While as a consumer I do objectively like the privacy measures Apple is adding, at end of the day they're simply consolidating all tracking power to themselves.

However, could become an arms race where we start putting correlation IDs in params named page= or video=.

Maybe it's because I think Apple is slowly building a parallel advertising ecosystem that is slightly less intrusive for users but massively more lucrative for themselves.

This is a MITM attack where Apple plays the good guy(or control freak, depending on how you feel about it) but MITM attacks are nothing new.

Normally clicks have a "gclid" query param. Google is introducing 2 new query params to somehow attribute clicks using modeling + machine learning (somehow).

Edit: here's a detailed description of how Google is attempting to track conversions using machine learning. I have no idea how this could possibly work without some kind of fingerprinting or user profiling or IP address. Almost feels like "modeled conversions" powered by ML is a way to do fingerprinting without explicitly having an algorithm that blatantly uses fingerprinting.

https://support.google.com/analytics/answer/10710245?sjid=85...

Edit 2: The new query params are "gbraid" and "wbraid". Googling those turns up more details.

If it were UBlock Origin doing this, sites could just say "Sorry, we don't support this, your addin is breaking everything, please turn it off."

But when Apple does something, there's no room for conversation. Sites can't say "Sorry, we don't work on iPhones." For better or worse, what Apple decides becomes acceptable. In this case for better.

mysite.com/aZdi

instead of mysite.com/invitation/?uid=1234

Safari is planning to use ML to detect click_id type of query parameters and strip that from URLs. That's just poor execution and business destroying. PCM restrictions are horrible too.. we have to design the link so it stays within safari's specs:

> With an ad-click, an 8-bit ID can be transmitted (a number between 0 and 255, i.e. 256 possible values / campaigns) - per domain > For a conversion, a 4-bit ID is transmitted (a number between 00 and 15, i.e. 16 different types of conversion) - per domain

Not to mention Chrome and Firefox has other ideas, each different on how their PCM will be integrated. Other than the mega corps, noone is benefitting from this privacy enhancement. Just more work to adapt.

And once the industry realized that users don't revolt at this privacy invasion, it has been spreading.

I don't get it.

What's the alternative? Most people with a phone are going to be using iOS or Android. Those are the two options. Apple has the chance to improve data privacy, and they've done it. Android (essentially, Google) is certainly _not_ going to take such action.

Apple could always use this to their advantage, or double-back on it. Who cares? They've moved the needle in a positive direction, that's all that should matter.

Wow, another heuristics software by Apple that automatically does something I didn't ask for? Is there a chance it removes a parameter from the link which renders the functionality broken? On the other hand, could advertisers just use random hashes without labeling them as the tracking param to avoid this? Apple is famous for producing bad software, I hope their programming would automatically interfere with as less things as possible.

They can't just blanket remove all GET parameters (because it would break legitimate non-tracking links), plus advertisers could use subpaths instead of GET params for writing the tracking data.

Therefore I suspect it's only going to be arms race between a blacklisted list of GET params and advertisers changing up the variable names to escape it, making it unsafe to use any GET param at all because you can't be sure a link that works today will still work tomorrow if they changed their list of banned properties.

EDIT: They could also do something similar to what they've done with Content Blocking Extensions, maybe call them "URL Cleaning Extensions", which allow third parties to maintain tracking URL pattern lists which Safari can then follow to do its unwrapping.

https://webkit.org/blog/11529/introducing-private-click-meas...

When the web server gets a request, it can validate & decrypt, update any tracking values, and redirect to the real URL.

The way this can be bypassed is:

Before: mylink.mydomain?tracking_id=abc123 After: mylink.mydomain/home/abc123/

Yeah, it might wreck SEO. But if you're really trying to track users and see who clicked on your email or whatever, it's probably the case that you don't care about SEO in this specific case.

They're probably hoping that advertisers will retreat to PCM instead of continuing the cat and mouse game.

PCM is an in-progress standard that, at a high level, allows measuring ad campaign success without tracking individual users. No such restrictions apply to query parameters, of course - so PCM is inherently more private.

That's the problem. This is too complicated/too much trouble for the end user who just uses his iPhone via Safari. Do they the privacy and all that? Yes, will they go out of their way with all that trouble? No.

While you're not wrong that it's a company A fighting company B with users as pawns, it still is a win for the normal end user.

No. It's probably just because Apple is slowly building a parallel advertising ecosystem that is slightly less intrusive for users but massively more lucrative for themselves.

Apple's position on privacy is somewhat of an illusion and could disappear whenever they decide. Remember the CSAM debacle? https://www.wired.com/story/apple-photo-scanning-csam-commun...

I still think Apple is doing the best in the marketplace with respect to security and privacy, but if we're being honest they're playing the role of benevolent dictator.

Absolutely. There was no shortage of Windows-centric corporate IT departments that swore that they'd never support Apple products.

Then iPhones started showing up in boardrooms, and they quickly changed their tune.

I brought my iPhone to work shortly after launch and showed it to curious coworkers. The head of IT for that particular multinational corp said it was garbage and would never be allowed on his network. "Apple is crapple" was his favorite phrase.

A few months later he got to peddle his anti-Apple mantra on the unemployment line.

Or is this feature more advanced than just stripping known tracking parameter keys?

And in the end they are manipulating links. While no advocate for ads, this has implications on the freedom of the internet.

Maybe some services will accept it, but others will not. When I tried to sign in to Microsoft Teams from Safari yesterday it presented a screen that said that Teams will only load on Safari if I disable tracking prevention for the Teams site. So unless users put additional pressures on services to offer support for Apple those services may just force users to accept tracking one way or another: either by disabling Safari's mitigations or using an alternative client that does not use such mitigations.

And if that won't work, just encode the entire url as amazon.de/2ec1a277-0c96-40d3-8fe1-e418fd82986d