iOS 11 Cookie Changes - Seeking technical explanation - cookies

iOS 11 apparently brings significant changes to the way cookies work.
Can someone provide me with a comprehensive, technically detailed description of the exact behaviour changes?
If we're all going to need to make modifications to the way our sites work to support this, this feels like an important question/thread to populate with concise details as a reference for everyone.
The best I can find are articles like this:
https://adexchanger.com/data-driven-thinking/apples-upcoming-safari-changes-will-shake-ad-tech/

The actual feature of concern is Webkit's Intelligent Tracking Prevention.
This is covered in a post on the Webkit blog: https://webkit.org/blog/7675/intelligent-tracking-prevention
I'll attempt to summarise for the benefit of SO:
The intention is that third-party cookies from sites that are determined to perform cross-site tracking can only be available on your site if the user is an active user of the third-party site.
A machine learning algorithm, on device, makes the determination that a site is doing cross-site tracking. The exact conditions that would trigger this determination are not made clear in the blog post.
Example:
Using AdTech Co as an example, and foo.com as your site:
- You have AdTech Co tracking code on your site, foo.com, which relies on an adtech.com cookie to identify the user.
- adtech.com is a third-party cookie: it isn't a subdomain of foo.com, and it has already been determined to be a cross-site tracker.
- Whether the user is an active user of AdTech Co is tracked by the browser: have they actually browsed adtech.com as a user?

If the user has actually browsed adtech.com in the past day:
- Cookies work as normal.

If the user has browsed adtech.com between 1-30 days ago:
- Cookies are partitioned, meaning that adtech.com cookies can be stored and retrieved, but are scoped to foo.com. AdTech Co code running on bar.com would not be able to read these cookies, even though they are owned by adtech.com.

If the user hasn't browsed adtech.com in 30 days:
- The cookies are purged entirely.
Here's the image from the blog post showing these rules:
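
The three time windows in the answer above can be modelled as a small cookie jar keyed by cookie domain and top-level site. This is an added example, not code from the original answer or from WebKit; the class and method names are assumptions, and the tracker classification is taken as already made.

```javascript
// Simplified model of the three time windows above. Not WebKit code: names are
// illustrative and "classified as a cross-site tracker" is assumed as given.
const DAY = 24 * 60 * 60 * 1000;

class ItpCookieJar {
  constructor() {
    this.lastVisit = new Map(); // tracker domain -> time of last first-party visit (ms)
    this.jar = new Map();       // "cookieDomain|partition" -> Map(name -> value)
  }

  // The user browsed `domain` itself, as a first party, at time `now`.
  recordFirstPartyVisit(domain, now) {
    this.lastVisit.set(domain, now);
  }

  // Window that applies to a classified tracker at `now`.
  state(domain, now) {
    const last = this.lastVisit.get(domain);
    if (last === undefined || now - last > 30 * DAY) return "purged";
    return now - last <= DAY ? "normal" : "partitioned";
  }

  // Storage key for this context; "*" is the shared jar, null means no cookies.
  key(domain, topLevelSite, now) {
    const s = this.state(domain, now);
    if (s !== "purged") return domain + "|" + (s === "normal" ? "*" : topLevelSite);
    for (const k of [...this.jar.keys()]) {
      if (k.startsWith(domain + "|")) this.jar.delete(k); // purge every partition
    }
    return null;
  }

  set(domain, topLevelSite, name, value, now) {
    const k = this.key(domain, topLevelSite, now);
    if (k === null) return false;
    if (!this.jar.has(k)) this.jar.set(k, new Map());
    this.jar.get(k).set(name, value);
    return true;
  }

  get(domain, topLevelSite, name, now) {
    const k = this.key(domain, topLevelSite, now);
    return k !== null && this.jar.has(k) ? this.jar.get(k).get(name) : undefined;
  }
}
```

In the partitioned window a value written under foo.com is readable under foo.com only, which is why the same adtech.com script embedded on bar.com sees a fresh, unrelated cookie.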

Related

What exactly does Safari ITP do?

I am very confused as to how Safari ITP 2.3 works in certain respects, and why sites can’t easily circumvent it. I don’t understand under what circumstances limits are applied, what the exact limits are, to what they are applied, and for how long.
To clarify my question I broke it down into several cases. I will be referring to Apple’s official blog post about ITP 2.3 [1] which you can quote from, but feel free to link to any other authoritative or factually correct sources in your answer.
For third-party sites loaded in iframes:
1. Why can’t they just use localStorage to store the values of cookies, and send this data back and forth not as actual browser cookie headers 🍪, but as data in the body of the request or a header like Set-AuxCookie? Similarly, they can parse the response to update localStorage. What limits does ITP actually place on localStorage in third party iframes?
2. If the localStorage is frequently purged (see question 1), why can’t they simply use postMessage to tell a script on the enclosing website to store some information (perhaps encrypted) and then spit it back whenever it loads an iframe?

For sites that use link decoration:
3. I still don’t understand what the limits on localStorage are in third party sites in iframes, which did NOT get classified as link decorator sites. But let’s say they are link decorator sites. According to [1] Apple only starts limiting stuff further if there is a querystring or fragment. But can’t a website rather trivially store this information in the URL path before the querystring, i.e. /in/here without ?in=here … certainly large companies like Google can trivially choose to do that?
4. In the case a site has been labeled as a tracking site, does that mean all its non-cookie data is limited to 7 days? What about cookies set by the server, aren’t they exempted? So then simply make a request to your server to set the cookie instead of using JavaScript. After all, the operator of the site is very likely to also have access to its HTTP server and app code.

For all sites:
5. Why can’t a service like Google Analytics or Facebook’s widgets simply convince a site to additionally add a CNAME to their DNS and get Google’s and Facebook’s servers under a subdomain like gmail.mysite.com or analytics.mysite.com? And then boom, they can read and set cookies again, in some cases even on the top-level domain for website owners who don’t know better. Doesn’t this completely defeat the goals of Apple’s ITP, since Google and Facebook have now become a “second party” in some sense?
6. Here on StackOverflow, when we log out on iOS Safari the StackOverflow network is able to log out of multiple sites at once … how is that even accomplished if no one can track users across websites? I have heard it said that “second party cookies” still can be stored but what exactly makes a second party cookie different from a third party?

My question is broken down into 6 cases but the overall theme is, in each case: how does Apple’s latest ITP work in that case, and how does it actually block all cases of potentially malicious tracking (to the point where a well-funded company can’t just do the workarounds above) while at the same time allowing legitimate use cases?
[1] https://webkit.org/blog/9521/intelligent-tracking-prevention-2-3/
I am not sure if the below answers are correct, please comment if they are not:
1. It seems applications can use localStorage with no problem, up to 7 days. But it won’t be persisted across multiple enclosing domains. I would even recommend using sessionStorage, since the goal is just to have nothing more than a seamless session. You can then roll your own cookie mechanism using a different set of headers, the only thing you can’t implement is http-only cookies.
2. They can, but ITP won’t let the JavaScript on the enclosing page store cookies (at least, not if your third party domain was flagged as a tracker by Safari).
3. Yeah, the description of “link decoration” technically doesn’t mention this workaround, but probably Apple has or will update its classifier to handle this workaround.
4. Yes, if a first-party webpage will send a request to the server and it sets a cookie in the response headers, then these aren’t blocked by ITP, even if it has an iframe to a tracking site. They say that’s not their goal.
5. Yes, in fact your first-party site can just let your site redirect to google.com and back quickly (like with oAuth) and thereby inform Google of whatever you wanted, without cookies. Google’s JavaScript can do this as well, if you allow it. Then the JavaScript can just load your google-hosted subdomain in an iframe and set a cookie that persists for years, tracking the user. However, ITP 2.3 seems to have also added mitigation to this, so you might use A records instead? https://cookiesaver.io/archives/analytics-guides/cname-cloaking-mitigation-eliminates-safari-itp-workarounds/
6. Probably the StackExchange network uses a version of #5

Reliability of creating and setting a cookie in GTM based on whether a user visits different pages?

We have two separate websites on different domains and want to track whether a user is a visitor/member to one via a cookie, so we can use that to influence their experience on the other site. Currently, I have GTM setting a cookie based on whether the user has visited certain pages, but I'm tracking the effectiveness of this with a combination of events in GTM and Google Analytics and there looks like a 10% error. I'm fairly new to both GA and GTM so it could be either errors on GTM's side or GA's side. I was wondering if anyone had any experience with setting cookies in GTM and if you think this is a safe way to set the cookie?
The reliability of a cookie set by GTM is not a question.
The real question here is how you conduct your analysis, plus how you expect the said cookies to work.
Cookies are useless across top-level domains for this purpose, so if the cookies are set on one domain, they won't be seen on the other.
You're supposed to reset the cookie on every pageview to not lose the context of the visit.
In case you're measuring your tracking effectiveness against the access log, you have to keep in mind that quite a lot of people use adblockers. 10% of data loss due to adblockers sounds reasonable to me, in case you have a younger or more technically apt audience.
You may skip on edge cases when people visit site A from a normal source, then go to site B, so you set the cookie, but then they go back to site A from site B, and so you reset the cookie again.
I would suggest solving this either with referrer report in GA, or by joining the GTM tracking across the sites via GTM cross-domain linking and then analyzing unbroken user sessions, paying attention to the hostname dimension, and then building your analysis on top of that. If you need to track users being logged in on other site, you can then use a custom dimension for that.

GDPR - Analytics : User consent before any tracking?

I have a very specific question about G. Analytics and the GDPR law.
I've read many topics about this, but answers are sometimes contradictory. I would love to have an answer from a G.A. expert or a lawyer.
The GDPR law indicates that we must obtain the user's consent before data processing; so for me, it would suggest that we must deactivate G.A. tracking as long as the user doesn't opt in to that processing.
If I do so: I refresh the page when the user has opted in, so the data collection can begin. Problem doing that: we lose the referrer param (since we do a JS refresh, this param is lost: the referrer will be the current page).
Other questions:
If I activated IP anonymisation on G.A.: must I obtain the user's consent or can I send the data by default (and offer the possibility to the user to opt out)? (Many websites seem to have this process, but it seems contradictory with the user-consent obligation...) but this topic suggests proceeding like this.
Regarding cookie law: is it allowed to store in cookies the user client-id (that G.A. uses) without the user's consent? If not, how to work around this limitation, and use G.A. without allowing it to set cookies?
Is there a way to store user activity without sending it to G.A., and when the user opts in, send all that data?
Many thanks in advance !
Disclaimer: Not a lawyer
There are some cookies that can be set without consent (e.g. for security purposes, or perhaps even a preference for cookies). These are generally meant for essential purposes only and not for analytics, functional, or performance purposes.
However, if referrals are a critical part of how your website functions (say, for example, to process discounts if the visit came from a certain link), it might be considered essential. The lines are a bit blurry on what can be considered 'essential', and indeed 'legitimate interest' for non-essential functions.
If you visit websites and look in dev tools, cookies are there immediately even for websites that are showing a cookie consent banner.
-- As for non-cookie technical ways --
I do have a related question that is open to answers on whether non-cookie based tracking technologies fall into the scope of consent - you could potentially send information to the server-side.
You might also use a front-end framework to construct a Single Page Application (although you might not have the option in a company), so that the page is not actually reloaded on a consent click. The consent form can simply trigger a script to run / change a state variable so that information that was stored in JS as variables can now be written into cookies.
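
The no-reload approach described in this answer, sketched as an added example (not code from the answer or from Google Analytics): hits are held in memory with the referrer captured at first load and released only when the banner reports a choice. `ConsentGate`, `send` and the sample URL are assumed names and values.

```javascript
// Consent-gated analytics buffer. Illustrative names; `send` stands in for
// whatever function transmits a hit to the analytics backend.
class ConsentGate {
  constructor(send, initialReferrer) {
    this.send = send;
    this.referrer = initialReferrer; // captured once, before any consent click
    this.consent = null;             // null = undecided, then true or false
    this.pending = [];               // memory only: no cookie, no network call
  }

  // Record a hit; it leaves the page only if consent has been granted.
  track(event) {
    const hit = { ...event, referrer: this.referrer };
    if (this.consent === true) {
      this.send(hit);
      return "sent";
    }
    if (this.consent === false) return "dropped";
    this.pending.push(hit);
    return "queued";
  }

  // Called by the banner buttons. No reload, so the referrer is preserved.
  // Returns the number of held hits that were released.
  decide(granted) {
    this.consent = granted;
    const held = this.pending;
    this.pending = []; // on refusal the held hits are discarded unsent
    if (granted) held.forEach((h) => this.send(h));
    return granted ? held.length : 0;
  }
}
```

In a browser the second constructor argument would be `document.referrer` read at first load.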

Is the new cookie policy from 26 May 2011 enforced?

I know a new cookie law was suggested (see here). But did it ever become required? And what's the penalty for not complying?
We have placed cookies on your computer to help make this website better. You can change your cookie settings at any time. Otherwise, we'll assume you're OK to continue.
The ICO's website now shows that users must opt out, not opt in. The quote above shows how they have implemented it on their site.
This means that the best idea is probably to have a banner at the top of your site showing a similar message to theirs. If the user doesn't want to use cookies, they can disable them in the browser themselves. It's not up to the site owner to implement a cookie deletion policy, it would seem.

New EU Cookie law - how do I know if people have opted out?

According to new EU laws I have to ask my users to opt into having cookies installed on their computers.
So every time I want to set a cookie I have to see if the user has opted in and if they haven't I shouldn't set the cookie.
When they come to the website a popup will ask if they want to opt in. Should they click "no" I cannot put a cookie on their computer to say they've clicked no. How do I then know, as they go through the website, that they've clicked "no"?
Do I just have to show the popup every page they go to? Or store it in a session variable? (is using sessions still ok under the new law? I assume a cookie is set with the session key?).
Thanks
I'm not a lawyer but I've been reading up on this recently and it is quite clear under the new regulations not every cookie is considered equal and opting in is not required for all of them.
The regulations are most keen on ensuring that cookies that allow tracking of users' actions/data between websites must have an opt in; at the other extreme, cookies that contain no personal information and are, for example, only used for security on one particular site (like a session cookie) may not need permission at all.
The UK ICO website has some very clear pages & PDFs (including: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications.aspx) on the subject and is definitely worthwhile visiting.