Yeah that part stuck out to me too. Sigh. What if my browser just did nothing at all to help advertisers, because it's my browser running on my hardware? Even if it is totally privacy-preserving and completely transparent, why would my browser spend my processor cycles, network bandwidth, and electricity for the benefit of someone else's for-profit business?
Really, just ... what if the software on my computer tried its best to do exactly what I asked it to do, and was not concerned with anyone else's problems?
I buy Apple products. Believe me, I pay the full cost of those - but even if I didn't there are free browsers like Firefox and they are also playing with this.
You might be correct soon, but not quite yet. There are some positive things going on and the recent news about the EU, Apple and virtualisation is one example.
> why would my browser spend my processor cycles, network bandwidth, and electricity for the benefit of someone else's for-profit business?
I think a reasonable answer is that you are using their website for your own purposes; that running a website has costs; and that many businesses choose to fund those costs by advertising. If you don't want to be advertised to, I would suggest paying a fee to use ad-free services.
The time when you could reasonably expect paid services not to track you ended well over a decade ago.
Apple specifically gets mentions as a website data sharing partner in the privacy policies of my health insurance, my dental insurance, and my mortgage provider. I can assure you that none of those companies are lacking for funds to run basic websites and equally that none of them have ways to pay to "opt out".
They present this like a smart solution for some sort of fundamental problem. It's really not a fundamental problem. Advertisement has worked and still works perfectly fine without attribution in TV, in magazines, on billboards.
Adtech gaslights everyone into accepting that just because it is technically possible to perfectly track and personalize ads in digital media, that they have some sort of moral right to do it.
In many ways it is. When I first started blocking using pac files. It was painfully obvious that samesite advertising is the harder thing to block. Luckily for the blockers most companies have been lazy about adverts and put them in known locations. Which works just as well for whole site blocking (known trackers). However, once the adverts are blended into the real data it becomes much harder. Such as what youtube is experimenting with (putting adverts right in the same data stream remuxed). As long as the adverts follow known patterns blocking works fairly easily. The next 'arms' race will be AI detection and block. It will only be a matter of time until someone comes up with a plugin that does exactly that.
> Does this prevent Google's cookieless tracking technology?
To a point. But you do not need much data to fingerprint. Think it is something like 12-13 bits plus your IP even with a VPN.
dont know. legal does not have much to do with it. You just dont need that much info to identify someone. https://coveryourtracks.eff.org/ I was wrong it is more like 20-30 bits you need. But those bits are fairly known how to get by the advertisers. The reality is most people do not known about or are resigned to it.
> Proxying unencrypted HTTP. Any unencrypted HTTP resources loaded in Private Browsing will use the same multi-hop proxy network used to hide IP addresses from trackers. This ensures that attackers in the local network cannot see or modify the content of Private Browsing traffic.
No thanks, Apple!
I trust my ISP more than you. Multi-hop wont matter if all nodes are managed by you.
iCloud Private Relay uses one hop through Apple infrastructure, and one hop through third-party infrastructure. So, one node is managed by Apple and the other is managed by Cloudflare/Akamai/Fastly. The Apple node knows where the request comes from but not the contents, while the CF/Akamai/Fastly node knows the contents but not the source.
This works as long as there is no one combining the information together, like Apple together with Cloudflare, or the US government. This is a concern, since both are under the same jurestiction and are bussiness partners.
Contrast this model with Tor where you have 3 hops that are selected in such a way that there is a lower probability that logs from the node operators will be combined. If two nodes, let's say node 1 and 3 are coorporating, then the best that they can do is a correlation attack or other probabalistic methods.
If two nodes (all of them) in WebKit are adverserial, then the content is linked back to your IP address with 100% probability.
How paranoid are you? If I were the US government and wanted a leg up on Internet meta data of people looking to avoid surveillance, I'd run a shitton of Tor exit nodes and log IP information on the off chance something useful comes of it.
Afaik, all that gives you is the person running the exit node (and where the request is going) and nothing about the person who initiated the request N-hops ago.
A large set of exit and relay nodes are being run out of Germany, presumably by some state actor, so it's likely at least a subset of traffic is being unmasked by a state actor.
I'm sure some of this info has been passed on and then parallel construction used to obfuscate the initial source of the data.
Tor and Private Relay are both vulnerable to traffic analysis by a global adversary, which is what OP is complaining about here (if Apple and Cloudflare collude or are compelled to share data). Basically, if you can see the traffic going in/out of all the nodes (even just the amount of it), then you can deanonymize individual streams of data. Tor explicitly does not defend against this threat.
>Contrast this model with Tor where you have 3 hops that are selected in such a way that there is a lower probability that logs from the node operators will be combined
"selected in such a way" sounded like there is something in Tor that actively works against a situation where the hops are owned by the same operator, but AFAIK there isn't such a thing. Hence my request for confirmation that the only thing Tor does better than the Apple+Cloudflare situation here is that it has more than two hops so that it increases the number of colluders needed for correlation.
Yeah, all true. In fact Tor explicitly forgoes any mitigation against a global passive adversary - it’s designed to accept that risk.
Another thing Tor does better is that it creates circuits with nodes spanning multiple jurisdictions, whereas Private Relay circuits are confined to one jurisdiction (and worse, to your current one).
> actively works against a situation where the hops are owned by the same operator, but AFAIK there isn't such a thing
Right, there is nothing Tor can do to guarantee this, but it does take some best-effort measures like maximizing diversity of AS providers (you won’t get a circuit of three nodes with the same AS number). Of course this is meaningless in a world where anyone can purchase servers from anywhere. There is a lot of research on this attack vector against Tor (and p2p networks in general) - the relevant search term is “Sybil resistance.”
You are assuming a US ISP. That's only true for a minority of internet users.
Trusting local parties of US parties is not a strange thought, especially since I can influence their supervision with my vote. Also, it seems plausible that the US is headed into dictatorship or civil war in the near future. Nether scenario helps me trust the US jurisdiction.
If you’re outside the US, I’d be even more concerned about the US completely compromising your networks. It’s well known the NSA is tapping backbones, DNS, and exchanges around the world
> This works as long as there is no one combining the information together, like Apple together with Cloudflare, or the US government.
If that is your threat model, you need something a lot stronger than Private Browsing, whose purpose begins and ends with "I do not want other people to know what porn sites I visit". Tor is a good start.
Tor is vulnerable to the same threat of a global passive observer. But at least you can mitigate against it by ensuring the nodes are in separate jurisdictions.
@radicaldreamer, I don't live in the US, same goes with a large number of Apple's customers.
A user's residential IP address is in many cases almost static, and doesn't change that often. If you use the same residential IP for other services from Apple, or sites that are protected by Cloudflare's MITM DDOS protection, the content of the HTTP site can be linked back to you with a high probability through your IP address, and possibly in combination with other metadata such as the user-agent, or other headers.
The probability that a user's identity would be linked up with browsing HTTP sites and an attempt to use that in an adverserial manner is higher when it's Apple than when using my ISP.
Of course, you may think differently regarding your ISP, but that's for each one of us to decide about our own service providers.
I don't understand, why is using 10 sites with a cloudflare layer linking directly to your static home IP less likely to identify you across those sites than a double hop via apple's servers where the sites (and cloudflare) don't know which sites are being visited by which end user static ip?
Browsing an HTTP site that would otherwise have nothing to do with Cloudflare could end up becoming associated with you. That can happen if the data that CF has is matched with the data at Apple, either by Apple and CF themselves or the US government.
The sites that already are MITM'd by Cloudflare are a different story. Cloudflare is going to know what IP address visited them at what time, and if you login with your personal email address, or if your personal phone number is shown in your account settings, then your identity is linked with some probability to that IP address+time.
If you then browse a non-CF HTTP site, using Apple's proposed proxy, there would be the risk that your identity+IP address that CF knows become associated with using the HTTP site as well.
If you don't use Apple's proxy at all, you connecting to a non-CF HTTP site would only be known by your ISP.
Your ISP and every single network between you and the server your connected too. Better hope that your connection does go via any major internet exchanges or data centres, because we know full well they’re all tapped by various three letter agencies hoovering up endless amounts of metadata
Apple own the browser, if they want to link up your identity with your browsing habits, they can just have Safari phone home all the data.
There’s no need for this ridiculous game of charades with private relay. Why on earth would Apple bother spending so much money setting up this infrastructure to spy on a browser they own, running on an OS they also own. It would be like arguing that your bank is secretly in cahoots with shops to spy on your transaction history, because of some reason they can’t do the obvious thing of just spying on your transaction history, which they already have by virtue of being your bank.
Your claim is ridiculous and doesn’t stand up to even a modicum of scrutiny. Unless you know of reason for believing that Apple is secretly spy on their customers, but only doing in the most convoluted way possible?
>Your claim is ridiculous and doesn’t stand up to even a modicum of scrutiny. Unless you know of reason for believing that Apple is secretly spy on their customers, but only doing in the most convoluted way possible?
Even if it doesn't happen today, there is a realistic, technical possibility that the data flow could be exploited tomorrow. If the infrastructure is already there, and future incentives are found, what prevents the infrastructure from being exploited in the backend?
It is an easely exploitable system, and that's worth discussing and be conserned about.
But still, you bring up a good point. This is relatively convoluted to other ways Apple could harvest data if they wanted to. In fact, they already are harvesting much more data than unencrypted HTTP content by pushing iCloud onto its users.
Even if this was an attampt by Apple to gain good will, it has serious flaws, and Apple isn't generally a trustworthy company, and the jurestiction it operates under is not trustworthy either.
This feature is being sold as a strong privacy tool, and it's beneficial to discuss its flaws in isolation.
Could you provide some evidence for this claim, beyond the fact that all companies are profit motivated, and thus can only be trusted to protect their bottom line.
> This feature is being sold as a strong privacy tool, and it's beneficial to discuss its flaws in isolation.
Not really, all security and privacy is relative. You can discuss any security or privacy tool in isolation and find fault. But that’s not actually useful, because the only conclusion you could possibly derive from such an approach is that only truly secure and private way to exist is inside a small box disconnected from the rest of the world.
> Even if it doesn't happen today, there is a realistic, technical possibility that the data flow could be exploited tomorrow. If the infrastructure is already there, and future incentives are found, what prevents the infrastructure from being exploited in the backend?
That’s a rather silly question. It only makes sense to worry about this hypothetical if you already have strong argument for why Apple et.al. wouldn’t just compromise the browser or OS instead. The more parties needed to assemble a complete data flow, the more people that are needed, and more likely some will leak the fact this activity occurring. That the whole point of making a big song and dance about both Apple and 3rd parties being involved in Private Relay. Both parties have to be compromised to get valuable data, that’s much harder than compromising a single organisation.
Talking about all this silly hypotheticals deliberately ignores the simple fact that people will always choose the simplest, easier route to solving a problem. Putting forward the argument that a nation state or a private organisation is gonna bother attacking Private Relay, but not your ISP and unencrypted HTTP connections (which we know are already tapped at major internet exchanges) is ridiculous, bordering on paranoid.
Apple only control half the nodes, the other half is controlled by cloudflare.
Every request goes via an Apple node first, then is sent to a 3rd party node for final routing. That way neither Apple nor the 3rd party have a complete picture of where a request came from, or where it went.
Not entirely sure why you would trust a random ISP, and everyone else involved in routing that connection, more than Apple. Last I checked most ISP don’t have the tightest privacy policies, or even the best data handling practices. Apple stands to loose millions if they slip up on their privacy promises. Most ISP wouldn’t even bother telling you if they accidentally misplaced your personal details.
Really… in Europe, all ISPs and phone companies were required to keep a log of traffic and location (for example email addresses source/dest up). This was until 2015 but I’m sure some still do
My ISP is required to save logs as far as I'm aware, and I think that's bad, don't get me wrong. I still trust Apple and Cloudflare less, because I believe that data in their hands is more likely to end up being used in an adverserial manner. This is my opinion.
See also Mozilla turning on routing DNS traffic to Cloudflare by default because that's the level of trust this American organisation has in their ISPs, but after concerns raised in other countries they decided to turn it off by default at least where I'm from in western Europe (not sure about the rest of the world)
This is one of iCloud's best features. I'm almost always protected by something like a VPN but that Cloudflare has been programmed to trust so I don't see recaptchas all day. AT&T just helpfully leaked their call records database which serves as a data point against trusting ISP more than Apple & Cloudflare. If anything, I want Private Relay running for every application on my phone
Has anyone actually seen this feature in action? Looking at packet traces, I can't seem to get it to work. I'm still seeing DNS queries and HTTP in the clear.
It's very odd that Safari treats extension scripts as third-party, especially when they have been given permission to access all websites and data (sound like a bug almost?).
I use and love StopTheMadness Pro. Do you know if it breaks the whole extension or only some parts of it? If so, which ones? (I don't use the copy URL shortcut for example).
> When we invented Private Browsing back in 2005, our aim was to provide users with an easy way to keep their browsing private from anyone who shared the same device.
I wonder if anyone actually involved 19 years ago was also involved in writing this piece, or if it just sounded reasonable to whoever drafted it up.
Oh no, I didn't mean at all to say it was unreasonable. I meant that the paragraph claims to know what the aim was when introducing the feature, so I wondered if they actually knew that, or just guessed that that was the aim (because it sounds reasonable that it was).
Apple has a corporate writing/speech style guide that they adhere to religiously. Anything done by anyone in the company present or past is always “we”. Notice how all their keynotes and product press releases almost always include the sentence “we think you’re gonna love it”?
Sorry, I was mostly referring to the fact that they claim to know what the aim was when introducing the feature, even though they might not have been there. Pure curiosity.
It's stylistically typical in English for someone writing on behalf of an organization to use "we" to refer to the organization in its entirety, not to the individual or individuals doing the writing - so in something such as this, "we" is indeed appropriate as Apple the company definitely was there when they released Private Browsing back in 2005.
I wasn't involved in the internal discussion 19 years ago, but definitely remember the feature being considered to be for the purpose you cited. I also remember telling classmates that you can use it for logging in to two accounts at the same time on the site we were developing to have an easier time demoing it to the teachers, and getting jokes about "gee you're awfully familiar with the private browsing feature", from which I'd say it was (1) news to people that it also worked the other way around (website doesn't recognise you) because it was worth bringing up, and (2) people demonstrated knowing it's for not leaving the browser history full of NSFW content—and buying gifts for your partner or parent, of course
My most-wanted feature in Safari (and Orion) is first-party website-data whitelisting. I have a limited number of sites whom I trust to store data. Everyone else should be a tabula rasa each visit.
There's an option for "delete cookies and site data when Firefox is closed", and you can allow sites to have persistent cookies. Also to block them from even use cookies, if that's your cup of tea, but I've found it works great this way: sites work but I don't keep logged in at every site all the time - after I close the browser window it's an instant log out for every site.
If you're willing to switch browsers, Firefox has this option built in. It flushes all cookies on exit, except from domains in the whitelist. Been using it for years!
> Staying with the 2005 definition of private mode as only being ephemeral, such as Chrome’s Incognito Mode, simply doesn’t cut it anymore.
Yes I cannot agree more. Personally this shift in people's expectations of Private Browsing or Incognito Browsing came in a way that felt sudden. The recent lawsuit about Google tracking you in Incognito mode was absolutely dumbfounding to me: of course websites can still track you! If only people still remembered the origins of this feature in 2005 (or 2008 in Chrome's case). But even on HN the opinion was pretty split. It is indeed clear that it is now time to change what private browsing means.
However, I don't think this is going to stay this way for long. The word "private" when it comes to computing has many varied definitions and it all depends on who the information is made private to. In the extreme case, if your threat model is privacy from eavesdroppers on the network or the ISP, then a browser can easily claim any HTTPS connection is private enough; the majority of browsing is already private browsing. If it is privacy from others using the same machine, then this older private browsing already works. But I cannot help but feel that a few years down the road people are going to consciously or subconsciously substitute yet another definition of privacy.
I'm not entirely surprised they got this "wrong" given that the question was, "What should we call it?" Naming things (correctly, "future-proof"-ly) is hard.
It's also not as if smart lamps have brains, as if "we use cookies" is about cookies (it's about agreeing to 178 privacy policies using localStorage and canvas fingerprinting unapologetically), as if cloud computing runs in the sky (ironically, in said clouds, you often can't use those services properly), as if a home button have something to do with your house, and so on and so forth. But, surprise: private navigation mode doesn't give you a free VPN or joins you to an onion routing dark web or something! Why would any consumer expects a computer term to be literally what it says, rather than being like the real-world thing they're named after
Naming things may be hard, but in addition, this isn't even a bad name. The popular colloquial name at the time (porn hiding button, or maybe that was only because I was a student when it was introduced) could hardly be seriously used, of course it is called something related to not leaving traces on the computer you're using
> Alongside the new suite of enhanced privacy protections in Private Browsing, Safari also brings a version of Web AdAttributionKit to Private Browsing.
This is worse for privacy. No other browser does this. No other browser even lets you opt in for this because it's so nonsensical.
and according to another poster here, Firefox added something similar.
Don't get me wrong, I hate that they had to make these concessions, but what was their choice? If they did not give something (while giving users the ability to opt out) we would have seen browsers being blocked (and no way Google was going to not do something given their entire business is ads, so they could just keep saying use Chrome).
That's just plain wrong. The thing PCM/PPA enables is tracking ad performance without tracking individual users. It is the polar opposite of browser fingerprinting.
You plain read my comment wrong. The things that Apple prevents (like the changes to make fingerprinting harder) are already illegal in enough markets that no big player is doing it. The tracking that Apple enabled is tracking that everybody does. The net effect is a reduction in privacy in private mode.
> We also expanded Web AdAttributionKit (formerly Private Click Measurement) as a replacement for tracking parameters in URL to help developers understand the performance of their marketing campaigns even under Private Browsing.
Without fail, the knee bends. This also just got quietly enabled by default in Firefox 128, go check and turn it off if you are so inclined.
It's not hidden in about:config thankfully. It's a checkbox in about:preferences labelled "Allow websites to perform privacy-preserving ad measurement"
Alternative take on the same news: ""Safari already contains ad tracking technology, and they’re now adding it to Safari’s Private Browsing mode, too"" -
With a subscription, you also get per-tab sessions and a VPN
---
The fingerprinting resistance is interesting as it claims to remove user behaviour characteristics like typing speed and how you move the cursor. Does it fire keyboard events with randomised delays and adds random offsets to mouse locations or how could this work? Games would be unplayable with mouse offsets and random input lag, but if that's not it, then the website gets the data so this has to be it right? For canvas specifically, they say there'll be small but probably visible artifacts from noise injections. So no web-based photo editing in private navigation? Curious how this'll work out in practice
Also cool is that they offer an open platform (Mastodon) as a place where you can respond to the author!
That article doesn't really say either way? It doesn't mention utm nor give a list of what's removed nor link to such a list (at least not the two links I tried). But if you found the list somewhere I'll take your word for it that utm isn't on there specifically; I should have used more generic phrasing though this did seem like an immediately recognisable "ah, that's what's meant" example
I don't know why you're loling. Do you expect me to paste the entire file contents into this comment thread?
If you're a Mac user, then you can easily see the file on your own Mac. My blog post was written for Mac users. And the WebKit blog post was written for Apple Safari users on Mac and iPhone.
In any case, you already said "I'll take your word for it that utm isn't on there specifically", so I don't know why this particular detail needs further debate.
I moved from Android to Apple for only two reasons:
1. They started using USB Type C.
2. They are the only major manufacturer that appears to actually take privacy seriously. Even their AI endeavours look the most privacy focused that exists.
I'm sure I could go buy some no-name brick and flash my own security focused OS and run my own relays and ... I don't want to do that. I want to buy something that everyone else uses and for it to respect me.
So as much hate as Apple gets, they have my trust in good faith, for now.
Apple is the only major manufacturer that makes phones that can't get their location or install an application without phoning home. The only appearance of privacy is in their marketing. Consider that Google did on-device voice-to-text long before Apple did, that Android lets you use a fully-offline app as your default maps app while iOS does not, and that Android lets you use real Firefox with real uBlock Origin. All out of the box on any Android phone from a reputable vendor. No flashing required.
Apple's deceptive marketing has made me lose all trust in the company. It will take a lot more than USB-C for me to consider Apple for computing devices.
114 comments
[ 0.25 ms ] story [ 177 ms ] threadThis is like a bad dream.
Really, just ... what if the software on my computer tried its best to do exactly what I asked it to do, and was not concerned with anyone else's problems?
Anyway, here are the AdAtributionKit docs:
- Technical / API: https://developer.apple.com/documentation/adattributionkit
- High-level: https://developer.apple.com/app-store/ad-attribution/
It's Safari. You pay a lot of money for a machine and its bundled software, which includes this.
I think a reasonable answer is that you are using their website for your own purposes; that running a website has costs; and that many businesses choose to fund those costs by advertising. If you don't want to be advertised to, I would suggest paying a fee to use ad-free services.
Apple specifically gets mentions as a website data sharing partner in the privacy policies of my health insurance, my dental insurance, and my mortgage provider. I can assure you that none of those companies are lacking for funds to run basic websites and equally that none of them have ways to pay to "opt out".
Adtech gaslights everyone into accepting that just because it is technically possible to perfectly track and personalize ads in digital media, that they have some sort of moral right to do it.
Is this a cat and mouse game?
> Fingerprinting
Does this prevent Google's cookieless tracking technology?
In many ways it is. When I first started blocking using pac files. It was painfully obvious that samesite advertising is the harder thing to block. Luckily for the blockers most companies have been lazy about adverts and put them in known locations. Which works just as well for whole site blocking (known trackers). However, once the adverts are blended into the real data it becomes much harder. Such as what youtube is experimenting with (putting adverts right in the same data stream remuxed). As long as the adverts follow known patterns blocking works fairly easily. The next 'arms' race will be AI detection and block. It will only be a matter of time until someone comes up with a plugin that does exactly that.
> Does this prevent Google's cookieless tracking technology?
To a point. But you do not need much data to fingerprint. Think it is something like 12-13 bits plus your IP even with a VPN.
Is that legal under GDPR?
No thanks, Apple!
I trust my ISP more than you. Multi-hop wont matter if all nodes are managed by you.
Contrast this model with Tor where you have 3 hops that are selected in such a way that there is a lower probability that logs from the node operators will be combined. If two nodes, let's say node 1 and 3 are coorporating, then the best that they can do is a correlation attack or other probabalistic methods.
If two nodes (all of them) in WebKit are adverserial, then the content is linked back to your IP address with 100% probability.
I'm sure some of this info has been passed on and then parallel construction used to obfuscate the initial source of the data.
>Contrast this model with Tor where you have 3 hops that are selected in such a way that there is a lower probability that logs from the node operators will be combined
"selected in such a way" sounded like there is something in Tor that actively works against a situation where the hops are owned by the same operator, but AFAIK there isn't such a thing. Hence my request for confirmation that the only thing Tor does better than the Apple+Cloudflare situation here is that it has more than two hops so that it increases the number of colluders needed for correlation.
Another thing Tor does better is that it creates circuits with nodes spanning multiple jurisdictions, whereas Private Relay circuits are confined to one jurisdiction (and worse, to your current one).
> actively works against a situation where the hops are owned by the same operator, but AFAIK there isn't such a thing
Right, there is nothing Tor can do to guarantee this, but it does take some best-effort measures like maximizing diversity of AS providers (you won’t get a circuit of three nodes with the same AS number). Of course this is meaningless in a world where anyone can purchase servers from anywhere. There is a lot of research on this attack vector against Tor (and p2p networks in general) - the relevant search term is “Sybil resistance.”
Btw - just to add some detail to the discussion, this blog post from Cloudflare is a good introduction to Private Relay: https://blog.cloudflare.com/icloud-private-relay
What if your ISP is working with the local cops or US government directly?
Trusting local parties of US parties is not a strange thought, especially since I can influence their supervision with my vote. Also, it seems plausible that the US is headed into dictatorship or civil war in the near future. Nether scenario helps me trust the US jurisdiction.
If that is your threat model, you need something a lot stronger than Private Browsing, whose purpose begins and ends with "I do not want other people to know what porn sites I visit". Tor is a good start.
You mean like an ISP that isn't in (and doesn't unnecessarily route through) the USA?
A user's residential IP address is in many cases almost static, and doesn't change that often. If you use the same residential IP for other services from Apple, or sites that are protected by Cloudflare's MITM DDOS protection, the content of the HTTP site can be linked back to you with a high probability through your IP address, and possibly in combination with other metadata such as the user-agent, or other headers.
Of course, you may think differently regarding your ISP, but that's for each one of us to decide about our own service providers.
The sites that already are MITM'd by Cloudflare are a different story. Cloudflare is going to know what IP address visited them at what time, and if you login with your personal email address, or if your personal phone number is shown in your account settings, then your identity is linked with some probability to that IP address+time.
If you then browse a non-CF HTTP site, using Apple's proposed proxy, there would be the risk that your identity+IP address that CF knows become associated with using the HTTP site as well.
If you don't use Apple's proxy at all, you connecting to a non-CF HTTP site would only be known by your ISP.
There’s no need for this ridiculous game of charades with private relay. Why on earth would Apple bother spending so much money setting up this infrastructure to spy on a browser they own, running on an OS they also own. It would be like arguing that your bank is secretly in cahoots with shops to spy on your transaction history, because of some reason they can’t do the obvious thing of just spying on your transaction history, which they already have by virtue of being your bank.
Your claim is ridiculous and doesn’t stand up to even a modicum of scrutiny. Unless you know of reason for believing that Apple is secretly spy on their customers, but only doing in the most convoluted way possible?
Even if it doesn't happen today, there is a realistic, technical possibility that the data flow could be exploited tomorrow. If the infrastructure is already there, and future incentives are found, what prevents the infrastructure from being exploited in the backend?
It is an easely exploitable system, and that's worth discussing and be conserned about.
But still, you bring up a good point. This is relatively convoluted to other ways Apple could harvest data if they wanted to. In fact, they already are harvesting much more data than unencrypted HTTP content by pushing iCloud onto its users.
Even if this was an attampt by Apple to gain good will, it has serious flaws, and Apple isn't generally a trustworthy company, and the jurestiction it operates under is not trustworthy either.
This feature is being sold as a strong privacy tool, and it's beneficial to discuss its flaws in isolation.
Could you provide some evidence for this claim, beyond the fact that all companies are profit motivated, and thus can only be trusted to protect their bottom line.
> This feature is being sold as a strong privacy tool, and it's beneficial to discuss its flaws in isolation.
Not really, all security and privacy is relative. You can discuss any security or privacy tool in isolation and find fault. But that’s not actually useful, because the only conclusion you could possibly derive from such an approach is that only truly secure and private way to exist is inside a small box disconnected from the rest of the world.
> Even if it doesn't happen today, there is a realistic, technical possibility that the data flow could be exploited tomorrow. If the infrastructure is already there, and future incentives are found, what prevents the infrastructure from being exploited in the backend?
That’s a rather silly question. It only makes sense to worry about this hypothetical if you already have strong argument for why Apple et.al. wouldn’t just compromise the browser or OS instead. The more parties needed to assemble a complete data flow, the more people that are needed, and more likely some will leak the fact this activity occurring. That the whole point of making a big song and dance about both Apple and 3rd parties being involved in Private Relay. Both parties have to be compromised to get valuable data, that’s much harder than compromising a single organisation.
Talking about all this silly hypotheticals deliberately ignores the simple fact that people will always choose the simplest, easier route to solving a problem. Putting forward the argument that a nation state or a private organisation is gonna bother attacking Private Relay, but not your ISP and unencrypted HTTP connections (which we know are already tapped at major internet exchanges) is ridiculous, bordering on paranoid.
Every request goes via an Apple node first, then is sent to a 3rd party node for final routing. That way neither Apple nor the 3rd party have a complete picture of where a request came from, or where it went.
Not entirely sure why you would trust a random ISP, and everyone else involved in routing that connection, more than Apple. Last I checked most ISP don’t have the tightest privacy policies, or even the best data handling practices. Apple stands to loose millions if they slip up on their privacy promises. Most ISP wouldn’t even bother telling you if they accidentally misplaced your personal details.
https://blog.cloudflare.com/icloud-private-relay/
I’ve got one too, it’s taken me 25 years to find.
https://voyager.nz/
And no NAT!
See also Mozilla turning on routing DNS traffic to Cloudflare by default because that's the level of trust this American organisation has in their ISPs, but after concerns raised in other countries they decided to turn it off by default at least where I'm from in western Europe (not sure about the rest of the world)
(I don't use iCloud Private Relay.)
I use and love StopTheMadness Pro. Do you know if it breaks the whole extension or only some parts of it? If so, which ones? (I don't use the copy URL shortcut for example).
Yes, I assume it's a bug.
> I use and love StopTheMadness Pro.
Thanks!
> Do you know if it breaks the whole extension or only some parts of it? If so, which ones?
Not the whole extension, no, only the parts that depend specifically on the URL query.
> When we invented Private Browsing back in 2005, our aim was to provide users with an easy way to keep their browsing private from anyone who shared the same device.
I wonder if anyone actually involved 19 years ago was also involved in writing this piece, or if it just sounded reasonable to whoever drafted it up.
It's an interesting question to me because their tone is speaking from experience but is it the authors experience or Apple?
I care a lot more if it's the actual author, a human, over Apple, a brainless corporation.
https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...
Yes I cannot agree more. Personally this shift in people's expectations of Private Browsing or Incognito Browsing came in a way that felt sudden. The recent lawsuit about Google tracking you in Incognito mode was absolutely dumbfounding to me: of course websites can still track you! If only people still remembered the origins of this feature in 2005 (or 2008 in Chrome's case). But even on HN the opinion was pretty split. It is indeed clear that it is now time to change what private browsing means.
However, I don't think this is going to stay this way for long. The word "private" when it comes to computing has many varied definitions and it all depends on who the information is made private to. In the extreme case, if your threat model is privacy from eavesdroppers on the network or the ISP, then a browser can easily claim any HTTPS connection is private enough; the majority of browsing is already private browsing. If it is privacy from others using the same machine, then this older private browsing already works. But I cannot help but feel that a few years down the road people are going to consciously or subconsciously substitute yet another definition of privacy.
I'm not entirely surprised they got this "wrong" given that the question was, "What should we call it?" Naming things (correctly, "future-proof"-ly) is hard.
Naming things may be hard, but in addition, this isn't even a bad name. The popular colloquial name at the time (porn hiding button, or maybe that was only because I was a student when it was introduced) could hardly be seriously used, of course it is called something related to not leaving traces on the computer you're using
Private browsing was so your gf wouldn’t find out about the engagement rings you were looking at!
* These guys are truly working very hard at guaranteeing privacy;
* That will probably break some websites (I'm trying out the advanced tracking protection in normal mode, we'll see).
* It will also put them on collision with Google, which is essentially an advertising shop with a free browser frontend.
> Alongside the new suite of enhanced privacy protections in Private Browsing, Safari also brings a version of Web AdAttributionKit to Private Browsing.
This is worse for privacy. No other browser does this. No other browser even lets you opt in for this because it's so nonsensical.
That seems like an exaggeration? How could another solution possibly be worse for privacy than the open season it was previously...
The worst it could be is the same.
> No other browser even lets you opt in for this because it's so nonsensical.
That also does not seem true
Google has their topics API: https://developer.chrome.com/blog/new-in-chrome-115/#topics-...
and according to another poster here, Firefox added something similar.
Don't get me wrong, I hate that they had to make these concessions, but what was their choice? If they did not give something (while giving users the ability to opt out) we would have seen browsers being blocked (and no way Google was going to not do something given their entire business is ads, so they could just keep saying use Chrome).
Previously, there was no ad tracking at all in private mode.
> That also does not seem true
No other browser enables any such tracking in private mode or incognito mode. https://developers.google.com/privacy-sandbox/relevance/attr....
The Topics API you mentioned returns empty topics in incognito mode. https://clearcode.cc/blog/google-chrome-topics-explained/#:~....
> but what was their choice?
Do what other browsers do. Don't enable ad tracking in private mode.
The post is about ways that tracking was previously possible in private mode that have now been blocked.
Without fail, the knee bends. This also just got quietly enabled by default in Firefox 128, go check and turn it off if you are so inclined.
https://www.osnews.com/story/140252/safari-already-contains-...
- Blocking requests to known trackers
- Remove utm_ and other such parameters from URLs
- Fingerprinting resistance
- Extension disabling
- Cap third-party cookie lifetimes
- Partitioning for sessionStorage and blob URLs
- Proxying encrypted-to-the-resolver DNS traffic
- Proxying HTTP, but only when it's unencrypted
With a subscription, you also get per-tab sessions and a VPN
---
The fingerprinting resistance is interesting as it claims to remove user behaviour characteristics like typing speed and how you move the cursor. Does it fire keyboard events with randomised delays and adds random offsets to mouse locations or how could this work? Games would be unplayable with mouse offsets and random input lag, but if that's not it, then the website gets the data so this has to be it right? For canvas specifically, they say there'll be small but probably visible artifacts from noise injections. So no web-based photo editing in private navigation? Curious how this'll work out in practice
Also cool is that they offer an open platform (Mastodon) as a place where you can respond to the author!
Incorrect. Safari does not remove utm_ parameters. See: https://lapcatsoftware.com/articles/2023/6/2.html
I don't know why you're loling. Do you expect me to paste the entire file contents into this comment thread?
If you're a Mac user, then you can easily see the file on your own Mac. My blog post was written for Mac users. And the WebKit blog post was written for Apple Safari users on Mac and iPhone.
In any case, you already said "I'll take your word for it that utm isn't on there specifically", so I don't know why this particular detail needs further debate.
What an oxymoron.
1. They started using USB Type C.
2. They are the only major manufacturer that appears to actually take privacy seriously. Even their AI endeavours look the most privacy focused that exists.
I'm sure I could go buy some no-name brick and flash my own security focused OS and run my own relays and ... I don't want to do that. I want to buy something that everyone else uses and for it to respect me.
So as much hate as Apple gets, they have my trust in good faith, for now.
Apple's deceptive marketing has made me lose all trust in the company. It will take a lot more than USB-C for me to consider Apple for computing devices.