Apple plans to disable Facebook web tracking capabilities
News roundup: Apple wants to protect its users from Facebook web tracking with the next version of Safari. Plus, genealogy website MyHeritage suffers data breach, and more.
Apple plans to disable some Facebook web tracking capabilities in the next versions of its iOS and Mac operating systems.
At the Apple Worldwide Developers Conference (WWDC), the company's senior vice president of software engineering Craig Federighi explained the new antitracking features that will be rolled out in the next iteration of Apple's web browser Safari. The features are meant to prevent Facebook and other companies from collecting user data automatically.
Specifically, Federighi called out the "Like" and "Share" buttons that appear on countless websites. In order to use either of those buttons, or leave a comment in the comments section, the user has to be logged into Facebook. But even if the user doesn't click on the buttons, they can still be used to track that person just because they loaded the webpage.
"We've all seen these like buttons and share buttons," Federighi said on stage at WWDC. "Well, it turns out these can be used to track you, whether you click on them or not. So this year, we're shutting that down."
With the Facebook web tracking features disabled, Safari users will see a pop-up on sites with the Facebook buttons that will ask if they want to allow 'facebook.com' -- or any other site with web trackers enabled -- to use cookies and website data. Users will be able to opt out of tracking and keep their browsing activity private. Safari will change how it loads websites so that it requires users to consent to their data being tracked.
Facebook web tracking was called out specifically by Federighi, but Google has similar tracking abilities and will also be affected. Both Facebook and Google use web tracking to deliver targeted ads to users and collect data.
In the next version of macOS, Mojave, Apple will also disable what it calls "fingerprinting" by data companies. The companies collect information on the configuration of a particular device, including the fonts it has installed and the plug-ins that are enabled, to create a unique device profile and then use that to track the device from site to site.
"With Mojave, we're making it much harder for trackers to create a unique fingerprint," Federighi said. "We're presenting webpages with only a simplified configuration system. We show them only built-in fonts. And legacy plug-ins are no longer supported, so those can't contribute to a fingerprint. And as a result, your Mac will look like everyone else's Mac, and it will be dramatically more difficult for data companies to uniquely identify your device and track you."
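The effect described above can be measured as anonymity-set size. The following is an added example, not code from the article or from Apple: it models a constructed population of six devices and compares how many are uniquely identifiable before and after a page is shown only built-in fonts and no plug-ins. All font and plug-in names are hypothetical.

```javascript
// Constructed sample data: font and plug-in names are hypothetical.
const BUILT_IN_FONTS = ["SystemSans", "SystemSerif", "SystemMono"];
const devices = [
  { id: "dev1", fonts: [...BUILT_IN_FONTS, "FoundryA"], plugins: ["LegacyPluginX"] },
  { id: "dev2", fonts: [...BUILT_IN_FONTS, "FoundryB"], plugins: [] },
  { id: "dev3", fonts: [...BUILT_IN_FONTS], plugins: ["LegacyPluginX"] },
  { id: "dev4", fonts: [...BUILT_IN_FONTS], plugins: [] },
  { id: "dev5", fonts: [...BUILT_IN_FONTS], plugins: [] },
  { id: "dev6", fonts: [...BUILT_IN_FONTS, "FoundryA"], plugins: ["LegacyPluginY"] },
];

// What a page observes with no mitigation: the full configuration.
const rawView = (d) => ({ fonts: d.fonts, plugins: d.plugins });

// The simplified configuration described above: built-in fonts only, no legacy plug-ins.
const simplifiedView = (d) => ({
  fonts: d.fonts.filter((f) => BUILT_IN_FONTS.includes(f)),
  plugins: [],
});

// Order-independent canonical form of the observed configuration.
const fingerprint = (v) =>
  JSON.stringify({ fonts: [...v.fonts].sort(), plugins: [...v.plugins].sort() });

// Group device ids by fingerprint; each group is one anonymity set.
function anonymitySets(devs, view) {
  const sets = new Map();
  for (const d of devs) {
    const fp = fingerprint(view(d));
    sets.set(fp, [...(sets.get(fp) || []), d.id]);
  }
  return [...sets.values()];
}

// Devices that sit alone in their set can be followed from site to site.
const uniquelyIdentifiable = (devs, view) =>
  anonymitySets(devs, view).filter((s) => s.length === 1).map((s) => s[0]);

// Shannon entropy (bits) of the fingerprint distribution; 0 means all devices look alike.
function entropyBits(devs, view) {
  let h = 0;
  for (const s of anonymitySets(devs, view)) {
    const p = s.length / devs.length;
    h -= p * Math.log2(p);
  }
  return h;
}

console.log("raw:", uniquelyIdentifiable(devices, rawView), entropyBits(devices, rawView).toFixed(2));
console.log("simplified:", uniquelyIdentifiable(devices, simplifiedView), entropyBits(devices, simplifiedView).toFixed(2));
```

In this constructed population, four of the six devices are unique under the raw view, and none are once every device presents the same simplified configuration.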
These are not the first steps Apple has taken to reduce web tracking. At the 2017 WWDC, the company introduced Intelligent Tracking Prevention, which limited the capabilities of third-party trackers and their use of cookies. However, this is the first time Apple has directly called out and taken steps to prevent tracking by Facebook and Google specifically.
In other news
- The U.S. Department of Defense (DoD) is looking to purchase and set up a cloud browser for its employees. According to a request for information (RFI) from the Defense Information Systems Agency, the DoD intends to have its 3.1 million employees move to a cloud browser because the department believes it would be more secure to have employees browse the web via a remote server that operates outside the DoD network than to have it happen on their own devices. The RFI called this technique "cloud-based internet isolation," and it has been gaining interest among enterprises. In 2017, security company Symantec acquired the company Fireglass with the intention of bolstering its browser isolation capabilities.
- The email and password data of 92 million users of the genealogy website MyHeritage was exposed in a data breach, according to the company. A security researcher found a file named 'myheritage' on a private server not connected to MyHeritage that contained the email addresses and hashed passwords of users who had signed up before October 26, 2017, which is the date of the data breach. In a statement, MyHeritage said that the hackers don't have the actual passwords and there was no evidence that any of the information had been used. "We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised," the blog post said. MyHeritage said credit card data is stored with third-party providers and actual DNA and family-related data are all on segregated systems, so they weren't affected by the breach. "We have no reason to believe those systems have been compromised."
- The malware VPNFilter targets more devices than previously thought, according to updated research from Cisco Talos. VPNFilter was previously found to be infecting small office and home office routers and network-attached storage devices from several different vendors. Now, the researchers at Cisco Talos believe the malware is targeting more makes and models of those devices, and doing so with additional capabilities. New vendors now affected by VPNFilter are Asus, D-Link, Huawei, Ubiquiti, Upvel, ZTE, Linksys, MikroTik, Netgear and TP-Link. VPNFilter also now has the ability to deliver exploits to endpoints using a man-in-the-middle attack. "With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports," Cisco Talos' William Largent wrote in the blog post detailing the new findings.