Apple WebKit Team Publishes Website Tracking Prevention Policy

Apple's WebKit team has published a "WebKit Tracking Prevention Policy" that details a range of anti-tracking measures it has developed and the types of tracking practices it believes are harmful to users.


Inspired by Mozilla's anti-tracking policy, the document posted to the WebKit blog provides an insight into the anti-tracking features built into Apple's Safari browser that the team hopes to see in all browsers one day.

This document describes the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers. These practices are harmful to users because they infringe on a user's privacy without giving users the ability to identify, understand, consent to, or control them.

Apple introduced Intelligent Tracking Prevention in iOS 11 and in Safari 11 in macOS High Sierra 10.13 and has been working to develop ITP ever since. For example, in February Apple released iOS 12.2 and Safari 12.1 for macOS, both of which included ITP 2.1 featuring enhancements that block cross-site tracking.

The new WebKit policy highlights Apple's continuing efforts to target all forms of cross-site tracking behavior, even if it's in plain view.

WebKit will do its best to prevent all covert tracking, and all cross-site tracking (even when it’s not covert). These goals apply to all types of tracking listed above, as well as tracking techniques currently unknown to us.

If a particular tracking technique cannot be completely prevented without undue user harm, WebKit will limit the capability of using the technique. For example, limiting the time window for tracking or reducing the available bits of entropy — unique data points that may be used to identify a user or a user’s behavior.

In addition to cross-site tracking, the document outlines several other tracking practices it deems harmful to users, and says WebKit will treat circumvention of its anti-tracking measures "with the same seriousness as exploitation of security vulnerabilities."

If a party attempts to circumvent our tracking prevention methods, we may add additional restrictions without prior notice. These restrictions may apply universally; to algorithmically classified targets; or to specific parties engaging in circumvention.

For more on tracking definitions, the unintended impact of anti-tracking measures, and exceptions to the rules, check out the full WebKit Tracking Prevention Policy on the WebKit blog.