Opinion: With one High Sierra feature, Apple isn’t protecting privacy, it’s taking away choice

One of the things I like about Apple is the company’s strong commitment to privacy. By making its money from hardware and chargeable services, it doesn’t need to rely much on advertising, and it can therefore afford to take a strong stand on the issue.

Indeed, the legal tussle with the FBI over the San Bernardino shooting was probably one of the best pieces of PR for the company. It demonstrated that Apple felt so strongly about protecting the privacy of its customers that it was willing to take on the might of the U.S. government.

Taking on the advertising industry is likely even better PR, but while I generally applaud Apple’s attitude, I think in one particular case, it is actually taking things too far: Intelligent Tracking Prevention in High Sierra …

This requires a fair bit of background, so bear with me. If you know all about first-party cross-site ad cookies, feel free to skip to the Intelligent Tracking Prevention section …

If you’ve ever Googled for something, visited a few websites and then started seeing a lot of ads for that same thing, that’s not coincidence. It’s targeted advertising driven by cookies.

Web cookies are probably the most misunderstood and maligned pieces of technology in existence. If you read a typical mainstream media piece about them, they are evil things that lurk on our computers, watching our every move and reporting back to advertisers everything we do. You’d almost picture them as viruses with fangs.

The reality is much more mundane, so let’s step back a little and look at what they do and don’t do …

A cookie is a simple text file. At its most basic, it saves you from having to login every time you visit a website.

Let’s say you visit a website which requires a login. You login, and ask Safari to remember you. The website drops a cookie – a text file – onto your Mac so that it can recognize you next time. This text file doesn’t contain your username or password, just a unique identifier that contains no personal information. Next time you visit the site, it looks to see whether that text file exists and, if it does, it reads that identifier. It then checks that identifier against a database stored on the server, sees it is you and logs you in.

So far, no controversy. You can choose whether or not to accept cookies, and you can choose whether or not you ask Safari to automatically log you in.

So let’s move onto the more controversial use of cookies: so-called tracking cookies …

Advertisers want to know how effective their ads are. Historically, with things like billboard ads, they couldn’t do that. There’s an old saying in advertising, attributed to John Wanamaker: ‘Half the money I spend on advertising is wasted; the trouble is I don’t know which half.’

But with web ads, advertisers realised that they could come up with a way of measuring the effectiveness of ads that people didn’t click. Enter the cross-site cookie.

An advertising cookie works like this. You visit Facebook, and see an ad for a new iPhone case. You think it looks cool, but you’re busy catching up with your feed, and so just make a mental note to check it out later. Silently, in the background, Facebook drops a cookie on your Mac: a text file with a couple of ID codes. One code is for Facebook, the other is for the specific ad. The cookie contains no identifying information about you.

The next day, you remember that cool case, Google the name of it and end up at the company’s website. The website sends a request to Safari, asking it if it has stored any cookies with the ad code. Safari says ‘Yes, I do’ and sends it to the website. The website reads the data inside it and sees that you saw that ad on Facebook. It then increments a counter so that it can see, for example, that 3,172 people visited its website after seeing that particular Facebook ad.

Remember, that cookie contains no identifying information for you. The website has no idea who you are, it only knows that you are an anonymous Internet user who saw a particular ad on Facebook.

Advertising cookies also work the other way around. If you visit the case manufacturer website first, the site drops a cookie onto your Mac noting that you visited the site. Once again, there is no personally identifiable information in that cookie: it identifies the website, not you.

When you visit Facebook, the web server asks Safari if it has any cookies containing codes for any of its current advertisers. Safari says ‘Yep, here’s one for this iPhone case maker.’ Facebook says ‘Thanks very much, I’ll display an ad for an iPhone case.’ That’s targeted advertising using cross-site cookies.

Once again, the website has no idea who you are, it only knows you as an anonymous Internet user who has visited a particular website.

There are more sophisticated versions, such as dropping a specific cookie when you carry out a particular action at a website, such as placing a product in your basket and then not buying it, but the key point applies: at no point does the website know who you are.

There are also complications with third-party cookies – ones that are nothing to do with either the site you are visiting or an ad that you have seen – that we needn’t get into: Safari has always blocked those, and I fully support Apple in that choice.

What Apple is introducing with the version of Safari included in High Sierra, however, is what it calls Intelligent Tracking Prevention (ITP). What this does it severely limit the use of what are known as first-party cross-site cookies – the ones I described above. Here’s what Apple has to say about it:

If the user has not interacted with example.com in the last 30 days, example.com website data and cookies are immediately purged and continue to be purged if new data is added.

However, if the user interacts with example.com as the top domain, often referred to as a first-party domain, Intelligent Tracking Prevention considers it a signal that the user is interested in the website and temporarily adjusts its behavior as depicted in this timeline.

And here’s the timeline:

What that effectively means for businesses is that, in many cases, if you visit a website more than a day after you saw an ad, the company will have no idea that its advertising brought you there. Advertisers are upset about that, and have written an open letter to Apple asking the company to rethink. (I saw that letter via CNET.)

Apple’s unilateral and heavy-handed approach is bad for consumer choice and bad for the ad-supported online content and services consumers love. Blocking cookies in this manner will drive a wedge between brands and their customers, and it will make advertising more generic and less timely and useful. Put simply, machine-driven cookie choices do not represent user choice; they represent browser-manufacturer choice.

What ITP means for consumers is that Safari will effectively forget which sites you’ve visited after a day. Net result: you’ll see fewer targeted ads, and more generic ones.

Now, some will take the view that this is a good thing. If you do – after fully appreciating that tracking cookies contain no personal identification – then that’s a view I can respect. But personally, given that the web is largely funded by advertising, my view is this. There’s a choice between three scenarios:

  • I can use an ad-blocker, and see relatively few ads
  • I can allow third-party cookies, and see ads likely to be relevant to my interests
  • I can block third-party cookies, and see generic ads

I won’t do the first, because I like the fact that most websites are free, and I recognize that they need to pay their bills. It would also be deeply hypocritical of me to use an ad-blocker when it’s advertising that ultimately pays my bills.

I don’t want to do the third because, if I’m going to see ads at all, I’d far rather they were for things that interest me – like gadgets – than things that don’t, like soap powder.

So personally, I want to allow third-party cookies to persist for the normal 30 days. But High Sierra won’t allow it. So despite strongly supporting the vast majority of Apple’s privacy initiatives, in this particular case, I think Apple has got it wrong.

There is an irony to my view. I’m a decisive shopper. I identify a need or want, research my options and then buy immediately. So the vast majority of personalised web advertising I see is for something I have recently bought. It’s largely wasted on me. But, all the same, given the choice between ads for things I like, and ads for things I couldn’t care less about, I’d prefer to see the former. How about you?

Images: Sonder; Love & Lemons; Wikihow; Apple

Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear