[Webkit-unassigned] [Bug 255450] New: ITP Bounce tracking defense not efficient enough

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 14 05:29:08 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=255450

            Bug ID: 255450
           Summary: ITP Bounce tracking defense not efficient enough
           Product: WebKit
           Version: Safari 16
          Hardware: Mac (Apple Silicon)
                OS: macOS 13
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: webkit.gently881 at simplelogin.fr

Hello,

I am contacting you because I noticed adtech companies selling their Safari deterministic cross-domain tracking capabilities, from Taboola some time ago (cf. this thread https://twitter.com/WolfieChristl/status/1356547088692240386) to First.id (cf. this thread https://twitter.com/pixeldetracking/status/1645123172671389696). When I noticed Taboola tracking and read John Wilander's answer https://twitter.com/johnwilander/status/1356638414880215040, I assumed I was protected (and I remembered Criteo tried this a long time ago, without success).

But then I noticed that Safari didn't flag first-id bounce tracking if the user only consulted one, two or three different websites using first-id.fr tracking. It wasn't until the fourth website that first-id.fr was flagged by ITP (cf. this thread https://twitter.com/pixeldetracking/status/1646816439486099463). And in some circumstances, Safari might not even flag the website after 4+ domains (first-id made this video to "prove" their tracking was efficient: https://www.youtube.com/watch?v=cDKc7xALi1w).

Here are a few of the websites with first-id tracking. To reproduce, click on one of the website links (for the bounce tracker to be triggered, you have to consult 2 pages) and accept cookies if you see the consent pop-up (but this pop-up might depend on your being in the European Union):
- allocine.fr
- marmiton.org
- liberation.fr
- aufeminin.com
- doctissimo.fr
- marieclaire.fr
- capital.fr
- jeuxvideo.com

Their website: https://www.first-id.fr/
As they are not the only ones (Taboola is using the same mechanism), I am afraid a few other adtech companies might also rely on this "ITP limitation".

ITP bounce tracking defense is working well if the user consults enough websites with the first-id.fr tracker included, but I would have assumed ITP was protecting me from their tracking even if I only consulted 2 different domains, hence this bug filing.

Thanks in advance

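As an added illustration (not part of the bug report, and not WebKit's ITP source), the following Python toy models the prevalence-style classification the report describes: a redirect hop is treated as a bounce tracker only once it has been observed bouncing from enough distinct first-party sites. The threshold of 4, the `.example` domain names and the navigation chains are constructed assumptions based on the reporter's observation, not values taken from WebKit.

```python
"""Toy model of a prevalence-based bounce-tracking classifier.

Added illustration only: this is not WebKit/ITP code. The threshold of 4
mirrors what the bug reporter observed (the tracker was flagged on the 4th
site), not a documented ITP constant. All domains and chains are constructed.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed threshold taken from the reporter's observation.
PREVALENCE_THRESHOLD = 4


def registrable_domain(url):
    """Crude eTLD+1: keep the last two host labels.

    Good enough for the constructed sample; a real browser consults the
    Public Suffix List so that e.g. 'co.uk' is not treated as a site.
    """
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def bounce_intermediates(chain):
    """Domains that appear strictly in the middle of a redirect chain.

    chain[0] is the page the user was on, chain[-1] the page they finally
    landed on. Any other site in between acted as a bounce hop. Hops that
    belong to the source or destination site (a CDN subdomain, a login path
    on the same site) are not counted as third-party bounces.
    """
    if len(chain) < 3:
        return []
    first = registrable_domain(chain[0])
    last = registrable_domain(chain[-1])
    middle = {registrable_domain(u) for u in chain[1:-1]}
    return [d for d in middle if d not in (first, last)]


def classify(navigations, threshold=PREVALENCE_THRESHOLD):
    """Return (hop -> set of source sites it bounced from, flagged hops).

    A hop is flagged only once it has been seen from `threshold` distinct
    first-party sites; this is exactly why a user who visits fewer sites
    than the threshold is never protected by such a rule.
    """
    seen_from = defaultdict(set)
    for chain in navigations:
        source = registrable_domain(chain[0])
        for hop in bounce_intermediates(chain):
            seen_from[hop].add(source)
    flagged = {d for d, sites in seen_from.items() if len(sites) >= threshold}
    return seen_from, flagged


def flagged_after(navigations, threshold=PREVALENCE_THRESHOLD):
    """Sorted list of hops flagged after processing the given navigations."""
    return sorted(classify(navigations, threshold)[1])


# Constructed sample: the same bounce domain observed from three sites,
# each time as "page -> tracker -> second page on the same site".
SAMPLE = [
    ["https://news.example/article", "https://tracker.example/sync?r=1",
     "https://news.example/article?p=2"],
    ["https://recipes.example/", "https://tracker.example/sync?r=2",
     "https://recipes.example/home"],
    ["https://games.example/", "https://tracker.example/sync?r=3",
     "https://games.example/index"],
]
# A fourth, distinct site pushes the hop over the assumed threshold.
FOURTH = ["https://health.example/", "https://tracker.example/sync?r=4",
          "https://health.example/p2"]
# Same-site redirect through a CDN host: must not be counted as a bounce.
SAME_SITE = ["https://news.example/", "https://cdn.news.example/go",
             "https://news.example/landing"]

if __name__ == "__main__":
    print(flagged_after(SAMPLE))             # three sites: nothing flagged
    print(flagged_after(SAMPLE + [FOURTH]))  # fourth site: tracker flagged
    print(flagged_after(SAMPLE, threshold=1))  # per-site rule: flagged at once
```

Passing `threshold=1` shows the other end of the design space: the hop is flagged on its first bounce, which closes the gap the report describes but would also hit legitimate single-site redirect flows (federated login, payment providers), which is the false-positive cost a prevalence threshold is trying to avoid.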