Apple Extends Privacy Protections to Traffic Leaving Its Walled Garden

Originally published at: Apple Extends Privacy Protections to Traffic Leaving Its Walled Garden - TidBITS

New services and features in operating systems coming later this year will improve security and privacy for everyone using Apple products, even outside the Apple walled-garden ecosystem. iCloud+ even adds anonymized browsing.

Glenn,

I’ve been using MailTrackerBlocker for a couple of months now in Mail on 10.14 to get similar results, at least for tracking pixels.

The next-to-most recent update added a report so you can see how many trackers have been blocked and an icon in the message window to see if any were blocked in that message.

I don’t know if the forthcoming macOS 12 feature will have any reporting available, but I’m often amazed at what is shoehorned into email and would hope that I can continue monitoring what evil intentions are thwarted.

Cheers,
Jon

1 Like

First, it would be nice to be able to see when tracking pixels are blocked. Maybe put an icon in the email where the tracking pixel would have been, had it downloaded.

Second, if you block tracking pixels, then they will just escalate to something larger. Of course, the images require unique URLs in order to be useful for tracking, and a mail server can scan a broadcast email across multiple recipients to find the image that looks like a tracker, and then block it wholesale. Finding the tracking image in a single recipient email (non-broadcast) might not always be so easy.

Most tracking pixels are 1 pixel by 1 pixel, so an icon would be hard to see anyway and might change the rendering of the HTML if it was larger than 1x1.

Apple I believe has altered the way that they retrieve all remote content from email now. The downloads now get done through a proxying IP address, so the senders get no information about what our IP address is. They will still form unique URLs per message, so they will see that this particular message was opened, but they won’t be able to correlate the IP address of the recipient anymore. It’s true that senders will perhaps try other methods to track, but Apple moving to a like-VPN to download all remote content will help at least prevent getting information about your IP address, the mail client or browser that you use to download the remote content, etc.

2 Likes

There’s a big difference between tracking pixels and cookies. Tracking pixels send info directly to a tracker’s server. Cookies live on an individual’s browser. Both methods are based on still images. And Google has pretty much admitted defeat in the cookie war, especially because of pressure from the EU. But Google is moving forward with new, even more effective initiatives. And they are also refining data collection from live and prerecorded video, which are becoming increasingly popular with users. Google, and other companies, are taking tracking to a whole new level:

https://support.google.com/google-ads/answer/2456138?hl=en

Object Detection and Tracking  |  ML Kit  |  Google Developers the eu

MMTalker, Cookies are based on still images? Please elaborate.

Doug. Ok, so no icon. But some kind of notification that tracking was blocked would be nice.

It’s not just pixels, but any kind of invisible or tracking image that Apple identifies. Apple said “pixels,” but I think that’s a shorthand (as it is in most anti-tracking software) for images designed not to be displayed but to provide a retrieval from a Web server that provides a tracking beacon.

What Doug said!

If you enable the feature. Without it enabled, retrieval happens from your machine as I understand their explanation. Apple’s explanation: “If you choose to turn it on, Mail Privacy Protection helps protect your privacy by preventing email senders, including Apple, from learning information about your Mail activity.”

Anything retrieved via a Web connection can have a cookie attached, but in a mail message, I don’t think cookies are sent by Apple’s Mail or third-party mail apps? On a Web page, however, an invisible image or JavaScript or what have you all allows a remote server from which the item is retrieved to obtain any information the browser sends on requesting the item, and the server can send a cookie in reply that will be accepted or ignored by the browser based on the rules the browser’s maker has set (Apple automatically blocks a lot of behavior now) and any settings in the browser you’ve changed that modify cookie acceptance.

1 Like

A cookie is a single pixel that sends information to a server. There are cookies that permanently reside on a site, or those that hang around until they are removed. And there are tracking cookies that are often placed by third parties. A tracking cookie, aka tracking pixel, has code written into it that will track paths of action across sites. Tracking cookies are used primarily by advertising analytics, e-commerce and content servers.

To clarify, a cookie may be attached to any item retrieved from a server, including a Web page, JavaScript, etc. It’s just part of an HTTP transaction. It’s unrelated to whether it’s an image (or a single pixel) or not. A cookie is provided in a standard form as part of the header information sent back by a Web server in response to a retrieval of any item. The browser then uses rules to determine whether to store the cookie.

Likewise, when a browser connects with a Web server to retrieve a page, image, script, etc., it uses rules to determine whether there’s a stored cookie (really, a bit of text) that matches the domain, path to the file, and other parameters, and transmit that as part of the request.

Cookies are used to establish “state” or a continuous session on the Web, which is inherently a stateless medium when used without an HTTP-based login (common in the early days; rare now). A cookie is most often used to store a session token that lets you stay logged in for email, e-commerce, or when posting to TidBITS Talk!

Invisible pixels (often either 1-by-1 or displayed that size or merely set to be transparent) are often used in email, which doesn’t retrieve cookies as far as I can tell, so that the image is retrieved from a third-party ad-tech server that tracks email being opened and where (by IP address and anything else it might extract from the HTTP retrieval).

2 Likes

I think we’re confusing two different things.

A tracking image is an ordinary image sent in a mail message for the purpose of determining whether or not you read the message. An HTML mail message containing images may have the image(s) attached to the mail message, or the image(s) may be remote - fetched from a web server when you read the message.

Like all web content, the web server hosting a remote image may log every request to download it. That log typically includes the IP address where it was sent, the date/time and the URL that was requested.

The idea of using images for tracking is that you generate a unique URL for each person you send the mail to. This way, the operator of the web server can look at the log file and know which URLs were retrieved and by extension which mail messages were read and therefore which mailboxes belong to a person that read the mail message.

The technique can be used for any image, but since the company performing the tracking is often not the author of the mail message (e.g. it could be an advertising service or the company hosting the mailing list), it is typically done with an image that exists for the sole purpose of tracking. In order to not mess up the message’s content, it is typically something you won’t notice - like a 1x1 pixel image where that pixel is transparent.

This is completely different from tracking cookies. Cookies are a fundamental part of how the web operates.

Whenever you request any web content, whether it’s a page, an image, a script, or anything else, the reply contains many lines of header information in addition to the data you requested. The headers may contain one or more Set-Cookie: header lines. These are key/value pairs and may contain any information the server wants to send you along with the requested data. Web browsers typically store this data in a local database, associated with the web page/site that sent you the cookie.

Later on, when you request another piece of content from the same web site, your browser sends all of the cookies that came from that site along with the request using one or more Cookie: headers.

This is how, for example, web sites like TidBITS let you log in once and remain logged in over time. When you log in, the server sends back a cookie representing your login (typically a cryptographic hash that can identify your login in a way that is difficult for someone else to forge). On all subsequent requests for content, your browser sends that cookie so the server knows that it is your account.

Advertisers use this mechanism for tracking you.

An advertiser (like Amazon, Facebook or Google) runs its own set of web servers that serve up ad content. Any web page that displays the ads includes content (typically a script) that downloads and displays an ad. The advertising server will generate a random ID representing you and will send it back attached to the ad content. Your web browser stores this cookie associated with the advertising server.

When you load another page that pulls content from the same advertising server (which could be from a completely different site), your browser sends the ad server’s cookie back. So the ad server knows that it is you that viewed both pages. And it knows what pages you were viewing because browsers typically include HTTP referer headers in requests, indicating where the request came from (or in the case of images, the URL of the page where the image will be displayed).

Note that this is an oversimplification. There is a lot more to how cookies operate and how they are used and abused, but this should at least help you to understand the basics. For more information, see Wikipedia.

Note that there are many other ways to track people on web pages and mail messages. This is just a quick summary of some of the most common ways.

3 Likes
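The Set-Cookie / Cookie round trip described in the post above, as an added example that is not part of the original thread: a toy browser cookie jar and a toy ad server, run once with third-party cookies allowed and once with them blocked. The host names, the `uid` cookie name and the host-equality test for "third party" are assumptions made for the illustration.

```python
import itertools

class AdServer:
    """Toy ad server: issues an ID cookie and logs (id, Referer)."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.log = []

    def handle(self, cookies, referer):
        uid = cookies.get("uid")          # value from the Cookie: header
        set_cookie = {}
        if uid is None:                   # first visit: assign an ID
            uid = f"u{next(self._ids)}"
            set_cookie = {"uid": uid}     # sent back as Set-Cookie: uid=...
        self.log.append((uid, referer))
        return set_cookie

class Browser:
    """Toy browser with a per-host cookie jar (assumed, simplified policy)."""
    def __init__(self, block_third_party):
        self.block_third_party = block_third_party
        self.jar = {}                     # host -> {name: value}

    def load_page(self, page_host, embedded_host, server):
        third_party = embedded_host != page_host
        allowed = not (third_party and self.block_third_party)
        cookies = self.jar.get(embedded_host, {}) if allowed else {}
        reply = server.handle(dict(cookies), referer=f"https://{page_host}/")
        if allowed and reply:             # store only if policy permits
            self.jar.setdefault(embedded_host, {}).update(reply)

def linked_pages(block_third_party):
    """Return the pages the ad server can attribute to each ID."""
    ads, browser = AdServer(), Browser(block_third_party)
    for site in ("news.example", "shop.example"):   # constructed hosts
        browser.load_page(site, "ads.example", ads)
    by_id = {}
    for uid, referer in ads.log:
        by_id.setdefault(uid, []).append(referer)
    return by_id

if __name__ == "__main__":
    print("third-party cookies allowed:", linked_pages(False))
    print("third-party cookies blocked:", linked_pages(True))
```

With blocking on, the ad server still receives a Referer for each request but can no longer tie the two page views to one ID through the cookie.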

A pixel is not a cookie. It is the act of retrieving a pixel for a web page that allows the browser to create or send back the contents of a stored cookie to the server sending the pixel (or any piece of web content on a page). Since page content can be made up of pieces from multiple servers, every one of them can store/retrieve identifying information identifying you on your machine.

Plus any server can retrieve information about your environment (screen sizes, color density, memory, available fonts, etc) that can usually identify your machine uniquely (your “fingerprint”).

And then cooperating sites share personal information about you with other sites, and soon everything is known about you, thanks to data aggregation and internal sharing.

Actually, third party cookies will become history sometime next year. Under pressure from the EU, other governments, and bad press, Google is planning to stop cookie tracking and has been pushing Federated Learning Of Cohorts (FLOC) and Privacy Sandbox APIs as an alternative. Instead of tracking each and every individual as an entity, your data will be lumped into distinct special interest groups based on searching activity. Google is currently beta testing FLOC around the globe, but not in any EU countries or the US where they are under antitrust pressure. Summaries of what’s going on are here:

IMHO, FLOC and Privacy Sandbox sound to me like they could be just as intrusive to individuals as cookies. But hopefully, smaller special interest publications like TidBITS will benefit from cookies crumbling.

It’s a terrible technology and I hope to FLOCing heck it won’t be adopted. The EU probably won’t ultimately allow it, and the US under the Biden administration may prevent its adoption, too. Then there’s the browser side—Apple, Mozilla, Brave, and Microsoft won’t support it.

Yes!

1 Like

I just stumbled across a couple of articles talking about significant issues with FLOC.

Ok, a cookie is not a single pixel. I was beginning to think that I had missed an entire section of web development. And it would seem that “tracking cookie” is a misnomer and “tracking pixel” is more appropriate. As I understand it, a tracking pixel just has a uniquely generated URL that allows the server to connect the download request to your IP address, browser, and OS. Any ‘code’ would reside on the server. Please correct me if I am wrong.

“tracking cookies” and “tracking pixels” are terms used to describe the use of cookies and images for the purpose of tracking users. But cookies and images have many other uses as well and the mail/web standards don’t distinguish between them.

The “tracking pixel” is simply an image reference in an HTML-formatted mail message with a unique URL designed to let the server associate requests for the image with the mail message in order to determine if and when the message is read.

In theory, it will let the server operator know when the mailbox owner reads the message, but like all things, it’s not perfect. The reader might have his mail app configured to not display images (false negative - the message was read but the server doesn’t know), and the reader might have forwarded the message to someone else (false positive if the message was read and the image downloaded by the forward-recipient).

And, of course, the operator of the server can get whatever metadata the reader’s mail app sends along with the HTML request. The operator will always get the IP address, URL and timestamp. Anything else will depend on the mail app used - some expose more data than others.

And yes, all the code used for this tracking resides on the server. Your mail app doesn’t do anything beyond loading the image from the server.
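An added example, not part of the original thread, of the cross-recipient comparison suggested earlier in the discussion: given the same broadcast message as delivered to two recipients, remote image URLs that differ between the copies are per-recipient and therefore usable for tracking, whatever their size. The sample message, host names and verdict labels are constructed for the illustration.

```python
from html.parser import HTMLParser

class ImgCollector(HTMLParser):
    """Collect remote <img> references as (src, declared_1x1) pairs."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Only remote images cause a fetch; attached ones use cid: URLs.
        if src.startswith(("http://", "https://")):
            tiny = a.get("width") == "1" and a.get("height") == "1"
            self.images.append((src, tiny))

def remote_images(html):
    parser = ImgCollector()
    parser.feed(html)
    parser.close()
    return parser.images

def classify(copy_a, copy_b):
    """Label each remote image in copy_a by comparing it with copy_b,
    the same broadcast message as delivered to a second recipient."""
    urls_b = {src for src, _ in remote_images(copy_b)}
    report = {}
    for src, tiny in remote_images(copy_a):
        unique = src not in urls_b  # URL differs per recipient
        if unique:
            report[src] = "likely tracker" if tiny else "per-recipient URL"
        else:
            report[src] = "shared 1x1 image" if tiny else "shared content"
    return report

# Constructed sample: one mailing as received by two recipients.
TEMPLATE = (
    '<html><body><img src="https://cdn.example/logo.png" width="200">'
    '<p>Sale!</p><img src="cid:inline1">'
    '<img src="https://t.example/banner/{rid}.png" width="600">'
    '<img src="https://t.example/o/{rid}.gif" width="1" height="1"/>'
    '</body></html>'
)
COPY_A = TEMPLATE.format(rid="7f3a91")
COPY_B = TEMPLATE.format(rid="c02b44")

if __name__ == "__main__":
    for url, verdict in classify(COPY_A, COPY_B).items():
        print(f"{verdict:18} {url}")
```

Comparing a message only with itself, as for a single-recipient mail, leaves the 1x1 image labelled merely "shared 1x1 image" and the full-size per-recipient banner indistinguishable from ordinary content.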

A cookie is saved on the browser that it was downloaded to; web servers can use them to identify individuals. A tracking pixel is sent directly to a server. They both collect information about what you see and do on websites. There are also retargeting pixels, which follow you around the web to gather information to serve you ads or content. And there are conversion pixels; after you make a purchase or complete a request, they will send follow up information to sign up for a service, offer bargains, or to make related purchases.

Cookies and pixels are usually used together by sophisticated marketers, as they kind of function sequentially with one another. But cookies often have expiration dates; pixels can’t do this.

The terminology here is very confusing and is being massively abused by the advertisers/spammers that use it.

For instance, I just did quite a bit of searching into what a “retargeting pixel” is. And it has absolutely nothing to do with the one-pixel images attached to mail messages. No pixel data (by any normal definition of the word) is uploaded to any server.

Instead, a JavaScript application is embedded in web pages by advertising networks. This script computes a URL that is used to request a single-pixel image when the page is loaded. The remote web server uses the requested URL to extract data collected by the JavaScript program.

The spamming community is calling this URL or the script that generates it a “pixel”, but that is simply an abuse of the English language. Pixels are dots of color that belong to images. They don’t exist independently of images and they are definitely not sent around the Internet like ID cards.

Unfortunately, the spammers creating this terminology either don’t understand the tech they’re using or they are deliberately inventing misleading terms in order to make it hard for technically savvy people to have an intelligent conversation on the subject.

If I decide to invent a user-tracking script and call its data a “Porsche”, few people would think I’m actually transmitting automobiles around the Internet, but that’s pretty much the same thing that’s going on here. Lots of deliberately confusing terminology designed to prevent people outside of the spamming industry from being able to intelligently discuss the subject.

“A rose by any other name would smell as sweet.” William Shakespeare

Maybe we should move this to the “Champing with bated breath” thread?