently, everyone on the web) will benefit from this work.