When you finish a PhD in computer science, they take to a special room and explain that you must never use recursion in real life. Its only purpose is to make programming hard for undergrads. t.co/m3Qow2yW2q
Follow
John Wilander 
@johnwilander
Hacker fiction novelist + WebKitten behind Intelligent Tracking Prevention. He/him.
John Wilander 🇺🇦’s posts
“Facebook reads accelerometer data all the time. If you don't allow Facebook access to your location, the app can still infer your exact location only by grouping you with users matching the same vibration pattern that your phone accelerometer records.”
State of cross-site tracking 2020, default settings:
• Safari, algorithmic prevention
• Firefox, list-based prevention
• Edge, list-based prevention
• Brave, list-based block
• Chrome
Hiring experiment: Blind job auditions made women selected for interviews go from 5% to 54% cbsnews.com/news/when-tech I’ve said this for years
My opinion: The Google AMP cache is the cross-site tracking stunt of the decade. How did they get away with serving others' content under google·com for all these years, with full access to people's Google login cookies, while making the actual content providers into 3rd-parties?
As I said, the Google AMP cache is the cross-site tracking stunt of the decade. How did they get away with serving others' content under google·com for all these years, with full access to people's Google login cookies, while making the actual content providers into 3rd-parties?
Quote
People are spending $3 for an app to get rid of Google AMP twitter.com/ChristianSelig…
Work update: Since last month, I’m the manager of WebKit Security & Privacy at Apple. Huge responsibility in this day and age, but it's the kind of challenge I like. Here’s a thread about this Silicon Valley team and jobs you can apply to today!
OH: “Installing a WannaCry screenshot as a coworker’s screensaver.” Very evil. Very evil indeed.
“The new tracking-free ad server was performing so well that NPO decided to abandon cookies entirely beginning in 2020. As of January, visitors aren’t even asked to opt in or out; the site simply doesn’t track anyone. The results have been striking.“
DuckDuckGo just released their own tracker list, ready to be used by privacy tools such as content blockers. They even open sourced the code that generates it, bringing transparency to how domains end up on their list:
“[Google is] continuing to argue that third-party cookies are actually fine, and companies like Apple and Mozilla who would restrict trackers’ access to user data will end up harming user privacy. This argument is absurd.”
The long wait is over and the latest update to Safari's Intelligent Tracking Prevention is here: Full third-party cookie blocking and more webkit.org/blog/10218/ful Safari users, welcome to the future and a safer web!
Ten years at Apple today. 🎉❤️ What a journey. I’m so happy I took the chance and that my family took the leap of faith in moving to the US. Apple is a place where you can change the world for the better, and that’s what I’m focused on. Here’s to another amazing ten!
Please welcome the new W3C Privacy Community Group, chaired by people from Apple, Mozilla, and Microsoft. The web has a bright future! privacycg.github.io
”WordPress announced today that they plan on treating Google's new FLoC tracking technology as a security concern and plans to block it by default on WordPress sites.”
"Two years ago, Apple launched an aggressive battle against ads that track users across the web. Today executives in the online publishing and advertising industries say that effort has been stunningly effective"
#GodIsNotGreat pulled from trends because christians protest. But #ReasonsToBeatYourGirlfriend was allowed. Stay classy, .
Potential class-action lawsuit: "Google violated federal wiretap laws when it continued to collect information about what users were doing on the internet without their permission even though they were browsing in so-called private browsing mode"
”I deleted everything from Google I could find, restarted the computer, and it was like night-and-day. Everything was instantly and noticeably faster, and WindowServer CPU was well under 10% again.” chromeisbad.com
Company 1: “Don’t worry, we will never sell your information.”
Company 2 buys Company 1.
Safari has partitioned its HTTP cache since 2013. *Seven years* before Chrome. I hope they fix the article.
The Swedish word for six is sex. Here, a kids book on counting.
Quote
The Swedish word for goat is 'get' and the Swedish for kid is 'killing', resulting in this creepy instruction in a children’s educational book
Estimated breakage rate by the end of the 2nd year of ownership, for laptop computers. Hardware is hard.
Pro tip: When you revise history and say “When other browsers started blocking third-party cookies by default, we were excited about the direction,” you first need to pay off the people who were in the W3C meeting 2017 where you shared your “excitement.”
A day to celebrate – new installs of Firefox get cross-site tracking protection turned on by default! 🎉🎈🎂
Now two of the major browsers – Safari in 2017 and Firefox in 2019 — have decided that tracking should be opt in, not opt out:
It’s time to switch browser, if you’re not already on one with modern privacy protections turned on by default:
3.5 years after I had to endure an ITP hate storm at W3C, including a TAG representative calling me stupid in public, Google has now said tracking prevention *is* key to the future of the web. The WebKit team’s love for the web is solid. We stood up to the bullies.
Quote
“Keeping the internet open and accessible for everyone requires all of us to do more to protect privacy — and that means an end to not only third-party cookies, but also any technology used for tracking individual people as they browse the web.” blog.google/products/ads-c
Privacy protections, just like security protections, should be on by default.
Let me say that again.
Privacy protections, just like security protections, should be on by default.
I’ve spent my whole professional career making sure people are safe on the web. All kinds of people, not just specialists. I dream of not having to tell friends to stay vigilant when they browse.
Some interpret that as not wanting the web to succeed.
So let me say it: I ❤️ web
Zero mentioning of the fact that the Google AMP cache makes Google the (faux) first party of all those news links. First party as in unpartitioned cookie access.
Web privacy is not about transparency and additional controls.
Web privacy is about prevention and limitations, on by default.
Given today's news, I can only say this: We have to save the web, folks. If we don't, we may never get it back.
A 3% surcharge to “offset” having to pay your staff. How about you just show me the price of the food including salaries?
Opera sync system breached. Encrypted, synchronized passwords and hashed+salted auth tokens compromised.
Brave on FLoC: 'In general, the idea that privacy is, and is only, the absence of cross-site tracking, is wrong. Any useful concept of privacy should include some concept of “don’t tell others things you know about me, without my permission.”'
Thanks everyone who attended my talk on web privacy at #usesec19. My demos worked – yay!
By the way, we *just* announced the WebKit Tracking Prevention Policy:
Lastpass stores 2FA secret seed in a URL that can be derived from your password which beats the purpose of 2FA: martinvigo.com/design-flaws-l
I’m half Indian, half Swedish => more melanin. This created an issue for me throughout my upbringing in small town Sweden. I was called things including the N word and they made up stories about what we ate and that our townhouse had dirt floors.
All because of skin color.
Safari 10.1. Now with Fetch, IndexedDB 2.0, Custom Elements, EcmaScript 2016/2017, CSS Deep Colors, Grid Layout etc: developer.apple.com/library/prerel
Happy CCPA Day!
Californians now have the right to:
• Know what personal information (PI) is collected, used, shared, or sold
• Delete PI held by businesses & service providers
• Opt-out of sale of PI
• Non-discrimination in price & service when exercising CCPA privacy rights
Prediction: We will start talking about Privacy Herd Immunity.
Enough people need to opt out of data collection and profiling to make sure that models of human behavior cannot be created and applied to the rest of the population.
ITP 2.2 – Addressing the problem with cross-site tracking via link decoration:
“Google uses its dominance in schools to ‘spy’ on millions of future customers, tracking the digital lives of kids as early as kindergarten, a lawsuit filed by New Mexico's attorney general alleges.”
Introducing a privacy-first technology and another important step for a healthier web – Privacy Preserving Ad Click Attribution:
WebAuthn with a platform authenticator, i.e. private keys protected and managed by hardware security on-device? Yes.
Anonymous attestation so that WebAuthn doesn't become a cross-site tracking vector? Yes.
Face ID and Touch ID for the web? Yes.
developer.apple.com/videos/play/ww
”Google continued collecting location data even when users turned off various location-sharing settings, made popular privacy settings harder to find, and even pressured LG and other phone makers into hiding settings precisely because users liked them”
Happy New Year!
My decade in review:
• Had two kids 👧🏻👧🏼
• Got married 👰🏼
• Defended my PhD 🎩
• Released an EP and two singles 🎤
• Relocated 🇸🇪–>🇺🇸
• Joined
• Organized an OWASP AppSec 🤹🏻♀️
• Deleted the most tracker cookies in the world 🍪🌎
2020 will be awesome!
Joke making the rounds among Swedes:
It used to be you faked a cough to cover up a fart. Nowadays you fart to cover up a cough.
Here are my thoughts on yesterday's privacy announcement from the Chrome team (blog.chromium.org/2019/05/improv). [Thread]
"With iOS 14, iPadOS 14, and tvOS 14, you will need to receive the user’s permission through the AppTrackingTransparency framework to track them or access their device’s advertising identifier."
"Safari 14 Beta Release Notes … Safari no longer supports Flash."
developer.apple.com/documentation/
The latest update to Safari's Intelligent Tracking Prevention is here: "CNAME Cloaking and Bounce Tracking Defense" webkit.org/blog/11338/cna CNAME cloaking defense is another Safari first.
"When embedding a video using youtube·com, Google uses DoubleClick to track your users (…) When using youtube-nocookie·com, Google no longer uses DoubleClick to track your users."
"We have removed all non-essential cookies from GitHub, and visiting our website does not send any information to third-party analytics services." github.blog/2020-12-17-no-
Safari’s Intelligent Tracking Prevention 2.0 – all the details:
“Fitbit says data of its 28 million users will not be sold or used for Google ads” theguardian.com/technology/201 Below, changes to Google’s privacy policy 1999-2019.
Exciting news! Today's iOS/iPadOS betas have Private Click Measurement (PCM) enabled and it works for both web-to-web and app-to-web. PCM is a new, privacy-preserving way to measure click-through ad campaigns that navigate the user to a website.
ITP is enabled by default in all WKWebView apps for the newly announced releases. Apps can't disable it on their own but users can, just like in Safari. Check it out in the session "Discover WKWebView enhancements": developer.apple.com/videos/play/ww. The segment on privacy starts at 23:55.
"Interestingly, none of the Chrome devs that I follow are saying anything about FLoC. They’re usually quite chatty about proposals for potential standards, but I suspect that this one might be embarrassing for them. It was a similar situation with AMP."
Amazing. It’s apparently called the EXOPULSE Mollii Suit. Description and FAQ here: exopulse.com/about-mollii/
Quote
A Swedish engineer has created a suit that helps people with Parkinson's disease and stroke get rid of tremors using electrical stimulation.
In case you didn't know, you can chat with WebKit folks on our open Slack: webkit.slack.com
I wrote for hours today on the new MacBook Air M1. Browsed the web for research as I typically do. Plus some social media and some video clips. When I wrapped up, battery was at 93%. I didn’t even put it on the charger for tomorrow. 😮
I don't get why people are celebrating the death of IE to such an extent. Its marketshare is long gone. I doubt the people posting have bothered with IE the last few years.
The fact that Microsoft gave up their independent web engine continues to be sad and bad for the web.
Guess what just arrived at our house? I have to say the book looks gorgeous. The sales page goes live to subscribers tomorrow … together with my hacker review of The Matrix! –> hackerfiction.net/subscribe/
WhatsApp blog, June 2012: "Why we don't sell ads (…) Remember, when advertising is involved you the user are the product." blog.whatsapp.com/why-we-don-t-s
“Forbes asked readers to turn off ad blockers then immediately served them pop-under malware.” engadget.com/2016/01/08/you
This is bogus news. It makes me sad that people would even believe we would move to the worst engine for privacy after 16 years of fighting for web privacy with our own engine. You want perf, great battery life, great privacy, and a people-friendly vision? You want WebKit.
Quote
This is bad news chromeunboxed.com/apple-safari-g
Mozilla flips the switch! “For today’s release, Enhanced Tracking Protection will automatically be turned on by default for all users worldwide as part of the ‘Standard’ setting in the Firefox browser and will block known ‘third-party tracking cookies’” blog.mozilla.org/blog/2019/09/0
Intelligent Tracking Prevention – Safari’s new default cookie policy on iOS and macOS:
We now have an explainer up for the proposed IsLoggedIn web API: github.com/WebKit/explain
Please use the template for IsLoggedIn when filing issues, i.e. tap/click “New issue” and then "Raise an issue on the IsLoggedIn explainer.”
Privacy has to wait another year. 😔 At least for Chrome users.
“We now intend to begin phasing out third-party cookies in Chrome in the second half of 2024.” blog.google/products/chrom
Users deserve much better than full cross-site tracking by default. A sad day for the web.
Replying to
Chrome 62? Firefox 58? Safari 11? Regardless of who's responsible for updating this, that's not a meaningful comparison. At least put the years instead of version numbers there so that people understand you're comparing a 2020 browser with other browsers from 2017-2018.
Tonight I for the first time realized that we might not be able to stay here. What’s left if democracy is overridden and the will of the people set aside?
I’m scared.
We’re lucky to have another democracy to relocate to and also the whole of EU open to us.
I used to stress out over people who are much smarter than me. I enjoyed their company but I felt powerless faced with their brain capacity.
Now, as years of actual work have passed, I know other traits are immensely powerful too. Creativity, ambition, and being nice are huge.
How can serious people still suggest that tracking should be the default when we know the majority doesn’t want to be tracked?
Think of it like tobacco. Imagine everyone had to smoke unless they opted out. And that they had to opt out of smoking at every new place they went to.
WarGames, Sneakers, and Hackers are all currently $5 on the US iTunes store.
Privacy for Chrome users will have to wait another two years. “Google has delayed a major privacy change to its Chrome browser, pushing back a plan to block third-party cookies until late 2023” cnet.com/news/google-de I’m sad for people and for the web.
Biometric authentication for the web is here. Here's how you can create great user experiences with it: "Meet Face ID and Touch ID for the Web" webkit.org/blog/11312/mee
Tuesday at 4 pm is my #WWDC18 session on Securing Web Content: developer.apple.com/wwdc18/207 It’ll cover how to defend against XSS, CSRF, a compromised CDN, Spectre, and window control attacks. And at our labs we can discuss how it all fits with your specific setup and needs.
“The Danish Data Protection Agency has looked into the tool Google Analytics (…) On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully.”
TIL: Every position of Rubik's Cube can be solved in twenty moves or less. cube20.org
It should never be referred to as a standard if it got proposed, got negative feedback from other vendors, and shipped anyway. It’s a single-browser feature. If you make it look like a standard and talk about as a standard anyway, you’re “standards washing.”
The Edge team is landing the Storage Access API in Chromium which means we’ll get it in Edge and Brave. Hopefully also Chrome. 🎉
This is a critical piece of functionality for the modern web since it allows for authenticated embeds without requiring general 3rd-party cookies.
Quote
The beginnings of the Storage Access API landed in upstream Canary builds today! Plumbing needs to be run and strings will be tweaked, but we're excited for this to land in Chromium! Huge thanks to @johnwilander, @mikewest, and @ehsanakhgari for support + guidance!!
"Companies are starting to combine FLoC IDs with existing identifiable profile information, linking unique insights about people’s digital travels to what they already know about them, even before third-party cookie tracking could have revealed it."
In iOS 10.3 and later, when you manually install a certificate it isn't automatically trusted for SSL/TLS:
“In the Mail app, Mail Privacy Protection stops senders from using invisible pixels to collect information about the user. The new feature helps users prevent senders from knowing when they open an email, and masks their IP address” apple.com/newsroom/2021/
"Google Says It Doesn’t 'Sell' Your Data. Here’s How the Company Shares, Monetizes, and Exploits It." eff.org/deeplinks/2020