Apple refused to implement 16 web APIs in Safari due to privacy concerns


Apple said this week that it declined to implement 16 new web technologies (web APIs) in Safari because they posed a threat to user privacy by opening new avenues for users’ fingerprints.

Technologies that Apple declined to include in Safari due to concerns about users’ fingerprints include:

  • Bluetooth Web: Allows websites to connect to nearby Bluetooth LE devices.
  • Web MIDI API – Allows websites to list, manipulate, and access MIDI devices.
  • Magnetometer API – Allows websites to access data about the local magnetic field around a user, as detected by the device’s primary magnetometer sensor.
  • NFC Web API – Allows websites to communicate with NFC tags through a device’s NFC reader.
  • Device Memory API – Allows websites to receive the approximate amount of device memory in gigabytes.
  • Network Information API – Provides information about the connection that a device is using to communicate with the network and provides a means for scripts to be notified if the connection type changes
  • Battery Status API – Allows websites to receive battery status information from the hosting device.
  • Bluetooth Web Scan – Allows websites to scan nearby Bluetooth LE devices.
  • Ambient Light Sensor – Allows websites to obtain the current light level or ambient light illumination around the host device through the device’s native sensors.
  • HDCP Policy Check Extension for EME – Allows websites to verify HDCP policies, used in media streaming / streaming.
  • Proximity Sensor: Allows websites to retrieve data about the distance between a device and an object, measured by a proximity sensor.
  • WebHID – Allows websites to retrieve information about locally connected Human Interface Devices (HIDs).
  • Serial API: Allows websites to write and read data from serial interfaces, used by devices like microcontrollers, 3D printers, and others.
  • USB Web: Allows websites to communicate with devices via USB (Universal Serial Bus).
  • Geolocation sensor (background geolocation) – A more modern version of the older geolocation API that allows websites to access geolocation data.
  • User Inactivity Detection – Allows the website to know when a user is inactive.

Apple claims that the previous 16 web APIs would allow online advertisers and data analytics companies to create scripts that identify users and their devices.

User fingerprints are small scripts that the advertiser loads and runs within each user’s browser. The scripts execute a set of standard operations, usually against a common web API or a common web browser feature, and measure the response.

Since each user has a different browser and operating system configuration, the responses are unique per user device. Advertisers use this unique response (fingerprint), along with other fingerprints and data points, to create unique identifiers for each user.

In the past three years, user fingerprints have become the standard method of user tracking in the online ad technology market.

The change to users’ fingerprints comes as browser manufacturers have been implementing anti-tracking features that have limited the capabilities and scope of third-party cookies (tracking).

Some browser manufacturers have also implemented countermeasures to prevent fingerprint operations through the most common methods, such as fonts, HTML5 canvas, and WebGL, but not all user fingerprint vectors are currently locked.

Also, new ones are constantly being created as browser manufacturers add new web APIs to their code.

Currently, Apple has identified the 16 web APIs mentioned above as some of the worst criminals; however, the browser maker said that if any of these new technologies “reduce digital printing capacity in the future,” it would reconsider adding it to Safari.

“WebKit’s first line of defense against fingerprints is not to implement web features that increase digital printing capacity and do not offer a secure way to protect the user,” Apple said.

For the web APIs already implemented in Safari years before, Apple says it has been working to limit its fingerprint vector. Until now, Apple said so:

  • Support for custom fonts has been removed. This means only presenting built-in fonts that are the same for all users with the same system.
  • Minor software update information has been removed from the user agent chain. The chain only changes with the marketing version of the platform and the browser.
  • The Do Not Track flag has been removed, ironically used as a fingerprint vector, adding uniqueness to users who have enabled it.
  • Support for any plugin in macOS has been removed. Other desktop ports may differ. (Plugins were never a thing on iOS.)
  • Require user permission for websites to access device orientation / motion APIs on mobile devices, because the physical nature of motion sensors can allow fingerprinting of the device.
  • Avoid fingerprints from connected cameras and microphones through the Web Real-Time Communication API (WebRTC).