Apple said this week that it declined to implement 16 new web technologies (Web APIs) in Safari because they posed a threat to user privacy by opening new avenues for user fingerprinting.
Technologies that Apple declined to include in Safari because of user fingerprinting concerns include:
- Web Bluetooth – Allows websites to connect to nearby Bluetooth LE devices.
- Web MIDI API – Allows websites to enumerate, manipulate and access MIDI devices.
- Magnetometer API – Allows websites to access data about the local magnetic field around a user, as detected by the device’s primary magnetometer sensor.
- Web NFC API – Allows websites to communicate with NFC tags through a device’s NFC reader.
- Device Memory API – Allows websites to receive the approximate amount of device memory in gigabytes.
- Network Information API – Provides information about the connection a device is using to communicate with the network and provides a means for scripts to be notified if the connection type changes
- Battery Status API – Allows websites to receive information about the battery status of the hosting device.
- Web Bluetooth Scanning – Allows websites to scan for nearby Bluetooth LE devices.
- Ambient Light Sensor – Lets websites get the current light level or illuminance of the ambient light around the hosting device via the device’s native sensors.
- HDCP Policy Check extension for EME – Allows websites to check for HDCP policies, used in media streaming/playback.
- Proximity Sensor – Allows websites to retrieve data about the distance between a device and an object, as measured by a proximity sensor.
- WebHID – Allows websites to retrieve information about locally connected Human Interface Device (HID) devices.
- Serial API – Allows websites to write and read data from serial interfaces, used by devices such as microcontrollers, 3D printers, and othes.
- Web USB – Lets websites communicate with devices via USB (Universal Serial Bus).
- Geolocation Sensor (background geolocation) – A more modern version of the older Geolocation API that lets websites access geolocation data.
- User Idle Detection – Lets website know when a user is idle.
The vast majority of these APIs are only implemented in Chromium-based browsers, and very few on Mozilla’s platform.
Apple claims that the 16 Web APIs above would allow online advertisers and data analytics firms to create scripts that fingerprint users and their devices.
User fingerprints are small scripts that an advertiser loads and runs inside each user’s browser. The scripts execute a set of standard operations, usually against a common Web API or common web browser feature, and measure the response.
Since each user has a different browser and operating system configuration, responses are unique per user device. Advertisers use this unique response (fingerprint), coupled with other fingerprints and data points, to create unique identifiers for each user.
Over the past three years, user fingerprinting has become the standard method of tracking users in the online ad tech market.
The shift to user fingerprinting comes as browser makers have been deploying anti-tracking features that have limited the capabilities and reach of third-party (tracking) cookies.
Some browser makers have also been deploying countermeasures to prevent fingerprinting operations through the most common methods — such as fonts, HTML5 canvas, and WebGL — but not all user fingerprinting vectors are currently blocked.
Furthermore, new ones are constantly being created as browser makers add new Web APIs to their code.
Currently, Apple has identified the 16 Web APIs above as some of the worst offenders; however, the browser maker said that if any of these new technologies “reduce fingerprintability down the road” it would reconsider adding it to Safari.
“WebKit’s first line of defense against fingerprinting is to not implement web features which increase fingerprintability and offer no safe way to protect the user,” Apple said.
For Web APIs already implemented in Safari years before, Apple says it’s been working to limit their fingerprintability vector. So far, Apple said it:
- Removed support for custom fonts. This means only presenting built-in fonts which are the same for all users with the same system.
- Removed minor software update information from the user agent string. The string only changes with the marketing version of the platform and the browser.
- Removed the Do Not Track flag, which ironically was used as a fingerprinting vector, adding uniqueness to the users who had enabled it.
- Removed support for any plug-ins on macOS. Other desktop ports may differ. (Plug-ins were never a thing on iOS.)
- Require a user permission for websites to access the Device Orientation/Motion APIs on mobile devices, because the physical nature of motion sensors may allow for device fingerprinting.
- Prevent fingerprinting of attached cameras and microphones through the Web Real-Time Communication API (WebRTC).