WebKit Tracking Prevention Policy

This document describes the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers. These practices are harmful to users because they infringe on a user’s privacy without giving users the ability to identify, understand, consent to, or control them.

We have implemented or intend to implement technical protections in WebKit to prevent all tracking practices included in this policy. If we discover additional tracking techniques, we may expand this policy to include the new techniques and we may implement technical measures to prevent those techniques.

Our current anti-tracking mitigations in WebKit are applied universally to all websites, or based on algorithmic, on-device classification.

We will review WebKit patches in accordance with this policy. We will review new and existing web standards in light of this policy. And we will create new web technologies to re-enable specific non-harmful practices without reintroducing tracking capabilities.

Tracking Definitions

Tracking is the collection of data regarding an individual’s identity or activity across one or more websites. Even if such data is not believed to be personally identifiable, it’s still tracking.

A first party is a website that a user is intentionally and knowingly visiting, as displayed by the URL field of the browser, and the set of resources on the web operated by the same organization. In practice, we consider resources to belong to the same party if they are part of the same registrable domain: a public suffix plus one additional label. Example: site.example, www.site.example, and s.u.b.site.example are all the same party since site.example is their shared registrable domain.

A third party is any party that does not fall within the definition of first party above.

A privileged third party is a party that has the potential to track the user across websites without their knowledge or consent because of special access built into the browser or operating system. Examples: a central clearinghouse that can learn of a user’s browsing; a domain uniquely allowed to host tracking scripts by the browser. WebKit’s policy does not allow privileged third parties.

Interactions with other parties are considered third-party, even if the user is transiently informed in context (for example, in the form of a redirect). Merely hovering over, muting, pausing, or closing a given piece of content does not constitute an intention to interact.

Types of Tracking

Cross-site tracking is tracking across multiple first party websites; tracking between websites and apps; or the retention, use, or sharing of data from that activity with parties other than the first party on which it was collected.

Stateful tracking is tracking using storage on the user’s device. This storage can be ephemeral or persistent. Such storage includes but is not limited to cookies, DOM storage, IndexedDB, the HTTP cache and other caches, HSTS, and media keys. It also includes tracking via communication mechanisms that are potentially accessible cross-site, such as Service Workers or Broadcast Channels.

Covert stateful tracking is stateful tracking which uses mechanisms that are not intended for general-purpose storage, such as HSTS or TLS.

Navigational tracking is tracking through information controlled by the source of a top-level navigation or a subresource load, transferred to the destination. This includes URL parameter-based tracking or link decoration, which is tracking via information added to URLs, and HTTP header data that can be set up to include tracking information, such as the referrer.

Fingerprinting, or stateless tracking, is tracking based on the properties of the user’s behavior and computing environment, without the need for explicit client-side storage. This includes properties of user’s web browser and its configuration, the user’s device and its configuration, the user’s location, or the user’s network connection. Fingerprinting vectors include but are not limited to installed fonts, the user agent string, GPU details, CPU details, IP address, and TLS connection.

Covert tracking includes covert stateful tracking, fingerprinting, and any other methods that are similarly hidden from user visibility and control.

Tracking may also be performed using currently unknown techniques that do not fall into these categories.

Tracking We Will Prevent

WebKit will do its best to prevent all covert tracking, and all cross-site tracking (even when it’s not covert). These goals apply to all types of tracking listed above, as well as tracking techniques currently unknown to us.

If a particular tracking technique cannot be completely prevented without undue user harm, WebKit will limit the capability of using the technique. For example, limiting the time window for tracking or reducing the available bits of entropy — unique data points that may be used to identify a user or a user’s behavior.

If even limiting the capability of a technique is not possible without undue user harm, WebKit will ask for the user’s informed consent to potential tracking.

We consider certain user actions, such as logging in to multiple first party websites or apps using the same account, to be implied consent to identifying the user as having the same identity in these multiple places. However, such logins should require a user action and be noticeable by the user, not be invisible or hidden.

Policy Circumvention

We treat circumvention of shipping anti-tracking measures with the same seriousness as exploitation of security vulnerabilities.

If a party attempts to circumvent our tracking prevention methods, we may add additional restrictions without prior notice. These restrictions may apply universally; to algorithmically classified targets; or to specific parties engaging in circumvention.

No Exceptions

We do not grant exceptions to our tracking prevention technologies to specific parties. Some parties might have valid uses for techniques that are also used for tracking. But WebKit often has no technical means to distinguish valid uses from tracking, and doesn’t know what the parties involved will do with the collected data, either now or in the future.

Unintended Impact

There are practices on the web that we do not intend to disrupt, but which may be inadvertently affected because they rely on techniques that can also be used for tracking. We consider this to be unintended impact. These practices include:

  • Funding websites using targeted or personalized advertising (see Private Click Measurement below).
  • Measuring the effectiveness of advertising.
  • Federated login using a third-party login provider.
  • Single sign-on to multiple websites controlled by the same organization.
  • Embedded media that uses the user’s identity to respect their preferences.
  • “Like” buttons, federated comments, or other social widgets.
  • Fraud prevention.
  • Bot detection.
  • Improving the security of client authentication.
  • Analytics in the scope of a single website.
  • Audience measurement.

When faced with a tradeoff, we will typically prioritize user benefits over preserving current website practices. We believe that that is the role of a web browser, also known as the user agent.

However, we will try to limit unintended impact. We may alter tracking prevention methods to permit certain use cases, particularly when greater strictness would harm the user experience. In other cases, we will design and implement new web technologies to re-enable these practices without reintroducing tracking capabilities. Examples of these include Storage Access API and Private Click Measurement.

We want to see a healthy web ecosystem, with privacy by design.

Acknowledgements

Our policy was inspired by and derived from Mozilla’s anti tracking policy.