{"id":24877,"date":"2019-04-04T16:19:49","date_gmt":"2019-04-04T20:19:49","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=24877"},"modified":"2019-04-24T17:22:33","modified_gmt":"2019-04-24T21:22:33","slug":"safari-link-tracking-can-no-longer-be-disabled","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/04\/04\/safari-link-tracking-can-no-longer-be-disabled\/","title":{"rendered":"Safari Link Tracking Can No Longer Be Disabled"},"content":{"rendered":"<p><a href=\"https:\/\/lapcatsoftware.com\/articles\/Safari-link-tracking.html\">Jeff Johnson<\/a> (<a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1113584361851490304\">tweet<\/a>):<\/p>\n<blockquote cite=\"https:\/\/lapcatsoftware.com\/articles\/Safari-link-tracking.html\"><p>Notice that when you hover over the &ldquo;Ping Me&rdquo; link, you only see the <code>href<\/code> URL, you don&rsquo;t see the <code>ping<\/code> URL, so you don&rsquo;t even know that the attribute exists unless you look at the HTML page source. When you click the link, it loads the page <code>http:\/\/lapcatsoftware.com\/<\/code> as expected. But it also sends an HTTP POST request to <code>http:\/\/underpassapp.com\/<\/code> without any visible indication to the user. You can only see it if you do a packet trace. It should come as no surprise that the primary usage of hyperlink auditing is for tracking of link clicks.<\/p><p>[&#8230;]<\/p><p>Apple shipped Safari 12.1 last week to the public with no way to disable hyperlink auditing. I hope to raise awareness about this issue, with the ultimate goal of getting hyperlink auditing disabled by default in Safari. 
Apple claims that Safari is supposed to protect your privacy and prevent cross-site tracking, but hyperlink auditing is a wide open door to cross-site tracking that still exists.<\/p><\/blockquote>\n<p><a href=\"https:\/\/twitter.com\/Eric_WVGG\/status\/1113597974632755200\">Eric Jacobsen<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/Eric_WVGG\/status\/1113597974632755200\">\n<p>If anyone is curious why this attribute was introduced: it&rsquo;s supposed to be an alternative to those chains of redirects that publishers often put in front of outbound links.<\/p>\n<p>User gets a direct link to destination instead of redirects (good), publishers and advertisers still get their data async (creepy, but arguably better than the alternative)<\/p>\n<p>Imo is fine as long as there&rsquo;s an opt-out, which chrome and ff have but oddly Safari just dropped.<\/p>\n<\/blockquote>\n\n<p>Is Apple&rsquo;s reasoning that making it an option would prevent sites from using <code>ping<\/code>? It&rsquo;s better to have access to the real URL with a compulsory <code>ping<\/code> than to be forced to use a redirect chain that&rsquo;s slower and no more private.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/02\/07\/apple-is-removing-do-not-track-from-safari\/\">Apple Is Removing &ldquo;Do Not Track&rdquo; From Safari<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/01\/18\/stop-google-search-results-tracking\/\">Stop Google Search Results Tracking<\/a><\/li>\n<\/ul>\n\n<p id=\"safari-link-tracking-can-no-longer-be-disabled-update-2019-04-08\">Update (2019-04-08): <a href=\"https:\/\/www.bleepingcomputer.com\/news\/software\/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk\/\">Lawrence Abrams<\/a> (via <a href=\"https:\/\/news.ycombinator.com\/item?id=19596080\">Hacker News<\/a>):<\/p>\n<blockquote 
cite=\"https:\/\/www.bleepingcomputer.com\/news\/software\/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk\/\">\n<p>With privacy and online tracking being such a large problem and major concern for many users, you would think that browser developers would give you the option to disable anything that could affect your privacy.<\/p>\n<p>Unfortunately, this seems to be going in the reverse direction when it comes to hyperlink auditing.<\/p>\n<p>[&#8230;]<\/p>\n<p>Of all the browsers I tested, only Brave and Firefox currently disable it by default and do not appear to have any plans on enabling it in the future.<\/p>\n<p>[&#8230;]<\/p>\n<p>It turns out that Google uses hyperlink auditing in their search result pages. Every time you click on a search result link, your browser will also send an HTTPS POST request back to a Google URL in order to track the click.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/lapcatsoftware.com\/articles\/Safari-link-tracking2.html\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/lapcatsoftware.com\/articles\/Safari-link-tracking2.html\"><p>Anchor ping is not an alternative form of tracking, it&rsquo;s an additional form of tracking. We still have all the other forms of tracking along with this one. It may be true that if advertisers don&rsquo;t have anchor ping, they&rsquo;ll just use alternative methods, but the belief that advertisers won&rsquo;t use alternative methods of tracking if they have anchor ping has proven to be completely false. Anchor ping also turns out to be an advertiser&rsquo;s dream feature. It&rsquo;s completely invisible to the user, and it&rsquo;s more powerful and reliable than the other tracking methods.<\/p><p>[&#8230;]<\/p><p>Anchor ping was supposed to be transparent as in easily perceived by the user. Instead, anchor ping has become &ldquo;transparent&rdquo; as in invisible to the user. The browsers never informed the user about the ping notifications. 
And now browsers such as Safari and Chrome are removing the ability of the user to disable the notifications. As far as privacy is concerned, this is not &ldquo;a wash&rdquo; compared to previous tracking methods. It&rsquo;s a cover-up.<\/p><\/blockquote>\n\n<p id=\"safari-link-tracking-can-no-longer-be-disabled-update-2019-04-09\">Update (2019-04-09): <a href=\"https:\/\/pxlnv.com\/linklog\/user-tracking-ping-attribute\/\">Nick Heer<\/a>:<\/p>\n<blockquote cite=\"https:\/\/pxlnv.com\/linklog\/user-tracking-ping-attribute\/\">\n<p>I still can&rsquo;t figure out what users gain by <em>not<\/em> being informed of both the target URL and the redirect. When links are being used for tracking purposes, it makes sense to show the contents of the <code>href<\/code> so that users aren&rsquo;t misled; but, if we start <a href=\"https:\/\/pxlnv.com\/linklog\/firefox-reduce-notification-request-spam\/\">assuming all browser features will be used maliciously<\/a>, it is easy to see why the <code>ping<\/code> attribute should also be visible to the user.<\/p>\n<\/blockquote>\n\n<p id=\"safari-link-tracking-can-no-longer-be-disabled-update-2019-04-11\">Update (2019-04-11): <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hyperlink-auditing-pings-being-used-to-perform-ddos-attacks\/\">Lawrence Abrams<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hyperlink-auditing-pings-being-used-to-perform-ddos-attacks\/\">\n<p>Researchers have found that the HTML feature called hyperlink auditing, or pings, is being used to perform DDoS attacks against various sites. This feature is normally used by sites to track link clicks, but is now found to be abused by attackers to send a massive amount of web requests to sites in order to take them offline.<\/p>\n<p>[&#8230;]<\/p>\n<p>The yo.js script, shown below, would randomly select one of the above sites and create a HTML ping URL with that site as the ping target. 
It would then programmatically click on the link as shown by the link.click() command.<\/p>\n<p>The JavaScript would then create a new HTML ping URL and click every second. So the longer a user was on this page, the more clicks they would generate.<\/p>\n<\/blockquote>\n\n<p id=\"safari-link-tracking-can-no-longer-be-disabled-update-2019-04-12\">Update (2019-04-12): <a href=\"https:\/\/webkit.org\/blog\/8821\/link-click-analytics-and-privacy\/\">John Wilander<\/a>:<\/p>\n<blockquote cite=\"https:\/\/webkit.org\/blog\/8821\/link-click-analytics-and-privacy\/\">\n<p>Just turning off the Ping attribute or the Beacon API doesn&rsquo;t solve the privacy implications of link click analytics. Instead, it creates an incentive for websites to adopt tracking techniques that hurt the user experience. In effect, the choice between supporting Ping and not is not one of privacy, rather it is a choice between a good user experience and a bad one.<\/p>\n<p>[&#8230;]<\/p>\n<p>Until recently, Safari supported an internal User Defaults flag to disable support for the Ping attribute. It was never our intention to surface this flag as a customer setting. We think it&rsquo;s misguided to offer users the ability to disable web-facing features if doing so doesn&rsquo;t disable or prevent the ends of that technology. 
Instead, Intelligent Tracking Prevention and Content Blockers offer users different levels of support for categorically affecting link click analytics.<\/p>\n<\/blockquote>\n\n<p>However, <a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1116472355889537025\">currently<\/a> it seems like neither can be used to categorically <a href=\"https:\/\/bugs.webkit.org\/show_bug.cgi?id=196851\">block pings<\/a>.<\/p>\n\n<p><a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1116463956766461953\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1116463956766461953\">\n<p>The Chromium team is <a href=\"https:\/\/bugs.chromium.org\/p\/chromium\/issues\/detail?id=951611\">finally coming around<\/a>[&#8230;]<\/p>\n<p>[&#8230;]<\/p>\n<p>I think Apple just found itself on the wrong side of history, now as the <em>only<\/em> browser vendor defending a user tracking technology.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/rmondello\/status\/1116513538015551488\">Ricky Mondello<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/rmondello\/status\/1116513538015551488\">\n<p>We agree that <code>&lt;a ping&gt;<\/code> should be more transparent. 
I publicly filed <a href=\"https:\/\/bugs.webkit.org\/show_bug.cgi?id=196844\">this bug<\/a> to track improving this for WebKit and Safari[&#8230;]<\/p>\n<\/blockquote>\n\n<p>This is weird because his bug notes that Safari is <a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1116463214030667777\">not to spec<\/a>, yet Wilander&rsquo;s blog post makes it sound like the Safari team likes the current behavior.<\/p>\n\n<p id=\"safari-link-tracking-can-no-longer-be-disabled-update-2019-04-16\">Update (2019-04-16): <a href=\"https:\/\/lapcatsoftware.com\/articles\/Safari-link-tracking3.html\">Jeff Johnson<\/a> (<a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1116858088819232768\">tweet<\/a>):<\/p>\n<blockquote cite=\"https:\/\/lapcatsoftware.com\/articles\/Safari-link-tracking3.html\"><p>Fortunately, I have a solution for you now! Last night (as soon as I could get approved by Apple) I released <a href=\"https:\/\/itunes.apple.com\/app\/stopthemadness\/id1376402589?mt=12\">StopTheMadness 6.0 in the Mac App Store<\/a>. 
If you click on a link with the &ldquo;ping&rdquo; attribute, StopTheMadness 6.0 will now remove that &ldquo;ping&rdquo; attribute, thereby preventing your clicks from getting tracked by hyperlink auditing.<\/p><\/blockquote>\n\n<p id=\"safari-link-tracking-can-no-longer-be-disabled-update-2019-04-24\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/software\/mozilla-firefox-to-enable-hyperlink-ping-tracking-by-default\/\">Lawrence Abrams<\/a> (via <a href=\"https:\/\/news.ycombinator.com\/item?id=19704179\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.bleepingcomputer.com\/news\/software\/mozilla-firefox-to-enable-hyperlink-ping-tracking-by-default\/\"><p>Mozilla has told BleepingComputer that they will be enabling the tracking feature called hyperlink auditing, or Pings, by default in Firefox.<\/p><p>[&#8230;]<\/p><p>After Mozilla&rsquo;s response, we also contacted Brave Software to ask if they had any plans to enable hyperlink auditing in their browser.<\/p><p>&ldquo;Disabling hyperlink auditing is a crucial privacy feature, and Brave has always disabled this by default,&rdquo; Catherine Corre, Head of Communications at Brave Software, told BleepingComputer via email. &ldquo;Brave users expect this protection from our browser.&rdquo;<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/lapcatsoftware.com\/articles\/chrome-hyperlink-auditing.html\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/lapcatsoftware.com\/articles\/chrome-hyperlink-auditing.html\">\n<p>Today, Google shipped <a href=\"https:\/\/chromereleases.googleblog.com\/2019\/04\/stable-channel-update-for-desktop_23.html\" title=\"Chrome Releases\">Chrome 74<\/a> to the public, and this hidden preference is now indeed gone for everyone. 
The change log for Chrome 74 includes the removal of <code>disable-hyperlink-auditing<\/code> from <a href=\"https:\/\/chromium.googlesource.com\/chromium\/src\/+\/80a809a3566fe87ecbf2d7255ff7af4a7ee2fcb8\">Chromium<\/a>.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Jeff Johnson (tweet): Notice that when you hover over the &ldquo;Ping Me&rdquo; link, you only see the href URL, you don&rsquo;t see the ping URL, so you don&rsquo;t even know that the attribute exists unless you look at the HTML page source. When you click the link, it loads the page http:\/\/lapcatsoftware.com\/ as expected. But [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-04-04T20:19:51Z","apple_news_api_id":"1a9f2e18-aaff-4e06-868e-88c935790356","apple_news_api_modified_at":"2019-04-24T21:22:38Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAACA==","apple_news_api_share_url":"https:\/\/apple.news\/AGp8uGKr_TgaGjojJNXkDVg","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[1223,1337,649,279,51,456,81,30,1609,355,103,343,1775,96],"class_list":["post-24877","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-news","tag-brave","tag-esoteric-preferences","tag-firefox","tag-google","tag-googlechrome","tag-html5","tag-mac","tag-macos-10-14","tag-privacy","tag-safari","tag-search","tag-stop-the-madness","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjt
sai.com\/blog\/wp-json\/wp\/v2\/posts\/24877","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=24877"}],"version-history":[{"count":9,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/24877\/revisions"}],"predecessor-version":[{"id":25090,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/24877\/revisions\/25090"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=24877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=24877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=24877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}