Apple seems focused on making Safari the world’s leading privacy-focused web browser, and it continues to develop under-the-hood enhancements that protect users’ privacy.
Better privacy by proxy
Beginning with iOS 14.5 (currently in beta), Apple is improving privacy by changing how Safari accesses Google’s Safe Browsing service, which warns users when they visit a fraudulent website. (Apple uses the service to drive the “Fraudulent Website Warning” in Settings > Safari on iOS or iPadOS devices.)
The Safe Browsing service works by identifying potentially compromised sites from Google’s web index. If it suspects a site is compromised, virtual machines are despatched to see whether the site attempts to compromise them.
In the event it does, Google then flags it as being fraudulent. That’s a lot of technology, but for Safari users, it means you should receive a fraudulent website warning when Safari checks your destination against Google’s index.
To interrogate the service, it was originally necessary to share both the URL of the destination site and the user’s IP address. To help prevent data leaks, Apple already sends an encoded version of the site address. But in iOS 14.5 it begins to proxy the Safe Browsing service, routing requests through its own servers to hide the IP address of the person whose browser is making these requests.
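A minimal model of the lookup described above, added here as an illustration; it is not Apple's or Google's code. It assumes the "encoded version" is a truncated SHA-256 hash prefix in the style of Safe Browsing's Update API, omits URL canonicalization, and uses constructed class names, IP addresses and URLs.

```python
import hashlib

PREFIX_LEN = 4  # bytes; assumed prefix length (Safe Browsing Update API style)

def sha256(expr: str) -> bytes:
    return hashlib.sha256(expr.encode()).digest()

class Provider:
    """Stand-in for the blocklist provider (Google in the article)."""
    def __init__(self, bad_exprs):
        self.full = {sha256(e) for e in bad_exprs}
        self.log = []  # (source IP, hash prefix) pairs the provider can record

    def prefixes(self):
        # Prefix list the browser downloads ahead of time and checks locally.
        return {h[:PREFIX_LEN] for h in self.full}

    def full_hashes(self, source_ip, prefix):
        self.log.append((source_ip, prefix.hex()))
        return {h for h in self.full if h.startswith(prefix)}

class Proxy:
    """Stand-in for the relay: forwards the prefix, substitutes its own IP."""
    def __init__(self, provider, own_ip):
        self.provider, self.own_ip = provider, own_ip

    def full_hashes(self, source_ip, prefix):
        # The relay itself still sees source_ip; the provider no longer does.
        return self.provider.full_hashes(self.own_ip, prefix)

def is_flagged(expr, client_ip, local_prefixes, upstream):
    """True if expr is on the list. Only a hash prefix ever leaves the device."""
    digest = sha256(expr)
    if digest[:PREFIX_LEN] not in local_prefixes:
        return False  # local miss: no network request is made at all
    return digest in upstream.full_hashes(client_ip, digest[:PREFIX_LEN])

# Constructed sample data (documentation IP ranges, example domains).
CLIENT_IP, PROXY_IP = "203.0.113.7", "198.51.100.1"
BAD, GOOD = "phish.example/login", "news.example/"

def run(proxied: bool):
    provider = Provider([BAD])
    upstream = Proxy(provider, PROXY_IP) if proxied else provider
    local = provider.prefixes()
    verdicts = [is_flagged(u, CLIENT_IP, local, upstream) for u in (BAD, GOOD)]
    return verdicts, provider.log

if __name__ == "__main__":
    for mode in (False, True):
        print("proxied" if mode else "direct", *run(mode))
```

In both modes the provider's log holds only a hash prefix, never the URL; the proxied run differs in that the logged source address is the relay's rather than the user's.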
Apple’s philosophy of privacy
The philosophy behind this is that no one other than yourself should know which sites you are visiting or learn your IP address. Maciej Stachowiak, Apple’s head of WebKit engineering, says it will “limit the risk of information leak.”
That’s bad for some advertisers and surveillance snoops — just look at how loudly Facebook is squawking — but aligns perfectly with Apple’s overall mission to protect user privacy by minimizing the information its services and devices gather to what is essential for use.
Apple’s senior vice president for software engineering, Craig Federighi, explained some of the company’s thinking when he told the European Data Protection and Privacy Conference: “The mass centralization of data puts privacy at risk—no matter who’s collecting it and what their intentions might be. So, we believe Apple should have as little data about our customers as possible.
“Now, others take the opposite approach,” he said. “They gather, sell, and hoard as much of your personal information as they can. The result is a data-industrial complex, where shadowy actors work to infiltrate the most intimate parts of your life and exploit whatever they can find — whether to sell you something, to radicalize your views, or worse.
“That’s unacceptable. And the solution has to start with not collecting the data in the first place.”
Don’t track me for ISPs
Apple continues to develop additional solutions designed to protect privacy. Most recently, we learned of its work with Cloudflare to build a technology called Oblivious DNS-over-HTTPS (ODoH), which decouples DNS queries from the user; in plain English, that means your ISP can no longer easily track which sites you visit.
Firefox, PCCW and others are experimenting with ODoH, which you can access through Cloudflare’s existing 1.1.1.1 DNS resolver.
We don’t yet know when Apple will implement this in iOS, but add it to the upcoming ability to access fraudulent site databases by proxy and you have useful privacy enhancements. It means Safari users can visit the websites they want and have access to fraudulent website warnings, without sharing their IP address or the address of the site they wish to visit.
Such data should be personal, Apple believes.
“What some companies call ‘personalized experiences’ are often veiled attempts to gather as much data as possible about individuals, build extensive profiles on them, and then monetize those profiles,” wrote Jane C. Horvath, Apple’s senior director for global privacy.
Putting users in control
Finally, we have the raft of privacy protections introduced in recent iterations of Apple’s operating systems, including Privacy Reports in Safari, Privacy Nutrition Reports at the App Store and the upcoming introduction of App Tracking Transparency (ATT) tools, also in iOS 14.5. While Apple may face some regulatory pushback on ATT in the event it doesn’t treat its own advertising services in the same way as it does competing advertisers, the company seems resolute that it will also implement the same protection around its own ads services.
“We believe that this is a simple matter of standing up for our users,” Apple has said. “Users should know when their data is being collected and shared across other apps and websites — and they should have the choice to allow that or not. App Tracking Transparency in iOS 14 does not require Facebook to change its approach to tracking users and creating targeted advertising, it simply requires they give users a choice.”