[HN Gopher] iOS 17 automatically removes tracking parameters fro...
___________________________________________________________________
iOS 17 automatically removes tracking parameters from links you
click on
Author : belfalas
Score : 585 points
Date : 2023-06-08 15:51 UTC (7 hours ago)
(HTM) web link (9to5mac.com)
| NotYourLawyer wrote:
| I assume that everybody will now start implementing user-unique
| URLs to share like TikTok, instead of just tacking on parameters
| to a single canonical URL.
| paulddraper wrote:
| So.....now everyone encodes tracking parameters in the URL path?
|
| Yay!
| tinus_hn wrote:
| I hope the end result is not people encrypting the path and
| parameters so you can't manipulate it anymore.
| indymike wrote:
| Get ready for everything to be a redirect.
|
| mysite.com/aZdi
|
| instead of mysite.com/invitation/?uid=1234
| nwienert wrote:
| In the end most of these have to end up at some sort of public
| URL. Only truly closed platforms like FB could really work
| around this, but anything that ultimately has a public URL will
| be pretty easy to find.
| indymike wrote:
| Not really, any website can implement a url scheme that makes
| url params unneeded. You see this all the time with SEO
| friendly stuff where mysite.com/cool-product/details is
| displaying the same thing that
| mysite.com/product/?product_id=124&view=detail
|
| It's extra work, but it's not hard.
| nwienert wrote:
| I think you missed my point though, even with that it still
| stands
| Xenoamorphous wrote:
| Well Safari could remove the parameters on the fly before
| performing the redirect I guess?
| indymike wrote:
| Maybe. For the past few years I've had the pattern of making
| it so we can use permalinks that carry all the parameters in the
| database... so if you click on https://mysite.com/uDFOD it
| might display the same thing that
| https://mysite.com/products/really-cool-product/?lotsa=param...
| would, but there is nothing in the
| url that needs to be displayed. If your web app is hosting
| the redirect, you can just skip to C and respond with the
| correct body to the redirect url.
| betimsl wrote:
| Apple is killing it at the moment. Just wow and I hope they don't
| take away good features in the future.
| tyingq wrote:
| Interesting, as they have to be using some sort of blacklist,
| like "fbclid" and so on. I'm curious if there will be an
| escalation cat-and-mouse thing with less easily identifiable
| params, rotating names, etc.
| pantulis wrote:
| Will it remove Amazon referral trackers? That could destroy a
| publishing sub-industry in one fell swoop.
| wouldbecouldbe wrote:
| Can it cause issues with urls like /?p=:uuid? What logic are they
| using for stripping? Or invite links with tokens?
| graypegg wrote:
| Massively useful just because I do this manually already when
| sharing links.
|
| However, could become an arms race where we start putting
| correlation IDs in params named page= or video=.
| scrollaway wrote:
| TikTok already does the latter iirc.
| ilyt wrote:
| That's gonna be fun to debug when it will hit inevitable false
| positive
| WirelessGigabit wrote:
| Have you seen current applications like Reddit and YouTube? They
| all have their own 'share' menus which essentially bypass any
| protections put in place by iOS.
| anandnair wrote:
| I don't think there is a foolproof way to tackle this.
| v8xi wrote:
| If companies try to hash the direct and referral link into a
| single link (or use a redirect link), Apple could visit the
| site internally, return the actual, tracking-free webpage, and
| forward that to the user. This would mean the referral link is
| actually just tracking how many times Apple decodes it and
| would devalue the use of a referral link since it would just be
| reporting "how many times this link was forwarded" and not "how
| many times this link was clicked"
| jensensbutton wrote:
| That is a MUCH larger investment than shipping some client
| side code though.
| function_seven wrote:
| Yup. Same way Gmail neutered tracking pixels in emails back
| in the day. They open each one as soon as the email is
| received, rather than when the recipient opens it.
| polyomino wrote:
| Why do the people even want the internet anyways, they like
| getting everything from apple
| dinobones wrote:
| Yeah this is a very naive and somewhat potentially harmful
| measure. Think of all the old .asp and .php websites that
| basically route you to a page by just throwing a big old fat
| query string into the URL.
|
| The way this can be bypassed is:
|
| Before: mylink.mydomain?tracking_id=abc123
| After: mylink.mydomain/home/abc123/
|
| Yeah, it might wreck SEO. But if you're really trying to track
| users and see who clicked on your email or whatever, it's
| probably the case that you don't care about SEO in this
| specific case.
| ezfe wrote:
| It doesn't blanket-remove query parameters
| coldpie wrote:
| There is some kind of blanket-remove bug with bookmarks.
| Try bookmarking a URL with query parameters in Safari on
| iOS. I don't know if it happens with every URL, but with
| this one[1] specifically, it drops the query parameter from
| the bookmark. You have to go add it in manually by editing
| the bookmark afterwards. I wonder if it's motivated by the
| same kind of change as this article is about, or if it's a
| separate bug. (I haven't tested this recently, but it was
| true as of late last year.)
|
| [1] https://www.twintown.com/collections/acoustic-guitars?sort_b...
| LukeLambert wrote:
| That's likely due to the page having a canonical URL meta
| tag:
| <link rel="canonical" href="https://www.twintown.com/collections/acoustic-guitars"/>
| indymike wrote:
| It breaks the web. There are literally no real rules on how
| you use them, so you have a lot of things that will be
| confused with tracking (gclid,clickid,campaign, etc). Even
| stuff that was originally tracking gets re-used. I've
| worked on systems where utm_medium=web and
| utm_keyword=socks were used to literally query the landing
| page for the user and effectively were the U in URL.
| dinobones wrote:
| I mean presumably they have some decent heuristic for what
| are "user-identifiable" parameters.
|
| But I don't trust that heuristics works for every query
| parameter for every website on the internet.
|
| Here's one: Imagine you run a small website and send signup
| confirmation emails. Suddenly, 20-30% of your users can no
| longer complete signups and you have no idea why. Oh yeah,
| our URL is:
|
| mysite.foo/signup?uid=139191238123.
|
| And Apple filtered out the uid parameter.
| joenathanone wrote:
| This is exactly what I am afraid of, we use url query
| parameters heavily to prefill forms for our employees and
| clients, think online training and service agreements.
| This will break a lot of our operation.
| alvarezbjm-hn wrote:
| "This will break a lot of our operation"
|
| >> For safari users >> Until apple own the internet so
| the site is forced to adapt.
| narrator wrote:
| The net effect of this Apple "privacy" stuff is to make it very
| hard for small niche businesses with a limited budget to
| advertise effectively. There were tons of startup CPG brands like
| Dollar Shave Club that popped up during the great Facebook Ad
| bonanza of the mid 2010s when tracking worked. This privacy
| crusade has just essentially cemented the big brands who can
| afford to do poorly targeted ad campaigns like TV advertising.
| bamfly wrote:
| They can advertise _without_ tracking people. Maybe on websites
| the readers of which are a good fit for their products.
|
| One wonders how any product launched or small business survived
| prior to the current millennium.
| cynicalsecurity wrote:
| Honestly, I don't want any company to track me, neither big nor
| small.
| matheusmoreira wrote:
| Whatever. I don't want them tracking me for any reason. If that
| kills a bunch of startups so be it.
| hospitalJail wrote:
| This is barely privacy related, it's more like an anti-referral
| system.
| villgax wrote:
| Won't work with unique links like reddit or Instagram for
| content. Maybe just the share ID or device params might go
| acchow wrote:
| Too bad tiktok generates URLs not only from which content is
| being linked to, but also the user generating the link.
|
| And once the industry realized that users don't revolt at this
| privacy invasion, it has been spreading.
| jonas-w wrote:
| That's why I instantly put these links into a service like
| https://unshorten.me/ and then send/open them.
|
| I use urlchecker [0] for this on my phone and have it set as
| my "browser"; that way, every link I click on, I see a popup
| with the link and with one or two button presses I can remove
| the tracking parameters and/or unshorten it and then open it.
| Works like a charm. May be too much friction for some, but I
| like it.
|
| [0]
| https://www.f-droid.org/de/packages/com.trianguloy.urlchecke...
| pvo50555 wrote:
| [dead]
| wunderland wrote:
| I wonder if Apple uses any data from the Shortcuts app when
| deciding what features to build next
| andelink wrote:
| I also thought about this, because this is an exact shortcut I
| have already and use constantly, everywhere it is in my Share
| Sheet
| carvking wrote:
| Explain?
| Xenoamorphous wrote:
| You mean Apple is tracking their users behavior? Impossible!
| construct0 wrote:
| Good for PR, practically useless against tracking.
| pretext-1 wrote:
| It's not all or nothing. It _does_ improve privacy.
| tick_tock_tick wrote:
| I'd assume it hinders it actually. It doesn't accomplish
| anything and you can tell what additional information about
| the customer's device based on some parameters being stripped.
| dixie_land wrote:
| > As a partial mitigation, Apple is enabling an alternative way
| for advertisers to measure campaign success, with Private Click
| Measurement ad attribution now available in Safari Private
| Browsing mode. Private Click Measurement allows advertisers to
| track ad campaign conversion metrics, but does not reveal
| individual user activity.
|
| While as a consumer I do objectively like the privacy measures
| Apple is adding, at end of the day they're simply consolidating
| all tracking power to themselves.
| cmelbye wrote:
| Yeah whenever I see "Privacy" segments in their marketing, it's
| hard for me to avoid thinking of it as "Here's how our anti-
| competitive moat works."
| rodgerd wrote:
| Ah yes, the web which is dominated by _checks notes_ not-
| Chrome.
| X-Istence wrote:
| Private Click Measurement is a standard that Apple has proposed
| and is working with the W3C to standardize, as well as working
| with other browser manufacturers:
|
| https://webkit.org/blog/11529/introducing-private-click-meas...
| ilyt wrote:
| "Let's fight tracking by embedding tracking in the core of
| the browser" yeah, great idea.
|
| But I'm sure W3C will bend over as usual
| [deleted]
| wunderland wrote:
| I don't understand what's preventing me from manually
| removing these URL parameters as well, just like I currently
| do with UTM params when I copy/paste something into a chat
| app.
| ryandrake wrote:
| It's a convenience feature. Manually cutting parameters out
| of a huge URL is a pain, and this feature might help to
| remove that pain. Nothing stops users from continuing to do
| it manually when they cut and paste URLs.
| anamexis wrote:
| Nothing.
| capableweb wrote:
| It's about clicks instead of sharing it. So it'll strip it
| when you click it, instead of copying the link, pasting it,
| then stripping and hitting enter. Workflow optimization
| basically :)
|
| Also, more privacy by default seems like a good thing, not
| everyone understands URLs.
| samstave wrote:
| I would like this capability on any home router/cable-
| modem/FW
| bee_rider wrote:
| That would be neat. I suspect the browser and/or OS would
| have to be aware of it though, in order to cooperate, in
| which case why not just have the browser/OS implement it?
| cyral wrote:
| With HTTPS it cannot read the URL query params
| edgineer wrote:
| Not saying it's practical but you could add your own CA
| on each client device and the router MitMs.
|
| Or, e.g. you can set a flag when building Firefox that
| will store the secrets necessary to decrypt those
| packets, and the client sends the secrets to the router
| which sniffs and decrypts on the fly.
| throwaway290 wrote:
| I am guessing you never receive links?
| bmikaili wrote:
| [flagged]
| nicolaslem wrote:
| Ah yes, the AMP strategy.
| kergonath wrote:
| Exactly what people say they should have done with
| FaceTime, right? So, which one is it? Should they do it or
| should they not?
| candiodari wrote:
| If they were really working with standardization, they'd wait
| ...
| Someone wrote:
| Are there any examples of using that approach in the
| history of web browsers?
|
| I thought that mostly boiled down to _"IE/Netscape/Chrome/..."
| implements it, and if enough browsers
| implement it, we'll document it as standard"_
| jedberg wrote:
| No they wouldn't. I can't think of a single thing in any
| browser that was implemented _after_ a standard was
| created. It's always been driven by one browser just doing
| a thing, then other browsers do it slightly differently,
| then the standards body comes together and they settle on
| the-one-true-way and everyone updates their support to
| match the standard.
| mvonballmo wrote:
| It very much used to work like this, pretty much
| exclusively.
|
| More recently, though (especially, the last couple of
| years), browser vendors work very closely with standards
| groups, contributing there, and looking for feedback from
| other browser vendors. At least in the CSS and JS space,
| the extensions to those standards have proceeded largely
| as a group effort rather than as you described.
| mnw21cam wrote:
| > ... everyone updates their support to match the
| standard.
|
| Oh, the boundless optimism. How cute.
| jedberg wrote:
| Lol ok let me say "most everyone mostly matches the
| standard" :)
| reaperducer wrote:
| _Oh, the boundless optimism. How cute._
|
| Oh, pointless condescension on the internet. How cute.
| ArchOversight wrote:
| Wait until Google implements something and shoves it down
| everyone's throat in Chrome and then has all the Google
| fanboys claiming that it's the best thing since sliced bread
| and thus should get implemented by every other browser just
| because Google did it?
|
| That's how we ended up in the situation where Google
| shipped U2F, sites implemented their implementation and
| then when the standard WebAuthN was built it was not
| compatible so sites had to be updated to be standards
| compliant, and it took a while to do so.
|
| Or when Google added WebP without clear consensus. Or when
| they added FLoC or Topics API, or whatever else they have
| cooked up. Or things like WebUSB, WebMIDI and others?
|
| There's a glut of Chrome only sites out there, and it
| continues to grow as web developers test just on Chrome but
| not the other browser engines. It's turning into the next
| IE 6, I remember the time there were a lot of "Made for IE
| 6" logos and graphics on sites and they did not render well
| or at all in Netscape.
| bee_rider wrote:
| As much as the locking down of iOS is annoying for
| everybody technical, we should be somewhat thankful that
| Apple has ensured a large population of mobile safari
| users.
| MBCook wrote:
| Except in every thread about iOS or Safari are a ton of
| people crying for _real_ Chrome on iOS because Safari is
| the new IE 6 holding the web back by not implementing the
| new WebDogCam4 "standard" Google pushed out 2 days ago.
| freedomben wrote:
| Honest question: do you think Apple is holding back the
| web?
| michaelt wrote:
| The mention of "the new WebDogCam4 "standard" Google
| pushed out 2 days ago." didn't register as sarcasm with
| you, huh?
| AmenBreak wrote:
| Chrome is not "the web."
| pjmlp wrote:
| Apple is holding ChromeOS back, which is what the Web
| will turn into if Google has free rein.
| pjmlp wrote:
| Actually Chrome is the new IE.
|
| Many forget that Microsoft was introducing many
| incompatible standards, and only let IE stagnate after
| they won over Mozilla.
|
| Safari isn't the one turning the Web into ChromeOS.
| nwienert wrote:
| ^ This, 100%. Chrome is by far the bad actor, and not
| only that, Safari is arguably the better browser even if
| strictly looking at "support for web standards" (but in
| many other ways as well).
|
| The vitriolic hate it gets in many threads are completely
| misguided and likely the result of years-old opinions on
| it. In the last 3 years Safari dramatically accelerated
| development, leapfrogged Chrome in performance to a
| staggering degree, and basically became close to an ideal
| browser.
|
| And nearly every so-called standard people point to to
| "prove" Safari is lagging behind is almost always just
| something Chrome pushed out without any consensus.
|
| It's funny because I think the hate comes from Webkit
| being forced on iOS, but it often comes out as "Safari
| sucks it's the new IE" which is pretty much the opposite
| of true and undermines the point.
| roody15 wrote:
| Hmm I find browser plug-in support limited. Can safari
| run ublock origin?
| seba_dos1 wrote:
| Safari used to be "the new late-IE" a few years ago. It
| lagged significantly behind other browsers and it kept
| intentionally holding back support for open standards and
| codecs, forcing websites to make Safari-specific
| workarounds whenever you wanted to do basic things (I had
| to write scripts to transcode Vorbis to MP3 when
| deploying a web game just so it could have sounds on
| Safari, for example).
|
| These days Safari gets better indeed (though it's still
| a PITA in some areas), while Chrome is clearly "the new
| golden-days-IE" - which long-term is probably much worse
| than Safari could ever be.
| Taywee wrote:
| "dearth" means "lack" or "scarcity". I think it's the
| opposite of what you meant.
| ArchOversight wrote:
| You are correct. Edited and replaced the word with glut.
| Thank you!
| tantalic wrote:
| Becoming a standard requires independent, working
| implementations. So this is very much part of the process.
|
| https://www.w3.org/2021/Process-20211102/#implementation-exp....
| rektide wrote:
| It'll be interesting to see how this goes. Google and
| Mozilla+Meta each have competing standards.
|
| https://github.com/WICG/turtledove
|
| https://blog.mozilla.org/en/mozilla/privacy-preserving-attri...
|
| To my knowledge, Mozilla's design is the only one where
| someone other than the browser collects & reports on click
| activity, and with a fairly trustless anonymizing double
| blind strategy for those intermediaries.
| wunderland wrote:
| This is completely wrong. They are saying they only don't strip
| PCM parameters because these are anonymous and somewhat privacy
| preserving. Apple is still uninvolved in the link attribution
| or other tracking here.
| bradgessler wrote:
| This is a very important revelation for people to have: the
| deal with Apple is they have complete control over your
| identity and data. It's slightly better than the deal with
| Google, FB, & Microsoft where they both control and sell your
| data to the highest bidder.
|
| Apple's position on privacy is somewhat of an illusion and
| could disappear whenever they decide. Remember the CSAM
| debacle?
| https://www.wired.com/story/apple-photo-scanning-csam-commun...
|
| I still think Apple is doing the best in the marketplace with
| respect to security and privacy, but if we're being honest
| they're playing the role of benevolent dictator.
| lanza wrote:
| > Google, FB, & Microsoft where they both control and sell
| your data to the highest bidder.
|
| Can we please keep this nonsense to lower quality sites like
| reddit? I like to pretend hacker news hasn't degraded this
| far yet.
| ilyt wrote:
| Ad networks are running realtime bidding for ad space
| already in case you didn't know.
|
| At the very least Google and FB got punished for doing that
| already in the past
| HDThoreaun wrote:
| While not technically correct "sell your data to the
| highest bidder" is close enough to what Google and FB are
| doing, and the distinction is irrelevant for most people.
| HWR_14 wrote:
| Remember that Apple's "debacle" there was to comply with US
| law. Their issue was that (at the time) they were responsible
| for encrypted data backup's contents. So they could either
| scan on your device before backing up, or scan on the cloud.
| Scanning on your device, while it sounds scarier, actually
| offered more privacy protections, because otherwise their
| cloud needed to see your unencrypted data. And it only
| scanned on your device if you wanted to move things to the
| cloud.
| sneak wrote:
| This is false. Apple already scans everything on iCloud for
| banned material serverside, as iCloud Photos and iMessage
| are, for most people, not e2ee, and never will be so long
| as e2ee is opt-in.
|
| Even if you enable the e2ee features rolled out in the last
| 12 months, your iMessages are still not e2ee unless all of
| your conversation partners have as well.
|
| Also there is no US law demanding scanning of user data,
| your opening assertion refers to nonexistent requirements.
| shuckles wrote:
| Basically every claim in your comment is wrong:
|
| * iCloud Photo Library was not scanned for CSAM content
| at the time of the announcement, which Apple confirmed at
| the time.
|
| * iMessage E2E encryption is not opt-in. There isn't even
| an opt-out.
|
| * The "E2EE features" you might be referring to is
| Advanced Data Protection for iCloud Backups, which is not
| related to the iMessage protocol at all. You don't have
| any guarantees about what your recipients are doing with
| the data you send them, ever.
|
| There is US law which is ambiguous about the requirement
| on data providers to check content for CSAM material,
| which many have interpreted to require a check. This is
| why every other major cloud provider does scan for the
| content.
| astrange wrote:
| It's more about proposed EU laws than US laws.
| GoofballJones wrote:
| The thing is, the terms-of-service they give you that you
| agree to. That thing everyone skips. In it, Apple
| specifically says they don't track you or sell your data (but
| as you say, that could change). This is why when they do have
| any breach of that agreement...like when they said that some
| humans listen to Siri requests to make sure it's being
| accurate, they were sued for it. People hold their feet to
| the fire over anything they may flub. And since Apple doubles
| down on saying they're the best at privacy, more and more
| people are chomping at the bit to sue them or call them out
| on it. They have to tread carefully.
|
| Google and Microsoft on the other hand blatantly say "yeah,
| we look over your shoulder at everything you do on the
| Internet...you know, to "help" you find what you're looking
| for or to feed more of it to you. And also, our advertisers
| would be very interested too". I mean, read THEIR TOS and
| marvel at it.
| AnonCoward42 wrote:
| Of all of them isn't Google the only one that is actually
| incentivized to keep the data they get on you to
| themselves, because of their business model? It sounds bad
| for Google when they sell their data to others, so they'd
| feed a competitor for personalized ads. I might be wrong
| tho.
|
| It's obvious, but I want to make clear, that this doesn't
| make Google less scary or more trustworthy. Avoiding Google
| is still advised imo.
|
| edit: replace "private" with "to themselves"
| spogbiper wrote:
| Right as I understand it at least. Google's business
| model has never been to sell your data, despite how
| persistent that idea seems to be. Your data is Google's
| most valuable resource and they should be extremely
| motivated to protect it.
| onlyrealcuzzo wrote:
| Google doesn't sell your data.
|
| It allows advertisers to bid on you.
|
| Apple will do the same thing.
| ShaunK wrote:
| Apple already does the same thing. Apple Search Ads is not
| limited to the same restrictions that Facebook and Google
| are with regards to iOS tracking and reporting for
| advertising attribution.
| ec109685 wrote:
| Google also collects your data outside Google owned
| experiences.
| onlyrealcuzzo wrote:
| So does Apple now.
|
| What's your point?
| ActorNightly wrote:
| Sending your data to Apple is not privacy.
| tibbon wrote:
| Good. I wish the internet would go the way of the Gemini Project
| and, by default have privacy-centric behavior. I'm tired of every
| company thinking I want to be tracked; I do not. I want simple
| services that do the thing I ask them to do and no more.
| nottorp wrote:
| So can I configure Safari to do this all the time, not only in
| private browsing?
|
| And especially when I copy links out of it to share with people.
| PaulHoule wrote:
| ... I built that into my RSS reader
| sir_brickalot wrote:
| Question:
|
| When I click in my Gmail android app on a link from a received
| E-Mail, the opened Firefox browser opens a google domain for a
| second and only after that the domain from the link opens... any
| idea what that is? Tracking?
| jeffbee wrote:
| Google bounces all URLs through a redirector which strips
| referrer information and also allows them to warn about malware
| sites that were identified after the message itself was
| classified and delivered.
| sir_brickalot wrote:
| I would like to test that but when clicking different links I
| get mixed results. The URLs get modified alright but a lot of
| referrer info seems to not get removed.
|
| I guess it's just Google collecting one more metric.
| Szpadel wrote:
| I think this is to remove real referer url from header, as this
| behavior is also present when you use web version of Gmail.
|
| but with that solution tracking is also possible
| [deleted]
| xahrepap wrote:
| It's for security. Checking against a list of banned URLs, etc.
| When you have user-submitted content, protecting your users
| from bad URLs is important.
|
| Also, I'm sure they're doing plenty of click tracking too :)
| justinator wrote:
| The affiliate program I use also allows you to create affiliate
| links with a link shortener.
| detrites wrote:
| Reframed: "iOS 17 arbitrarily modifies links you click on".
| creddit wrote:
| Absolutely wild to me that anyone is in favor of this for
| exactly this reason.
|
| If a user chooses to do this, more power to them. If my OS does
| this by default, it's an insane invasion of my use.
| hamhamed wrote:
| We work in the affiliate business and this has the potential to
| completely destroy the business model. Many of our partners rely
| on affiliate money to make ends meet, it is what powers most
| content creators.
|
| Safari is planning to use ML to detect click_id type of query
| parameters and strip that from URLs. That's just poor execution
| and business destroying. PCM restrictions are horrible too.. we
| have to design the link so it stays within safari's specs:
|
| > With an ad-click, an 8-bit ID can be transmitted (a number
| between 0 and 255, i.e. 256 possible values / campaigns) - per
| domain
|
| > For a conversion, a 4-bit ID is transmitted (a number
| between 00 and 15, i.e. 16 different types of conversion) - per
| domain
|
| Not to mention Chrome and Firefox have other ideas, each different
| on how their PCM will be integrated. Other than the mega corps,
| no one is benefitting from this privacy enhancement. Just more
| work to adapt.
| bamfly wrote:
| > Other than the mega corps, no one is benefitting from this
| privacy enhancement. Just more work to adapt.
|
| One time I was talking to a real estate agent, shortly after
| some of the post-'08-meltdown regulations had gone into effect.
| She said something like:
|
| "It makes it so appraisers can't fudge the numbers a little
| higher to make sure people get their loans, now. Which I know
| wasn't what they intended, but it's what they've done, and it's
| hurting people."
|
| She thought one of the things the regulation was _definitely
| supposed to do_, entirely on purpose, was some accident, and
| that this thing happening before that _was not OK_ and was,
| over many iterations, partially responsible for the housing
| bubble happening in the first place, was in fact fine. She was
| totally unable to grasp that this behavior was _bad_ and that
| the regulation was _supposed_ to stop it, and that that was
| _definitely a good thing_ --but it was making it harder for her
| and her banker(!) husband to close deals and sell loans, that
| is, to make money, so _surely_ it can't actually be a good
| idea and overall beneficial to lots and lots of people.
| moneywoes wrote:
| Is affiliate just url parameters?
|
| Is there no other way to measure?
| nicbou wrote:
| Yeah, I make money from affiliate links. That's how I can work
| full time making completely free content. Many of my partners
| use Google Analytics and already struggle to track leads. This
| won't help.
| bombcar wrote:
| Can't the tracking information just be stuck in the actual URL
| itself? Even in the domain name? So instead of
| amazon.de/product?affilate=hamhamed it would be something like
| hamhamed.amazon.de/product?
|
| And if that won't work, just encode the entire url as
| amazon.de/2ec1a277-0c96-40d3-8fe1-e418fd82986d
| polyomino wrote:
| Caching becomes more challenging, but you could
| theoretically decode the scheme at the cdn
| dorianmariefr wrote:
| Stack Overflow has links with user id, I think this will
| continue to work
| https://stackoverflow.com/a/70506056/12544391
| Maxburn wrote:
| All the little things like this that keep getting added are why I
| switched back to iphone.
| cj wrote:
| Google Ads sent an email out to advertisers (a few days ago I
| think) introducing their workaround.
|
| Normally clicks have a "gclid" query param. Google is introducing
| 2 new query params to somehow attribute clicks using modeling +
| machine learning (somehow).
|
| Edit: here's a detailed description of how Google is attempting
| to track conversions using machine learning. I have no idea how
| this could possibly work without some kind of fingerprinting or
| user profiling or IP address. Almost feels like "modeled
| conversions" powered by ML is a way to do fingerprinting without
| explicitly having an algorithm that blatantly uses
| fingerprinting.
|
| https://support.google.com/analytics/answer/10710245?sjid=85...
|
| Edit 2: The new query params are "gbraid" and "wbraid". Googling
| those turns up more details.
| suavesito wrote:
| It is not a work around in the sense that they will be able to
| track you, they won't.
|
| What Google tells them is that _if_ they use Analytics 4, they can
| use modelling to give attribution of conversion. In this case,
| attribution means not fingerprinting but percentage of people
| that were converted thanks to Ads. For other analytic engines
| they set the fields as 'not set'.
|
| They say that in their models they aggregate data as geo, IP,
| and others and they won't give the fingerprinting data. The
| only problem is that they don't give details on the privacy
| preservation of their ML models. This means that if they fuck
| it up and give too much information, someone could try to
| reverse the aggregation (like doing a deconvolution) and do
| some fingerprinting.
| mrtksn wrote:
| Isn't this a cat and a mouse game? The moment this actually starts
| causing problems they will change how parameters work. Maybe the
| easiest would be to use a single encoded parameter which would be
| decoded on the server and Apple or anyone else won't be able to
| change a thing about it.
|
| This is a MITM attack where Apple plays the good guy (or control
| freak, depending on how you feel about it) but MITM attacks are
| nothing new.
| ezfe wrote:
| Apple is pushing PCM (private click measurement) as a middle
| safe ground, but nobody would adopt it if more invasive and
| accurate measures continued working.
|
| They're probably hoping that advertisers will retreat to PCM
| instead of continuing the cat and mouse game.
|
| PCM is an in-progress standard that, at a high level, allows
| measuring ad campaign success without tracking individual
| users. No such restrictions apply to query parameters, of
| course - so PCM is inherently more private.
| dazbradbury wrote:
| Agreed. More simply, couldn't any ad tracker just have a dynamic
| parameter name so it's impossible to distinguish between a
| parameter required to run the site and a parameter used for
| tracking?
|
| Or is this feature more advanced than just stripping known
| tracking parameter keys?
| josephcsible wrote:
| Didn't Facebook already start doing exactly that?
| https://news.ycombinator.com/item?id=32129100
| akavi wrote:
| I believe TikTok basically does that already.
| partiallypro wrote:
| How does it determine what is a tracking parameter? You can often
| pass a string along in the URL because you're trying to call a
| function or pass simple data between pages.
| ryneandal wrote:
| The lowest-hanging fruit would be nuking any UTM-related
| tracking parameters
| (https://en.wikipedia.org/wiki/UTM_parameters). I'm sure the
| solution is sophisticated beyond simply handling these, though.
| GordonS wrote:
| Right... but Google and Microsoft already let you customise
| the names of query parameters containing tracking information
| - I can call the Google Click ID parameter "dave" if I want
| to.
| rjmunro wrote:
| Or maybe it's a recover password link that you've been emailed,
| with an auth token.
| jackdh wrote:
| Exactly what I was thinking, I've had false positives from
| uBlock thinking anything with /tracking/ in the URL was
| telemetry (when it could for instance be tracking of postal
| goods).
|
| Unless they keep an up-to-date list of known tracking
| parameters I assume this will just become a cat and mouse game
| or advertisers will find other ways to obfuscate the tracking.
| ljm wrote:
| It'll always be a cat and mouse game but I imagine that, even
| if they simply strip out utm_x parameters from the URL, there
| are enough websites out there that won't update their Google
| analytics script to work around it.
| hooverd wrote:
| Is there a way to accomplish this on Android?
| ezekg wrote:
| So does this mean that something like
| example.com/password-reset?token_id=2h2GV4nhySERT9pJ may get the
| random token stripped?
|
| I don't understand how you can have a heuristic that doesn't
| break things.
| Sohcahtoa82 wrote:
| I use an addon called NeatURL that strips out tracking
| parameters.
|
| It has a specific blacklist of parameters to strip. In the
| several years I've been using it, I've only had two websites
| break from it, both being legit surveys that I needed to take.
| pretext-1 wrote:
| I assume it only blocks known tracking. Using lists, similar to
| how content/ad blockers work.
| GordonS wrote:
| That wouldn't work - people would just start giving their
| query parameters different names, e.g. instead of "gclid", it
| might be "dave".
| mostlysimilar wrote:
| I use a Firefox extension for this same purpose. They maintain
| a large database of known tracker parameters and strip them.
| This means occasionally a new or unknown one slips through the
| cracks, but overall is very effective.
| agotterer wrote:
| Won't the tracking companies work around this by providing
| each account their own set of unique obfuscated tracking
| names and keywords that get mapped back behind the scenes?
| Impossible to build a database that way.
| AviationAtom wrote:
| They already somewhat have.
|
| View the demo in normal mode at https://fingerprint.com/
| and then open it again in Incognito
| EscapeFromNY wrote:
| Probably one day, yes. And then the cat and mouse game will
| continue.
| flangola7 wrote:
| Not one day. Facebook started this practice a year ago.
| throwaway290 wrote:
| Or simply generate a whole new URL with a UUID for every
| share.
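
The comments above describe list-based stripping (NeatURL's blacklist, the Firefox extension's database), worry about password-reset tokens being removed, and point out that a renamed parameter ("dave") gets past any list. The sketch below is an added example, not code from Safari, NeatURL or any commenter; the blocklist holds only the names mentioned in this thread, and the sample URLs are constructed. It edits the raw query string instead of re-serializing it, so parameters that are kept (tokens, signatures) stay byte-for-byte identical.

```javascript
// Constructed blocklist: only parameter names mentioned in this thread.
const EXACT_KEYS = new Set(["gclid", "gbraid", "wbraid"]);
const KEY_PREFIXES = ["utm_"];

// Decide whether a raw (still percent-encoded) parameter name is on the list.
function isTrackingKey(rawKey) {
  let key;
  try {
    key = decodeURIComponent(rawKey.replace(/\+/g, " "));
  } catch {
    return false; // malformed escape: keep the parameter rather than guess
  }
  key = key.toLowerCase();
  return EXACT_KEYS.has(key) || KEY_PREFIXES.some((p) => key.startsWith(p));
}

// Returns { url, removed }. Anything that is not an absolute http(s) URL
// is handed back untouched.
function stripTracking(input) {
  const untouched = { url: input, removed: [] };
  try {
    const { protocol } = new URL(input);
    if (protocol !== "http:" && protocol !== "https:") return untouched;
  } catch {
    return untouched; // not parseable as an absolute URL
  }

  // Split by hand: fragment first, then query. Kept segments are never
  // decoded and re-encoded, so "%2B", "+" and "%20" survive as written.
  const hashAt = input.indexOf("#");
  const fragment = hashAt === -1 ? "" : input.slice(hashAt);
  const beforeHash = hashAt === -1 ? input : input.slice(0, hashAt);
  const queryAt = beforeHash.indexOf("?");
  if (queryAt === -1) return untouched;

  const removed = [];
  const kept = beforeHash
    .slice(queryAt + 1)
    .split("&")
    .filter((pair) => {
      const rawKey = pair.split("=", 1)[0];
      if (!isTrackingKey(rawKey)) return true;
      removed.push(rawKey);
      return false;
    });

  const query = kept.length ? "?" + kept.join("&") : "";
  return { url: beforeHash.slice(0, queryAt) + query + fragment, removed };
}

// Constructed sample URLs covering the cases raised in the thread.
const SAMPLES = [
  "https://shop.example/item?id=42&utm_source=news&GCLID=abc123&view=detail#reviews",
  "https://example.com/password-reset?token_id=2h2GV4nhySERT9pJ", // must survive
  "https://shop.example/item?dave=abc123", // renamed click ID: not detected
  "https://example.com/cb?sig=a%2Bb%20c&utm_medium=email", // signature bytes kept
];
for (const s of SAMPLES) {
  const { url, removed } = stripTracking(s);
  console.log(`${s}\n  -> ${url}  (removed: ${removed.join(", ") || "none"})`);
}
```

The third sample passes through unchanged, which is the limit raised above: a name-based list cannot tell an unknown tracking ID from a functional parameter.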
| lapcat wrote:
| In my testing, the tracking parameter removal in Safari 17 seems
| very limited. It'll be interesting to see if this turns up in the
| WebKit open source, to see how it's implemented.
| andy_xor_andrew wrote:
| My favorite part about this is how it basically forces services
| to accept this as a functional scenario.
|
| If it were UBlock Origin doing this, sites could just say "Sorry,
| we don't support this, your addin is breaking everything, please
| turn it off."
|
| But when Apple does something, there's no room for conversation.
| Sites can't say "Sorry, we don't work on iPhones." For better or
| worse, what Apple decides becomes acceptable. In this case for
| better.
| reaperducer wrote:
| _But when Apple does something, there's no room for
| conversation. Sites can't say "Sorry, we don't work on
| iPhones."_
|
| Absolutely. There was no shortage of Windows-centric corporate
| IT departments that swore that they'd never support Apple
| products.
|
| Then iPhones started showing up in boardrooms, and they quickly
| changed their tune.
|
| I brought my iPhone to work shortly after launch and showed it
| to curious coworkers. The head of IT for that particular
| multinational corp said it was garbage and would never be
| allowed on his network. "Apple is crapple" was his favorite
| phrase.
|
| A few months later he got to peddle his anti-Apple mantra on
| the unemployment line.
| vxNsr wrote:
| Wow, are you seriously crowing about someone getting fired
| for not liking a particular company?
| bilbo0s wrote:
| In fairness to the people who fired him, fanboy-ism has no
| place in the dispassionate decision making process of a
| professional. You have to have people around who are making
| decisions based on realities and not mantras or you're going
| to lose money.
|
| If he wants a job where fanboy-ism can be helpful in climbing
| the ladder, he should try politics or something like that.
| Where all the money on the line belongs to other people. So
| no one really works to protect any of it.
| jejeyyy77 wrote:
| Well, actually this might break a significant portion of the
| internet/websites for iPhone users.
| humbleharbinger wrote:
| I wonder can they tell the difference between tracking params
| and good old unobtrusive query params?
| thomaslord wrote:
| Ultimately I don't think they can. How would they handle a
| link like `https://example.com/password_reset?prid=ZXhhbXBsZWNsaWNraWQ`?
|
| I'm sure somebody will figure out a way to use multiple
| seemingly-legitimate parameters to get the same result. Why
| use ?click_id=aqNERjsdfyqe when you can use
| ?category=10612550&subcategory=5929127&page=4257344 and
| transfer the same data without arousing suspicion?
| ok_dad wrote:
| Turn on iCloud private internet (Apple's VPN) and Google will
| make you do captchas all day long whenever they feel like it. I
| use DDG now, but Google really wants to track you.
| memco wrote:
| > My favorite part about this is how it basically forces
| services to accept this as a functional scenario.
|
| Maybe some services will accept it, but others will not. When I
| tried to sign in to Microsoft Teams from Safari yesterday it
| presented a screen that said that Teams will only load on
| Safari if I disable tracking prevention for the Teams site. So
| unless users put additional pressures on services to offer
| support for Apple those services may just force users to accept
| tracking one way or another: either by disabling Safari's
| mitigations or using an alternative client that does not use
| such mitigations.
| shepherdjerred wrote:
| A lot of the conversation here seems to be that you can't trust
| Apple, or that Apple is doing something user hostile.
|
| I don't get it.
|
| What's the alternative? Most people with a phone are going to be
| using iOS or Android. Those are the two options. Apple has the
| chance to improve data privacy, and they've done it. Android
| (essentially, Google) is certainly _not_ going to take such
| action.
|
| Apple could always use this to their advantage, or double-back on
| it. Who cares? They've moved the needle in a positive direction,
| that's all that should matter.
| kergonath wrote:
| > I don't get it.
|
| It's Apple. There is nothing else to understand. Just because
| of who they are, some people will claim it will change the
| world and some people will claim it's bullshit or not working
| or evil. There are many more of the latter and they are quite
| annoying, but the best that can be done is ignore them.
|
| > They've moved the needle in a positive direction, that's all
| that should matter.
|
| Some people cannot seem to understand that a company whose
| interests align with those of the consumers, however
| imperfectly, is better than a company whose policy relies only
| on ideology. Then you have the contrarians who will claim that
| they are lying and black is white anyway.
| Waterluvian wrote:
| I think it's completely healthy to remain skeptical of a
| massive corporation. But that doesn't mean we have to be tribal
| about it. I dunno. Sometimes I wonder if it's just
| intellectually less exhausting to "black and whiteify"
| everything rather than explore the nuances of a corporation
| doing stuff that we sometimes benefit from.
|
| We should remain skeptical and scrutinize and shape their
| actions through consumer feedback.
| lanza wrote:
| > Apple could always use this to their advantage, or double-
| back on it. Who cares? They've moved the needle in a positive
| direction, that's all that should matter.
|
| Because all of business history has told us that the market
| dominant company strong-arming its opposition has never worked
| out for the consumer.
| Calvin02 wrote:
| > They've moved the needle in a positive direction
|
| They've moved the needle towards building their ads business.
| As hardware refresh cycles become longer, Apple is moving
| towards other sources of revenue, including ads.
|
| These changes, while positioned as Privacy, give them a huge
| moat and in the end, harm consumers.
|
| Before these changes, if an app wanted to drive installs on
| iOS, they could choose FB or Google. Now, Apple is the only
| game in town and their cost-per-install are already exceeding
| FB's last published cost-per-install.
|
| The Apple consumers pay for this additional revenue to Apple.
| err4nt wrote:
| The hyperlink is the building block of the web - without links
| there is no web. Please just leave links alone. I don't
| particularly enjoy tracking any more than the next person, but
| don't automatically alter links people may be intentionally
| trying to access. I hope this is a feature that's disabled by
| default in the future even if it's offered for people to turn on
| and off any time.
| purpleblue wrote:
| I wonder what companies will do now, probably embed the tracking
| information within the URL without using parameters, like dynamic
| URLs that are unique to a particular user/cookie?
| williamcotton wrote:
| Catchall subdomains?
| jalgos_eminator wrote:
| I could see the writing on the wall. Offerup I think does this.
| If you click through an item in a search the URL has a UID in
| it. Then if you click on the seller and find the item from
| there, it's an integer (which is likely a database index).
| kitsunesoba wrote:
| There's not a whole lot that can be done to combat this, but I
| suppose Apple could do something like keep a database of known
| tracking URL patterns and when encountering such URLs,
| "unwrapping" them in an isolated background webview which is
| fully generic across machines and doesn't have the user's
| cookies or other data, which would limit the information
| gathered, and then finally passing the untracked URL back to
| the user's webview instance.
|
| EDIT: They could also do something similar to what they've done
| with Content Blocking Extensions, maybe call them "URL Cleaning
| Extensions", which allow third parties to maintain tracking URL
| pattern lists which Safari can then follow to do its
| unwrapping.
| Avamander wrote:
| Already ahead of you. They're already generating custom links
| with all the tracking parameters embedded. Tumblr, TikTok and
| Facebook have done it for a while now.
| est31 wrote:
| I often remove tracking parameters from URLs and I notice that
| some services/websites return an error if you visit it without
| a tracking parameter. If a service does this, Apple can't
| remove the tracking parameter from the URL any more.
| sergiotapia wrote:
| TikTok does this. If you share anything on TikTok, and someone
| clicks on the URL they get an alert "purpleblue shared this
| video with you!" and you can leak your private account to
| someone.
| graftak wrote:
| There is a TikTok setting to disable this. It still tracks
| you as the origin of the share action (naturally), but it's
| hidden from the receiver.
| matheusmoreira wrote:
| They're already doing it. I stopped clicking on links the
| second I realized this.
| ipsin wrote:
| Yeah, all you need is to encrypt the URL (which includes
| tracking query parameters), and then the URL you give out is
| the encrypted blob.
|
| When the web server gets a request, it can validate & decrypt,
| update any tracking values, and redirect to the real URL.
| altairprime wrote:
| Historical patterns with Mail.app on iOS suggest that Apple
| will simply code something that fetches all such links in
| order to collect a preview, whether or not the preview is
| ever shown to the user, just as they do with Mail.app images
| today when iCloud Private Relay is enabled. At which point
| the tracking value becomes less than zero, because it
| pollutes the core dataset attribution "a human saw this".
| hospitalJail wrote:
| Sounds great, I already use an addon to do this, but it's nice to
| fight against marketing whenever we can. Good to have more users
| doing this.
|
| The only negative I can see, is that this might long-term reduce
| functionality. I personally have a bad habit of passing data
| through URLs out of laziness/practicality.
|
| Real quick, could you not download an addon that did this before?
| If you could, this seems potentially malicious, need to keep
| everyone on the App store and hurt the web.
| cush wrote:
| > this might long-term reduce functionality... passing data
| through URLs
|
| Are you somehow passing the data within the tracking params?
| Don't worry, Apple isn't going to remove all QSPs. That would
| break the internet.
| spogbiper wrote:
| Your addon for this works because it's not widespread enough
| for the marketers to implement a workaround. Apple just changed
| that, so now the marketers _will_ find a new way and your addon
| won't be effective.
| Caligatio wrote:
| I use uBlock Origin on Firefox on Android with "Actually
| Legitimate URL Shortener Tool" added but am weirdly conflicted on
| this news. If a user opts to kneecap advertising, that is soundly
| within their rights. If a company does the same against another
| company's advertising as a part of their normal business, I feel
| like the user becomes a pawn in some corporate warfare strategy.
|
| Maybe it's because I think Apple is slowly building a parallel
| advertising ecosystem that is slightly less intrusive for users
| but massively more lucrative for themselves.
| wernercd wrote:
| "I feel like the user becomes a pawn"
|
| A company that makes a 30% cut on apps using customers as a
| pawn to make a worse browser experience pushing people into
| using app store apps?
|
| Nothing is "less intrusive"... it's simply Apple making sure
| they get a larger cut of a larger market.
|
| It's also why they enforce a shitty Safari unto their customers
| instead of allowing real browser choice. They are the new MS
| bundling shitty software to harm competitors and limit consumer
| choice.
| notaustinpowers wrote:
| Google also takes a 30% cut on apps. Microsoft takes 15% on
| Windows apps. Would that mean that Google and Microsoft are
| doing the same thing?
|
| And while Apple does require Google and Microsoft to use
| WebKit for their iOS browser apps, it's a rendering engine.
| And you can set Chrome/Edge as defaults on both iOS and
| macOS.
|
| Tell me how this limits real browser choice.
| cma wrote:
| > Tell me how this limits real browser choice.
|
| How does Mozilla implement extensions on iOS >_<? It is
| much more than the rendering engine they are forced to use.
| notaustinpowers wrote:
| Chrome doesn't even let you install extensions on
| Android. And for Firefox on Android it's a buggy
| workaround that doesn't even work half the time. This
| isn't just an Apple thing.
| yesbabyyes wrote:
| Wait, how is Firefox for Android a buggy workaround? I
| use it exclusively, with uBlock Origin, and it works
| great, every single time.
| notaustinpowers wrote:
| That's one extension, there are thousands that may or may
| not work. It was buggy the way Firefox used to handle
| extensions. The current Firefox extensions are ones that
| are made specifically for Firefox on Android, they're not
| direct extensions for the Chromium browser. It's another
| silo'd set of extensions separate from Chrome.
|
| So iOS allows extensions only for Safari from the App
| Store. Android Chrome doesn't allow extensions at all.
| Android Firefox allows some extensions that were made for
| Firefox on Android.
| scarface_74 wrote:
| It came out in the Epic trial that 80% of App Store revenue
| comes from games. They would never be in the browser anyway.
|
| Then most other apps that could just be websites don't
| monetize through the App Store.
| can16358p wrote:
| Shitty is subjective. I'd personally pick Safari hands down
| over Chrome or Firefox or anything else.
|
| Also many other companies follow a similar pattern, if not
| worse.
| matheusmoreira wrote:
| I have no problems with corporations eating each other alive as
| long as the end result is less surveillance capitalism.
| skrowl wrote:
| [dead]
| glanzwulf wrote:
| > I use uBlock Origin on Firefox on Android with "Actually
| Legitimate URL Shortener Tool" added
|
| That's the problem. This is too complicated/too much trouble
| for the end user who just uses his iPhone via Safari. Do they
| want the privacy and all that? Yes, will they go out of their way
| with all that trouble? No.
|
| While you're not wrong that it's a company A fighting company B
| with users as pawns, it still is a win for the normal end user.
| TechBro8615 wrote:
| If there are two warring corporations, and one of them has a
| warfare strategy based on selling its customers tools to
| prevent the other corporation from tracking their content
| consumption, then sign me up for battle. I know which
| corporation I want to support.
| hospitalJail wrote:
| False dichotomy
| TechBro8615 wrote:
| Why?
| woah wrote:
| They are both corporations. There can be no ethical
| consumption under capitalism.
| astrange wrote:
| Capitalism isn't the only economic system with
| corporations.
| TechBro8615 wrote:
| Strawman
| fooker wrote:
| brave new world indeed
| e44858 wrote:
| Apple sells ads, so they're financially motivated to
| track you just like the other ad companies. They might
| promise to not track us, but unless they're audited by a
| 3rd party, we can't assume they're telling the truth.
| HWR_14 wrote:
| AFAIK, Apple only sells ads within their own products.
| Meanwhile, I trust a company with $2.8T to lose more than
| almost any other actor to abide by the letter of their
| agreements.
| chongli wrote:
| Don't blame me! I voted for Kodos!
| highwaylights wrote:
| Good grief this was well done. Bravo to you!
| _the_inflator wrote:
| I agree.
|
| And in the end they are manipulating links. While no advocate
| for ads, this has implications on the freedom of the internet.
| dev_tty01 wrote:
| No, they are allowing users to manipulate links. Also, this
| only happens in Private Browsing mode.
| artificial wrote:
| Browsers are/were User Agents. The focus should be on
| maximizing that experience across the board.
| kergonath wrote:
| > If a user opts to kneecap advertising, that is soundly within
| their rights.
|
| If it is a switch somewhere with the user actually getting a
| choice, then it is the user choosing it and Apple is just
| providing a means to do it. Exactly like when the user chooses
| to install an extension, except that this is much easier, and
| therefore much more likely to be used because users _hate
| tracking_. This is well documented.
| shockeychap wrote:
| > Maybe it's because I think Apple is slowly building a
| parallel advertising ecosystem that is slightly less intrusive
| for users but massively more lucrative for themselves.
|
| No. It's probably just because Apple is slowly building a
| parallel advertising ecosystem that is slightly less intrusive
| for users but massively more lucrative for themselves.
| bamfly wrote:
| Nah. This is like popup blocking: it should be standard and on
| by default in every browser, with an option to turn it off if
| you don't want it.
| aspyct wrote:
| Oh, that would explain why some of my users suddenly can't access
| URLs that worked forever.
|
| I send those URLs through facebook messenger, which adds its
| 'fbclickid' nonsense to them.
|
| I don't care for that tracking information, however it seems the
| URL becomes malformed after iOS "cleans" it, resulting in a
| redirect loop on my server.
|
| When was iOS 17 released?
|
| EDIT: Oh, never mind, it's not released yet. Must be something
| else then... I blame facebook
| poglet wrote:
| It was released 2 days ago in a public beta.
| ActualHacker wrote:
| And the walls around the Spaceship are raised another few inches
| EGreg wrote:
| Wait what??
|
| So now if there is a link to, say, mysite.com/f/ajdheke and the
| last part is different for each user, and I choose to send this
| link to a friend, then the friend will get mysite.com/f ?
| Breaking the site?
|
| Apple is going too far with this. Cookies are one thing, but how
| are people supposed to confirm email addresses now, copypaste a
| code?
| activiation wrote:
| Do they block Google from tracking which search results you click
| on? Google changes search results link on-click to make sure they
| know where you go... Just right-click on a link and then hover it
| to see where it really points to
| dorianmariefr wrote:
| Doesn't work for me, I'm on Chrome, no adblockers (disabled
| uBlock), maybe it's because I said no to tracking
| activiation wrote:
| I don't get your comment
___________________________________________________________________
(page generated 2023-06-08 23:01 UTC)