An almost complete overview of Apple WebKit’s Intelligent Tracking Prevention

Historically, browsers have had a great deal of control over the online experience of end users. Since their genesis, several different browsers have competed for dominant market share. With the arrival of Intelligent Tracking Prevention (ITP), it seems that big tech is now using browser standards to target each other’s business models.

A history of browser wars

During the first browser war in the nineties, both Microsoft and Netscape were aware that setting the standard in a market with strong network effects is crucial to business success. Both tried to exploit the increasing returns to adoption by setting standards on how websites should be developed and how their content should be visualized. Microsoft adopted Netscape’s standard, added some more and made sure that Internet Explorer was preinstalled on all new personal computers. Exit Netscape.

Mozilla Firefox, the phoenix that arose from the Netscape ashes, really challenged Internet Explorer. A grassroots movement, and a $100 million fee paid by Google to have google.com as the default search engine inside the browser, helped Firefox to a ~30% market share.

A 2004 ad in the New York Times advertising the Firefox launch

Chrome entered the story in 2008 and used a variety of tactics to gain momentum. Computer users installing RealPlayer or Adobe Acrobat Reader implicitly gave consent to also install Google Chrome and make it their default browser. Chrome also adopted very innovative standards and managed to leverage its huge ecosystem by showing notifications to inform users when they are not using Chrome. Finally, Google is also developing applications that only work, or work better, in their Chrome browser, such as the Chromecast.

Google makes money from showing targeted advertising to users across the internet. By owning the most popular technology that’s used to browse the internet, Google is in a position to set the rules. Or is it?

Apple’s customers are not a product

Unlike Google, Apple makes money by selling hardware. Although it briefly had an advertising platform – iAd – Apple has made privacy a selling proposition. Apple CEO Tim Cook said in an interview: “The truth is we could make a ton of money if we monetized our customer, if our customer was our product. We’ve elected not to do that.” It is a strategy that also found its way to Safari when it was equipped with Intelligent Tracking Prevention, a feature that makes it harder for advertising platforms to track user behavior across the web. Safari has a market share of 10-15%.

Intelligent Tracking Prevention (ITP) is a tool, embedded in WebKit, the Safari browser engine that translates raw code to a visual web page. At the core of intelligent tracking prevention is a machine learning model that classifies cookies, set by websites on your computer, as potentially having cross-site tracking capabilities.

If this feels complicated to you, the WebKit blog has a crystal clear example of a third-party cookie with cross-site tracking capabilities.

Third party cookies, with cross-site tracking capabilities

Imagine a user who first browses example-products.com for a new gadget and later browses example-recipies.com for dinner ideas. If both these sites load resources from example-tracker.com and example-tracker.com has a cookie stored in the user’s browser, the owner of example-tracker.com has the ability to know that the user visited both the product website and the recipe website, what they did on those sites, what kind of web browser was used, et cetera. This is what’s called cross-site tracking and the cookie used by example-tracker.com is called a third-party cookie.

Source: webkit.org

If you don’t care about tech companies tracking your every move on the internet, that’s great. Yet if you’re curious how this could be problematic, please read my (Dutch) blog post on health websites sharing your potential conditions.

Here’s what ITP does to cookies.

  • If they were third-party cookies, they were partitioned after 24 hours and could no longer be used for cross-site tracking.
  • If a third-party cookie was used within a first-party context, it was allowed to exist for another 30 days.
  • After 30 days, all cookies are deleted.
Intelligent Tracking Prevention Timeline

If you were Google or Facebook, this wasn’t really a problem for you. You could set cookies, and there is a high probability that users interact with that cookie in a first party context — i.e. you use google.com or facebook.com within 24 hours.

To counter this, ITP 2.0 was implemented in WebKit. This made the rules even more rigid.

  • Third-party cookies are no longer allowed. Period.
  • After 30 days, all cookies are deleted.
0 days: Cookies are partitioned and not persisted in 3rd-party contexts. | 30 days: Existing cookies are purged. New cookies are blocked. | Days of use after the most recent interaction with the website or successful use of the Storage Access API.

Yes, this was starting to become annoying for the tech giants. They were creative, however. Many of their technologies were adapted so that they would only set first-party cookies. In other words, users could no longer be identified across different websites. However, to keep users identifiable they used ‘link decoration’. Every time you click a link within google.com or facebook.com, you would be redirected and a unique identifier would be passed using a URL parameter. This would set a cookie on the landing page you arrive on, and you would still be identifiable across multiple websites.

Figure: cross-site tracking with link decoration. Source: webkit.org

ITP 2.1 and 2.2 were specifically designed to counter this behavior. First of all, ITP started targeting first-party cookies that were set using document.cookie. This is a very technical matter, but in layman’s terms: the server where the website is hosted was not asked explicitly to set the cookie. Instead, it is set by a script when the website is already fully or partially loaded.

  • First-party cookies, set using document.cookie, placed by domains known for cross-domain tracking activity and using link decorations are removed after one day.
  • Other first-party cookies, set using document.cookie, are removed after 7 days.
  • Again, third party cookies are no longer allowed.
  • Again, after 30 days, all other cookies are deleted.

That’s when marketers and big tech companies started to become really creative. Instead of storing information, usually a user id, inside a cookie, they started to store it in other places. This really started to feel like abuse of existing technology. Once again, WebKit came with an update: ITP 2.3.

  • Non-cookie data (such as localStorage) will be deleted if the user surfed to a web page from a website known for having cross-site tracking capabilities.
  • First-party cookies, set using document.cookie, placed by domains known for cross-domain tracking activity and using link decorations are removed after one day.
  • Other first-party cookies, set using document.cookie, are removed after 7 days.
  • Again, third party cookies are no longer allowed.
  • Again, after 30 days, all other cookies are deleted.
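
The ITP 2.3 rules listed above can be read as a small decision procedure. The following is an added example, not WebKit code: it models the rules as this article summarises them and shows which stored items are still present after a given number of days. All field names, function names, the site shop.example and the click_id parameter are constructed for illustration.

```javascript
// Added illustration: the ITP 2.3 rules as summarised in this article.
// Not WebKit code; every field and function name here is hypothetical.

// Link decoration: the landing URL carries a query string or a fragment.
function isDecorated(landingUrl) {
  const u = new URL(landingUrl);
  return u.search.length > 1 || u.hash.length > 1;
}

// Lifetime cap in days for one stored item; 0 means blocked or deleted at
// once, null means the listed rules state no cap for it.
function lifetimeCapDays(item, nav) {
  if (item.kind === "localStorage") {
    return nav.fromTracker ? 0 : null;        // non-cookie data
  }
  if (item.party === "third") return 0;       // third-party cookies
  if (item.setBy === "document.cookie") {     // script-written first-party
    return nav.fromTracker && nav.decorated ? 1 : 7;
  }
  return 30;                                  // all other cookies
}

// Names of the items still present ageDays after they were written.
function survivors(items, landingUrl, referrerIsTracker, ageDays) {
  const nav = {
    fromTracker: referrerIsTracker,
    decorated: isDecorated(landingUrl),
  };
  return items
    .filter((item) => {
      const cap = lifetimeCapDays(item, nav);
      return cap === null || ageDays < cap;
    })
    .map((item) => item.name);
}

// Constructed sample data for a hypothetical site shop.example.
const SAMPLE_ITEMS = [
  { name: "_uid", kind: "cookie", party: "first", setBy: "document.cookie" },
  { name: "session", kind: "cookie", party: "first", setBy: "http" },
  { name: "trk", kind: "cookie", party: "third", setBy: "http" },
  { name: "visitor", kind: "localStorage", party: "first" },
];
const DECORATED = "https://shop.example/landing?click_id=abc123";

console.log(survivors(SAMPLE_ITEMS, DECORATED, true, 2));
console.log(survivors(SAMPLE_ITEMS, "https://shop.example/", false, 8));
```

Site owners can use a model like this to check which of their own identifiers (for example a login session set by the server versus an analytics id written by a script) will outlive a week in Safari.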

While Google is turning its ecosystem into a perfect data harvesting tool (read my opinion about Google Signals where I’m wearing a marketer’s hat), Apple is fighting tooth and nail to counter that trend. Clearly, advertisers and Apple’s WebKit are in a true position war. Every time WebKit’s rules are adapted to the latest hack, advertisers are preparing their next moves.

By the way, where’s Mozilla in all this?

Mozilla, the privacy advocate that’s late to the table

Mozilla Firefox has also changed throughout the years. It challenged Microsoft in 2004, but clearly lost the battle against Google. However, Firefox has been reinvented around the core principle of privacy:

“And at our backs, a widely ingrained privacy philosophy has long guided how we develop products, manage data collection and, ultimately, serve the people who use our stuff.”

Firefox Privacy Policy

Some weeks ago, I read this announcement on the Firefox website. Although Firefox has only a 5-10% market share, a web analytics apocalypse was around the corner, if you believed marketing pundits. Even I went with it, sadly.

As of September, Mozilla Firefox started blocking third-party cookies from a shitload of domains. Basically, Firefox’s Enhanced Tracking Protection is now on par with ITP 2.0. Most web analytics tools still function properly; there is no digital marketing apocalypse whatsoever.

What about Microsoft?

In June 2019, Microsoft announced Microsoft Edge tracking prevention. The functionalities are really in line with WebKit’s ITP.

Edge will come with Trust Protection Lists: a list of domain names of organizations that are trying to track your browsing behavior across multiple domain names: “To check if the URL is considered a tracker by our classification system, we check a series of hostnames, starting with an exact match and then proceeding to check for partial matches for up to 4 labels beyond the top-level domain.”
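
The lookup order in that quote can be sketched as follows. This is an added example, not Microsoft's code, and it rests on two assumptions: the last label of the hostname is treated as the top-level domain (no public-suffix list), and "up to 4 labels beyond the top-level domain" is read as capping the longest partial candidate at the TLD plus four labels. The list entries and function names are constructed.

```javascript
// Added illustration of the quoted lookup order; not Microsoft's code.
// Assumptions: the last label is the top-level domain (no public-suffix
// list), and the longest partial candidate is the TLD plus 4 labels.
const MAX_LABELS_BEYOND_TLD = 4;

// Hostnames to look up, in order: exact match, then shrinking suffixes.
function candidateHostnames(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const candidates = [labels.join(".")];
  const first = Math.max(1, labels.length - (MAX_LABELS_BEYOND_TLD + 1));
  for (let i = first; i <= labels.length - 2; i++) {
    candidates.push(labels.slice(i).join("."));
  }
  return candidates;
}

// Returns the list entry that matched, or null when the host is not listed.
function matchTracker(url, trackerHosts) {
  for (const candidate of candidateHostnames(new URL(url).hostname)) {
    if (trackerHosts.has(candidate)) return candidate;
  }
  return null;
}

// Constructed list entries; real lists are far larger.
const SAMPLE_LIST = new Set(["tracker.example", "pixel.ads.example"]);

// Matching is done on whole labels, so look-alike hosts stay unmatched.
console.log(matchTracker("https://cdn.tracker.example/p.gif", SAMPLE_LIST));
console.log(matchTracker("https://nottracker.example/", SAMPLE_LIST));
console.log(matchTracker("https://tracker.example.evil.test/", SAMPLE_LIST));
```

Because candidates are built from whole labels, a host that merely contains a listed name as a substring or as a leading label is not classified as that tracker.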

If we read what Microsoft Edge will block, we can see that Edge’s Tracking Prevention (in Balanced Mode) will be in line with the most recent versions of ITP: “If a known tracking resource tries to access any web storage where it may try to persist data about the user, we will block that access. This includes restricting the ability for that tracker to get or set cookies as well as access storage APIs such as IndexedDB and localStorage.” Not only will Edge restrict storage access, in Strict Mode, it will also block resource loads such as tracking pixels and iframes. If you’ve worked with stringent tracking settings in privacy extensions such as Privacy Badger or uBlock, you’ll know that this might break websites.

How it all works becomes very clear in this ZDNet article that trended on Hacker News over the weekend. Keep in mind that Microsoft is still experimenting with the functionalities:

“We are currently experimenting with ways to provide even greater privacy protection by investigating opportunities to expand the types of trackers we block for you. For the Balanced setting, we may start to consider your recent interactions with sites. For example, for sites that you interact with in a first party context on a regular basis, access to cookies, localStorage, IndexedDB and other storage may be allowed in a broader context to ensure web functionality, like login flows or social network commenting, just works.”

Wrapping up

Data leaks and scandals have put privacy high on the agenda of (some) big tech companies, governments, journalists and consumers. Luckily, although advertisers are trying to get access to your devices, having a private browsing experience is rather easy. Use Safari or Firefox and install an extension such as Privacy Badger.