Apple added a new anti-tracking feature to Safari that prevents one-to-one tracking of users who click an ad on one site and make a purchase on another, unrelated site. Instead, the connection will be blurred so that an advertiser can only track the total impact of a small number of different ads over short periods of time.

The new approach, called Privacy Preserving Ad Click Attribution, rolled out in the Safari Technology Preview today (version 82), and Apple said that it will appear in general release versions of Safari later in 2019. It’s also presented this as a proposed early-stage standard to the Web Platform Incubator Community Group at the W3C, an organization that helps create standards browser and sites.

In a blog post at the WebKit site, Apple security and privacy engineer John Wilander explained how the dance of advertising site, browser, and ecommerce site will work in some technical detail, intended both to inform sites about coming changes and teach developers how to implement and test the new approach.

This new Safari feature is part of Apple’s effort to differentiate itself on privacy from Amazon, Facebook, Google, and others that have a substantial reliance on broad user tracking as part of their revenue models for ad and product sales. Ads that pinpoint users by age, income, location, and interests take in more money. Making Safari more resistant to user tracking racks up points in the privacy column while also squeezing these other firms’ potential income.

How it works

With this new ad-click attribution model, an advertising site will not be able to attach extensive and unique identifiers in a link nor track a user with cookies. It will also require so-called “first party” links, where the tracking information is entirely fed by the website a user is visiting instead of embedded code or web page portions (called “iframes”) delivered by a third party.

With current ad and user tracking, third-party networks can build extensive profiles about user browsing and buying behavior without ever seeking specific permission from the user. This information is used to shape the ads you see. If you ever wondered why purchasing a multi-pack of facial tissues on one site meant seeing ads for facial tissue on every site you visited for the next two reasons, it’s this cross-site tracking.

In Apple’s model, a potential buyer sees an ad which has one of 64 numbers embedded in it, from 0 to 63, as well as the destination domain noted separately from the link itself. This uniquely identifies the ad for a given advertiser, but doesn’t provide a large-enough number range to ID the user.

If the user clicks the ad, only that destination domain receives that ad code—no cookies are sent and other tracking information gets stripped off.

On the ecommerce site, if a visitor then proceeds to make a purchase or other action, the site can use an invisible image to generate a request in the user’s browser back to the advertising site indicating what happened. The request contains a code that again is limited to the range of 0 to 63. While that seems like a paltry set of numbers, it can encode time of day, kind of purchase, and other general characteristics. The ecommerce site can optionally pass back a priority code in case a user carries out multiple tasks—like “add to cart” versus “makes a high-dollar purchase”—and the site wants to rank them.

The advertising site receives the incoming data from the ecommerce site and redirects a user’s browser to a standard pathway on its site that Apple will require all sites use for this purpose. At this point, Safari records that path, which includes the advertisement number and action code, but does nothing.

At a random time between 24 and 48 hours later, Safari sends a single cookie-free request to the ecommerce site that contains the original advertising ID and the highest-priority event the ecommerce site referred back. The advertising site, ecommerce site, and Apple never have access to this information, as it’s all stored and handled locally in Safari.

By restricting the range of numbers and randomly logging the behavior a user engaged in to a random later time, Safari provides aggregated information about the outcome of campaigns by advertisers, but very little information that can be tied directly to individual users. (The IP address from which a browser makes a request will still be sent, but users on laptops, smartphones, and tablets have constantly changing addresses as they move about, while residential Internet service providers often aggregate traffic under a limited number of Internet-facing addresses.)

Apple has worked to decouple user tracking in several ways across the last few years in Safari and elsewhere in iOS and macOS. Intelligent Tracking Prevention, introduced in 2017, uses a variety a techniques to limit the scope of browser cookies delivered by third-parties on Web sites you visit to restrict Internet-wide information gathering.

Content-blocking Safari Extensions, which came first to iOS in 2015 and then to macOS in 2017, let third-party app developers build lists of tracking sites and methods that users can opt to block.

How to test the new feature

For developers who want to test the new feature in the Safari preview, download the newest release and check the Show Develop Menu in Menu Bar option in Safari > Preferences > Advanced. Then choose Develop > Experimental Features > Ad Click Attribution Debug Mode. This allows the final step in which the browser communicates with the ecommerce site happen in 60 seconds instead of 24 to 48 hours. An Ad Click Attribution option is also available, which enables the new option exactly the way it will work in future standard Safari releases.