How Safari’s New Intelligent Tracking Prevention Works

It’s one of the most discussed new features in High Sierra: Safari’s new Intelligent Tracking Prevention. Advertisers are upset about it, claiming it’s “bad for the ad-supported online content and services consumers love.” Apple is undeterred by the rhetoric. But what does the feature actually do?

Basically, Intelligent Tracking Prevention changes which sites can and can’t use particular cookies, and in some cases deletes cookies that aren’t doing anything useful for you. To quote the official explanation, from Apple’s High Sierra feature list:

Remember when you looked at that green mountain bike online? And then saw annoying green mountain bike ads everywhere you browsed? Safari now uses machine learning to identify advertisers and others who track your online behavior, and removes the cross‑site tracking data they leave behind. So your browsing stays your business.

This sounds good in the abstract, but how does it actually work? Apple’s official explanation on Webkit.org outlines the technology in language intended for developers; here’s what users need to care about.

What Is Cross-Site Tracking?

 

Intelligent Tracking Prevention works to prevent what’s called cross-site tracking, a feature where a cookie served up by one website can track you across the wider web.

Why is this possible? Because when you load a web page not every element you see comes from the exact site you’re looking at. Ads, for example, tend to come from third party ad networks, which might pull recently viewed items from Amazon, eBay, or other sites. Social media buttons are generally hosted by those social networks. Most sites make use of Google Analytics, and other tools to track user numbers.

It’s part of how modern websites are built, and it’s not a problem in and of itself. In some cases these third party services may access cookies stored by your browser, which also isn’t a problem in and of itself.

In fact, many features useful rely on this. If you’ve ever used your Google or Facebook account to log into another site, you’ve used cross site cookies in a tangible way that makes your life easier.

That’s why this is complicated: the cross site ads are creepy, but other cross site functionality makes the web a better place. How is a browser supposed to tell the difference?

What Will Intelligent Tracking Prevention Actually Do?

So how will Intelligent Tracking Prevention actually work? Ironically, by tracking you—though all information stays on your machine, meaning nothing is uploaded to Apple. Safari will use your browsing history to work out which sites you’re interested in, and use that information to save, partition, or delete cookies depending on context.

To Safari, domains you’re interested in are domains you yourself visit on a regular basis. Domains you never visit directly, but regularly use cross site resources from, are deemed things you’re not interested in. To quote the Webkit page again:

Let’s say Intelligent Tracking Prevention classifies example.com as having the ability to track the user cross-site. What happens from that point? If the user has not interacted with example.com in the last 30 days, example.com website data and cookies are immediately purged and continue to be purged if new data is added. However, if the user interacts with example.com as the top domain, often referred to as a first-party domain, Intelligent Tracking Prevention considers it a signal that the user is interested in the website and temporarily adjusts its behavior.

The behavior is relatively simple, so let’s break it down:

  • If you visit a domain directly, Safari will assume you’re interested in the site, and will allow cross site tracking for the domain for 24 hours.
  • If you then don’t visit that domain for 24 hours, Safari will assume you’ve lost interest, and stop allowing cross site tracking for that domain.
  • If you don’t visit that domain for 30 days, Safari will delete the cookies for that domain entirely.

It’s a little weird, so let’s explore a concrete example. Let’s say you’re not a Facebook user, but occasionally click a Facebook link and read a public post. Under this scheme Facebook would be able to track your activity online using cookies for 24 hours, thanks to those “Like” buttons embedded on so many pages. After 24 hours Facebook would no longer be able to access these cookies, assuming you don’t head to Facebook.com again. After 30 days of not visiting Facebook the cookie will be deleted completely.

Facebook is just one example of a site that uses cross site tracking, and this tracking is something regular Facebook users have learned to live with (if not love.) Ad networks aren’t the same: they run completely in the background, and most people never visit their domains directly. Safari’s Intelligent Tracking Prevention stops them from tracking you without breaking cookies for sites you actually use.

It makes sense when you think about it. Safari will keep cookies around for sites you regularly use, but quarantines and delete the cookies left there by advertisers and other tracking services. It’s a compromise between functionality and privacy.

It’s worth noting that Apple is uniquely positioned to offer such a feature. Google, for example, makes liberal use of cross-site tracking for its own ad network—Chrome users shouldn’t hold their breath waiting for something similar on that browser.

How to Turn Off Intelligent Tracking Prevention

Not sure you’re a fan of this feature, or wonder if it’s breaking a site you use regularly? It’s easy enough to turn off. Open Safari, then click Safari > Preferences in the menu bar.

Uncheck the top option, “Prevent cross-site tracking,” and you’re done. The feature is still turned off. You could block third party cookies in every browser instead, but know that this is far more likely to break sites than Safari’s default method.

Photo Credit: Alejandro EscamillaJens Kreuter

Justin Pot is a staff writer for How-To Geek, and a technology enthusiast who lives in Hillsboro, Oregon. Follow him on Twitter and Facebook, if you want. You don't have to.