New browser and login initiatives by Apple appear to be aimed at crushing third-party tracking of users. It’s a bid to make Apple’s Safari browser software more tuned into emerging user-privacy interests. But what could be the “unintended impact” — to use Apple’s own term? Could competing Single Sign On (SSO) services be affected?
Apple’s moves come in two contexts:
- Updates to its “Intelligent Tracking Protection” (ITP) service within its Safari desktop and mobile browsers.
- Requirements placed on app developers who want to offer “Sign In With Apple” as a federated single-sign-on (SSO) service across multiple apps or websites.
The idea of tracking users across sites stems from the basic architecture of the Internet. It is “stateless” — as you move from site to site your connection with each is autonomous. In the 1990s, as businesses started to use the web, they wanted a way to “remember you” between visits, so the old Netscape Communications Corp. invented the idea of a “cookie” file for storing information between visits within your web browser. Increasingly that has become used for opaque data surveillance.
So Apple’s ITP in Safari is being re-engineered to block certain uses of “cookies.” But it’s going a step further, and looking at the use of so-called “URL appends” — the stuff after the question mark in a web address — for similar tracking thought to be privacy violating.
But here’s the challenge — what if a cookie, or a URL append is being used for a purpose that has nothing to do with privacy violation or ad tracking, but rather is providing the user a service that the user understands and wants? The answer, say some observers, is that it will depend how Apple implements.
For it’s part, Safari developers at Apple are saying they want to avoid “unintended consequences.” In an Aug. 16 posting at Apple’s WebKit blog, they write: “There are practices on the web that we do not intend to disrupt, but which may be inadvertently affected because they rely on techniques that can also be used for tracking. We consider this to be unintended impact.” Among things they say may be “inadvertently affect” are “federated login using a third-party login provider” . . . “single sign-on to multiple websites controlled by the same orgnization.” The full list of possible effects is at the WebKit posting.
As for Sign In With Apple.
For years, Facebook and Google users have been able to use their login credentials to access other websites — and a somewhat similar service called EduRoam allows academics to log into local wifi on hundreds of campuses. Apple told developers June 6 it would ramp up this fall “Sign In With Apple” with a privacy-ehancing twist — you could make sure third-party websites would not receive your email address or any personal information other than your name.
Buried in the fine print was the requirement that if your application uses any form of third-party sign-in Apple will require (last paragraph at this link) the app also offer Sign In With Apple. So — it means Sign In With Apple is a forced option as a condition of staying in the Apply iOS ecosystem. The expected experience is shown here.
Writes Sarah Perez at TechCrunch: “Apple is requiring that its button is offered whenever another third-party sign-in option is offered, like Facebook’s login or Google, writes Sarah Perez at TechCrunch, adding: “Note that Apple is not saying ‘social’ login though. It’s saying ‘third-party,’ which is more encompassing.”
One other wrinkle — security: Although Sign In With Apple is using open-standard OAuth 2.0, its version of the open-standard OpenID Connect (both of these are used by Facebook and Google) is not in compliance with the OpenID standards, the OpenID Foundation standards body wrote in a letter to Apple and accompanying specification comparison. The letter said Apple’s implementation “reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks.” Apple doesn’t belong to the OpenID Foundation.