Apple said these 16 new web APIs are creating more ways for digital marketers to fingerprint consumers.
Apple said that it refused to introduce 16 modern application technologies (Online APIs) in Safari this week because they presented a challenge to consumer privacy by starting new potential device fingerprinting avenues.
Technologies which Apple has declined to provide in Safari due to user fingerprinting issues include:
Web Bluetooth-Allows websites to connect to Bluetooth LE devices nearby.
Web MIDI API-Allows the enumeration, configuration, and control of MIDI instruments through websites.
Magnetometer API-Permit websites to access data regarding a users local magnetic field, as measured by the primary magnetometer sensor of the system.
Web NFC API-Allows websites to connect with the NFC tags via the NFC reader of a device.
Device Memory API-Allows websites to access total gigabytes of computer power.
Network Information API-Provides details about the interface that a system uses to interact with the network and offers a way for notifying scripts if the type of connection changes
Battery Status API-Allows websites to collect details regarding the hosting device’s battery level.
Web Bluetooth Scanning-Enables the scanning of websites for nearby Bluetooth LE devices.
Ambient Light Sensor-Lets websites use the native sensors of the device to obtain the current lighting conditions or illuminance of the artificial light around the organizing device.
HDCP Policy Check EME extension-Helps websites to test for HDCP rules, which are included in media streaming/playback.
Proximity Sensor-Allows websites to collect data as determined by a proximity sensor regarding the distance between such a device and an object.
WebHID-Allows websites to collect details about Human Interface Device (HID) apps attached locally.
Serial API-Allows serial interface websites to write and read data, used by computers such as microcontrollers, 3D printers, and others.
Web USB-Lets websites connect through USB (Universal Serial Bus) to smartphones.
Geolocation sensor (background geolocation)-A more recent edition of the older Geolocation API that enables access to geolocation data through websites.
Detection of User Idle-Lets the server understands when a user is idle.
Apple says that the above 16 Web APIs will enable web marketers and data analytics firms to build scripts for consumers and their devices to fingerprint.
User fingerprints are small scripts that are loaded and run by an advertiser within the browser of each user. The scripts perform a number of predefined operations and calculate the result, typically against such a common Web API or popular web browser function.
Because each user has a specific setup of software and operating system, the results are unique to the user’s computer. Advertising agencies use this different reaction (fingerprint) to create unique identifiers for each user, combined with many other fingerprints and data points.
User fingerprinting has been the traditional practice for monitoring consumers in the online ad tech industry over the last three years.
The change to the app fingerprinting occurs when software developers have introduced anti-tracking tools that have restricted third-party (tracking) cookies functionality and scope.
A few other browsers makers have also deployed measures to prevent fingerprinting operations through some of the most popular ways — like fonts, HTML5 canvas, and WebGL — though not all user fingerprinting vectors are blocked today.
Additionally, because computer manufacturers add existing Site APIs to their technology, they are continually creating new ones.
Now, Apple has listed the 16 Web APIs above as some of the very worst violators; nevertheless, the software manufacturer stated it would rethink introducing it to Safari if some of these emerging innovations “reduced fingerprint ability down the path.”
“The first line of protection of WebKit against fingerprinting is not to introduce web applications that maximize fingerprint ability and provide no protected means of protecting the app,” said Apple.
Apple claims it has been working to restrict their fingerprint ability function for Web APIs actually implemented in Safari years ago. Apple has said it so far:
Support removed for custom fonts. This implies only adding built-in fonts that are compatible with all applications of the same program.
Erased minor software upgrade of user agent string information. The string changes only for the platform ‘s marketing edition and application.
Removed the Do Not Track flag, which was strangely used as a fingerprinting vector, contributing uniqueness to the users who’d already enabled it.
Support removed for all macOS plug-ins. Certain device ports may vary. (Plug-ins on iOS aren’t really a thing.)
Require user authorization for websites to access system orientation/position APIs on mobile devices, as app fingerprinting can be necessary due to the physical existence of the motion detectors.
The Web Real-Time Communication API (WebRTC) prevents fingerprinting of connected microphones and cameras.
