Bug 255450

Summary: ITP Bounce tracking defense not efficient enough
Product: WebKit
Reporter: webkit.gently881 <webkit.gently881>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: sihui_liu, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar
Version: Safari 16
Hardware: Mac (Apple Silicon)
OS: macOS 13

Description webkit.gently881@simplelogin.fr 2023-04-14 05:29:08 PDT
Hello,

I am contacting you because I noticed adtech companies selling their Safari deterministic cross-domain tracking capabilities, from Taboola some time ago (cf. this thread https://twitter.com/WolfieChristl/status/1356547088692240386) to First.id (cf. this thread https://twitter.com/pixeldetracking/status/1645123172671389696). When I noticed Taboola's tracking and read John Wilander's answer https://twitter.com/johnwilander/status/1356638414880215040, I assumed I was protected (and I remembered Criteo tried this a long time ago, without success).

But then, I noticed that Safari didn't flag first-id bounce tracking if the user only consulted one, two or three different websites using first-id.fr tracking. It wasn't until the fourth website that first-id.fr was flagged by ITP (cf. this thread https://twitter.com/pixeldetracking/status/1646816439486099463). And in some circumstances, Safari might not even flag the website after 4+ domains (first-id made this video to "prove" their tracking was efficient: https://www.youtube.com/watch?v=cDKc7xALi1w).

Here are a few of the websites with first-id tracking. Click on one of the website links (for the bounce tracker to be triggered, you have to consult 2 pages) and accept cookies if you see the consent pop-up (this pop-up might be dependent on you being in the European Union):
- allocine.fr
- marmiton.org
- liberation.fr
- aufeminin.com
- doctissimo.fr
- marieclaire.fr
- capital.fr
- jeuxvideo.com

Their website: https://www.first-id.fr/
As they are not the only ones (Taboola is using the same mechanism), I am afraid a few other adtech companies might also rely on this "ITP limitation".

ITP bounce tracking defense is working well if the user consults enough websites with the first-id.fr tracker included, but I would have assumed ITP was protecting me from their tracking even if I only consulted 2 different domains, hence this bug filing.

Thanks in advance
Comment 1 Radar WebKit Bug Importer 2023-04-14 16:46:36 PDT
<rdar://problem/108071412>
Comment 2 John Wilander 2023-04-14 16:52:51 PDT
Thanks for filing! Yes, there is a fan-out threshold for classification of a domain. We'll take your feedback into consideration.
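To make the fan-out threshold mentioned above concrete, here is an added toy model of bounce-tracking classification. It is not WebKit code and not the reporter's; it only illustrates the behaviour described in the report. The classifier records, per redirecting domain, the set of distinct sites a navigation bounced from, and flags the domain once that set reaches a threshold. The threshold of 4 is an assumption taken from the reporter's observation (flagged on the fourth site), not WebKit's actual parameter; `tracker.example` stands in for the redirecting tracker domain, the chains are constructed, and `registrable_domain` is a crude last-two-labels stand-in for public-suffix-list logic.

```python
from collections import defaultdict
from urllib.parse import urlsplit


def registrable_domain(url: str) -> str:
    """Crude eTLD+1 for the demo: the last two host labels.
    (Constructed helper; WebKit uses public-suffix-list logic instead.)"""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class FanOutClassifier:
    """Flags a domain once it has bounced the user across
    `fan_out_threshold` distinct sites (toy model of ITP's fan-out rule)."""

    def __init__(self, fan_out_threshold: int = 4) -> None:
        self.fan_out_threshold = fan_out_threshold
        # redirecting domain -> distinct sites the bounce started from
        self.sites_bounced_from: dict[str, set[str]] = defaultdict(set)
        self.flagged: set[str] = set()

    def observe_navigation(self, chain: list[str]) -> list[str]:
        """`chain` is one top-level navigation: the page the user was on,
        every redirect hop, and the final page. Returns domains newly flagged."""
        newly_flagged: list[str] = []
        origin_site = registrable_domain(chain[0])
        for hop in chain[1:-1]:  # only intermediate (bounce) hops count
            bouncer = registrable_domain(hop)
            if bouncer == origin_site:
                continue  # same-site redirect is not a cross-site bounce
            self.sites_bounced_from[bouncer].add(origin_site)
            reached = len(self.sites_bounced_from[bouncer]) >= self.fan_out_threshold
            if reached and bouncer not in self.flagged:
                self.flagged.add(bouncer)
                newly_flagged.append(bouncer)
        return newly_flagged


# Sites named in the report; the tracker domain and URL paths are constructed.
SITES = ["allocine.fr", "marmiton.org", "liberation.fr", "aufeminin.com",
         "doctissimo.fr", "marieclaire.fr", "capital.fr", "jeuxvideo.com"]
TRACKER = "tracker.example"


def bounce_chain(site: str) -> list[str]:
    """Page 1 on a site -> bounce through the tracker -> page 2 on the same site."""
    return [f"https://www.{site}/", f"https://{TRACKER}/bounce", f"https://www.{site}/article"]


def flagged_after_n_sites(sites: list[str], threshold: int):
    """Visit each site once (one bounce each); return the 1-based index of the
    visit at which the tracker got flagged, or None if it never was."""
    clf = FanOutClassifier(threshold)
    for n, site in enumerate(sites, start=1):
        if TRACKER in clf.observe_navigation(bounce_chain(site)):
            return n
    return None


if __name__ == "__main__":
    print("flagged after site #", flagged_after_n_sites(SITES, 4))
    print("three sites only:", flagged_after_n_sites(SITES[:3], 4))
    print("same site five times:", flagged_after_n_sites(["allocine.fr"] * 5, 4))
```

Repeated bounces from the same site never raise the fan-out count, which is exactly the gap the reporter describes: a user of only two or three participating sites stays below the threshold and is never flagged by this rule.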