Back in June I briefly covered some of the changes to Safari with the upcoming operating system updated Apple had planned for the fall of 2023. Now that these updates have come, I wanted to get a deeper look at some of the files and behavior of Safari’s Advanced Privacy Protection features. Just how does Advanced Privacy Protection defend users?
How often is Private Mode Used?
This is a metric that is hard to measure, but Jason Packer over at Quantable gave it a try. Based on his testing the amount varies by both industry, operating system and form factor, which I found rather interesting but generally falls between 5 and 10%. It’s worth a read to fully understand the methodology.
Now what is important to realize is that while Advanced Privacy Protection is enabled by default in Safari’s Private mode – users who enter settings can enable it for all browsing. Since this requires user action of modifying default behavior – I would guess that for most, this would only increase the possible impact by a percentage point or two but this is important as you can’t assume that because a user isn’t in Private Mode everything will work.
It’d be worth understanding the possible impact to your specific data set before panicking.
Link Tracking Protection
The behavior of Link Tracking Protection hasn’t changed from my summer review, and the list of name / value pairs removed from the URL remains consistent with my list of vendors from July. A raw GIT file of the parameters can be seen here.
The affected vendors and their clients should begin to notice the impact from these changes in their reporting as of mid-September, when the iOS OS upgrade was released.
Tracker Domains
Apple identifies 627 domains as trackers in the TRACKING_DOMAINS.wplist file. This is the file that Safari appears to be using to determine if a network request should be routed through it’s Private Relay feature.
There’s also a TRACKING_SUBNET.wplist file – which has entries for Adobe, Criteo and Google.
Tracker Blocking
The tracker blocking is where it gets interesting.
There is a file known as URL_FILTER.wplist which has over 3800 entries. Each entry looks at a specific request type, does a RegEx match, determines if the request is third-party, and if so, performs an action – typically blocking the request outright. Some of the Regex appears to apply to specific companies usage of these systems where other strings are more far reaching to all companies which use the platform.
If you ever wondered who’s using specific vendors you may find that information in this file.
There’s some platform specific impacts that are worth mentioning.
Tag Managers
The gang’s all here. There are entries for Google Tag Manager, Adobe, Ensighten, Segment and Tealium.
In general – under Advanced Privacy Protection you can expect your tag managers to be blocked from loading. By extension anything they load will also be blocked from loading. If you are loading items like Consent Managers via your Tag Manager, it may be worth re-evaluating that decision.
Analytics Platforms
43 Entries return when searching for Regex targeting Analytics platforms, and this includes items such as Adobe Analytics, Google Analytics, Mix Panel, Amplitude, Heap and Site Improve.
Depending on how your loading your analytics – you can expect Advanced Privacy Protection to prevent data collection by blocking the required scripts from loading. There is also regex to apply to various Beacons or noscript pixel solutions.
Optimization Platforms
But what about A/B testing? Platforms which handle this service are also impacted with entries existing for platforms such as: Visual Website Optimizer and Monetate,
It seems that currently most Optimization platforms are not yet impacted.
Other callouts
There’s a lot of entries in this file – but a few other big names jumped out at me as likely having issues such as HubSpot & Treasure Data.
Next Steps
It’s worth testing how your site performs when viewed with Advanced Privacy Protection. Ideally, your site still works as intended, but if your developers got “clever” or didn’t practice defensive coding to account for the possibility a service may be unavailable then you may have issues that need to be addressed.
In general you’d want to understand your specific risk of adverse customer experience, as well as determine how any services you leverage are impacted (blocked, restricted feature access, etc.). From there you’ll be able to determine if these services are critical, and if so – determine how you may need to adjust your site to work without them, or to adjust the delivery of those services to be more compatible with the restrictions of Advanced Privacy Protection.
Advanced Privacy Protection is in public availability now, and adoption will continue to grow for the next several months as Apple pushes these changes out to users devices.
One final note worth mentioning is – these files can be updated by Apple at any time. Renaming files/paths to get around the Regex is, at best, a limited time option and effort may be better spent learning how to work with the new restrictions, rather than around them given Apple’s track record of closing loopholes created by industry.