Google Researchers Find Flaws in Safari’s Privacy Features

One of the problems that Apple has with taking such a strong stance on user privacy is that it’s constantly under more scrutiny than many of its rival companies, and when a problem is discovered, it’s deemed all the more serious.

For example, when news surfaced last summer that third-party contractors were hearing some Siri recordings, it was a major revelation, despite the fact that Amazon’s Alexa and Google’s Assistant had long been doing similar things. Likewise, a report this week that Apple killed encrypted iCloud Backups in response to pressure from the FBI surprised and even shocked many users. In short, because of Apple’s focus on privacy, we’ve come to expect much more from the company.

The challenge, however, is that it’s quite complicated to protect user privacy in an era when everything is so open on the web and so much online technology seems designed with the express purpose of tracking and profiling users. So it should be understandable that Apple may not always get it perfect — privacy, especially on the web, is a cat-and-mouse game at the best of times.

So it probably shouldn’t come as a big surprise that Google security researchers have found flaws in the Intelligent Tracking Prevention feature in Safari, but what may be a bit more surprising is that the feature itself actually created a new privacy flaw while otherwise doing exactly what it was designed to do in the first place.

According to The Financial Times, Google security researchers found multiple flaws in Safari that allowed users’ browsing behaviour to actually be tracked as a direct result of how the Intelligent Tracking Prevention feature was designed, allowing third parties to obtain “sensitive private information about the user’s browsing habits.”

Working Too Well?

When it was released in 2017, Safari’s Intelligent Tracking Prevention (ITP) feature was hailed by privacy advocates as a revolutionary way to prevent users from being tracked around the web, using intelligent on-device machine learning to detect user behaviour and what advertising sites were doing and automatically block privacy-invasive tracking across websites. It was more user-friendly than the all-or-nothing approach of blocking third-party cookies entirely, while also proactively preventing many ways that advertisers and tracking networks would try to get around the usual restrictions.

However, it seems that the strength of Intelligent Tracking Prevention was also its biggest weakness. Since all of the ITP algorithms run on the Mac or iOS device, and are tailored to the specific user’s behaviour, that also means that it’s collecting its own set of user information about the websites visited by the user.

You would not expect privacy-enhancing technologies to introduce privacy risks. If exploited or used, these vulnerabilities would allow unsanctioned and uncontrollable user tracking.

Lukasz Olejnik, independent security researcher, speaking with The Financial Times

Although this information is stored entirely on the user’s device, and should therefore be private, security researchers were able to exploit flaws in the system that let them “create a persistent fingerprint” of users that could be used to track them around the web, as well as revealing what individual users were searching for on search engine pages.

It’s Already Fixed

While some might think that this is a case of Google being quick to pillory a competitor’s technology, the reality is that Google’s security researchers privately notified Apple of the flaws back in August, giving the company time to fix the problem. Apple patched Safari in December, publishing the results in a blog post titled Preventing Tracking Prevention Tracking and crediting the Google researchers for discovering the flaw and thanking them for their “responsible disclosure practice” that allowed Apple to address the problem before making it public knowledge.

Google’s researchers have found numerous flaws in Apple’s software over the past year or so, but also make it clear that they’re not singling out Apple, telling The Financial TImes that they have “long worked with companies across the industry to exchange information about potential vulnerabilities and protect our respective users.” The technical paper that Google is releasing this week outlining the flaws is primarily intended to help others benefit from the researchers’ findings.