This article contains a roundup of important privacy enhancements delivered to Mac users with the recent release of Safari 13.1.
Apple has once again demonstrated its commitment to an overarching customer-centric strategy. The new Safari 13.1, released on March 24, 2020, goes equipped with groundbreaking tweaks to its Intelligent Tracking Prevention (ITP) privacy technology in addition to a handful of features for better performance and more streamlined user experience. The fundamental change that really makes a difference, though, is about unconditional third-party cookie blocking. This means that online data aggregates such as advertisers and analytics services won’t be able to surveil Safari users’ Internet activities through cookies for cross-site resources anymore. Essentially, this modification pulls the plug on financially-motivated and otherwise dubious amassing of information regarding Mac users’ interests and web surfing habits.
It’s worth mentioning that Safari follows in the footsteps of the Tor Browser and the Brave Chromium-based browser in this context. Both have previously implemented such mechanisms to take users’ privacy to the next level. In the case of Safari 13.1, Apple engineers have extended such initiatives further by lacing the Intelligent Tracking Prevention feature with a few extra characteristics.
Safari 13.1: what’s under the hood privacy-wise?
One of the implications of full third-party cookie blocking introduced in the update is that login fingerprinting is no longer an issue. In plain words, it means that websites cannot surreptitiously determine which personal accounts you are logged into, nor can they uniquely identify you based on a combo of clues such as the installed fonts, your screen size, the time zone, and HTTP headers your browser generates. Ultimately, this new approach is an effective countermeasure for exposure of sensitive data.
Yet another benefit is that ITP will henceforth thwart cross-site request forgery, also known as session riding. The logic of this attack is to dupe a trusted user into unwittingly sending a request to a web application, which may entail unintended changes of the person’s account or data leakage down the road.
A noteworthy change that was announced last year and has been fully implemented in Safari 13.1 is that script-writeable storage expires in seven days. What does it mean to the average layman? The nearly ubiquitous third-party scripts deployed on numerous websites are often mishandled to get around browsers’ defenses against unauthorized cross-site tracking. Therefore, by reducing the lifetime of these scripts Apple makes this attack vector less likely to manifest itself.
The privacy overhaul in Safari 13.1 is kind of a breakthrough that will hopefully encourage other major browsers to follow suit. Whilst some may argue that third-party cookie blocking doesn’t get along with effective web marketing that fuels global ecommerce, no one ever said these activities should be performed at the expense of regular users’ personally identifiable data. Furthermore, Apple takes it up a notch by disabling a few techniques described above that don’t rely on cookies but can still be used to circumvent Safari’s new anti-tracking efforts.