The beta releases of iOS 12.2 and Safari 12.1 on macOS High Sierra and Mojave include an updated version of the WebKit Intelligent Tracking Prevention (ITP) feature that will further decrease trackers’ ability to trace user identities across websites.

Intelligent Tracking Prevention was added to WebKit in the summer of 2017. It dynamically manages site cookies so that websites cannot use cross-site tracking and third-party cookies to follow their users around the web.

At the time the ITP feature was first implemented, the WebKit development team was able to find "popular websites with over 70 such trackers, all silently collecting data on users."

Persistent client-side cookies capped to 7 days

Starting with this updated version of ITP, cookies will be blocked automatically in third-party contexts, while existing cookies stored by websites and new cookies will be blocked after 30 days if the user has not returned to interact with the site.

Additionally, browsers using a WebKit engine with Intelligent Tracking Prevention 2.1 will also cap "all persistent client-side cookies, i.e. persistent cookies created through document.cookie" to a seven-day expiry.

Tracking prevention timeline

With the release of ITP 2.1, Apple also removed support for the now-defunct Do Not Track (DNT) signal, which was "an attempt by web stakeholders to offer users an off-by-default way to ask servers not to track them."

However, it was met with disdain by most websites which, instead of changing their behavior to honor their users' request not to have their actions logged, chose to further develop their online tracking techniques.

Given the lack of deployment of DNT and Safari’s on-by-default privacy protections such as ITP, Safari removed support for DNT so that users are not presented with a misleading and ineffective privacy control that, if anything, only offered additional browser fingerprinting entropy.

Privacy, security, and performance improvements

According to Apple WebKit Engineer John Wilander, the new ITP update comes with privacy, security, and performance improvements:

Cross-site trackers have started using first-party sites’ own cookie jars for the purpose of persistent tracking. The first-party storage space is especially troublesome for privacy since all tracker scripts in the first-party context can read and write each other’s data. Say social.example writes a user tracking ID as a news.example first-party cookie. Now analytics.example, adnetwork.example, and video.example can leverage or cross pollinate that user tracking ID through their scripts on news.example.

Cookies available in document.cookie can be stolen by speculative execution attacks on memory. Therefore, they should not carry sensitive information such as credentials.

Cookies available in document.cookie can be stolen by cross-site scripting attacks. Again, therefore, they should not carry sensitive information such as credentials.

The proliferation of cookies slows down page and resource loads since cookies are added to every applicable HTTP request. Additionally, many cookies have high entropy values which means they cannot be compressed efficiently. We come across sites with kilobytes of cookies sent in every resource request.

There is a size limit on outgoing cookie headers for performance reasons, and websites risk hitting this limit when cross-site trackers add first-party cookies. We’ve investigated reports of news site subscribers getting spuriously logged out, and found that trackers were adding so many cookies that the news site’s legitimate login cookie got pushed out.

While this update might seem like a cookie doomsday release, Wilander says that only the website cookies created through document.cookie will be affected by ITP 2.1, with session cookies not being affected in any manner.
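The cap described above can be modeled in a few lines. This is an added example, not WebKit's implementation or code from the article; the function names, the 'script'/'http' source labels and the sample cookie are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the ITP 2.1 expiry cap, not WebKit code.
const DAY_MS = 24 * 60 * 60 * 1000;
const ITP_CAP_MS = 7 * DAY_MS; // the seven-day cap quoted in the article

// Split "name=value; Attr=val; Flag" into name, value and lower-cased attributes.
function parseCookie(str) {
  const [pair, ...rest] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: pair.slice(eq + 1),
    attrs: {},
  };
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    cookie.attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] =
      i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Expiry the site asked for, in ms since the epoch; null means session cookie.
// Max-Age wins over Expires when both are present (RFC 6265).
function requestedExpiry(cookie, nowMs) {
  const maxAge = cookie.attrs['max-age'];
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) {
    return nowMs + Number(maxAge) * 1000;
  }
  const t = Date.parse(cookie.attrs.expires);
  return Number.isNaN(t) ? null : t;
}

// source is 'script' for document.cookie, 'http' for a Set-Cookie response header.
function effectiveExpiry(cookieString, source, nowMs) {
  const requested = requestedExpiry(parseCookie(cookieString), nowMs);
  if (requested === null) return null; // session cookies are not affected
  if (source !== 'script') return requested; // only document.cookie is capped
  return Math.min(requested, nowMs + ITP_CAP_MS);
}

// Constructed sample: a one-year tracking ID written from script.
const NOW = Date.UTC(2019, 1, 21);
const capped = effectiveExpiry('uid=abc123; Max-Age=31536000; Path=/', 'script', NOW);
console.log(new Date(capped).toISOString()); // 2019-02-28T00:00:00.000Z
```
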

This Intelligent Tracking Prevention update also changes how popups work by removing the compatibility fix added in ITP 2.0 "for popups that dismiss before they receive user interaction, i.e. dismiss before they receive a tap, click, or text entry."