My hacker thriller “Identified” is now available as audiobook! 🤩🎧 Narrated by the awesome Kristin Price.
Some links:
• Audible
• Apple Books
• Google
• Storytel, Sweden
When you finish a PhD in computer science, they take you to a special room and explain that you must never use recursion in real life. Its only purpose is to make programming hard for undergrads.
“Facebook reads accelerometer data all the time. If you don't allow Facebook access to your location, the app can still infer your exact location only by grouping you with users matching the same vibration pattern that your phone accelerometer records.”
My opinion: The Google AMP cache is the cross-site tracking stunt of the decade. How did they get away with serving others' content under google·com for all these years, with full access to people's Google login cookies, while making the actual content providers into 3rd-parties?
As I said, the Google AMP cache is the cross-site tracking stunt of the decade. How did they get away with serving others' content under google·com for all these years, with full access to people's Google login cookies, while making the actual content providers into 3rd-parties?
Work update: Since last month, I’m the manager of WebKit Security & Privacy at Apple. Huge responsibility in this day and age, but it's the kind of challenge I like. Here’s a thread about this Silicon Valley team and jobs you can apply to today!
“The new tracking-free ad server was performing so well that NPO decided to abandon cookies entirely beginning in 2020. As of January, visitors aren’t even asked to opt in or out; the site simply doesn’t track anyone. The results have been striking.”
DuckDuckGo just released their own tracker list, ready to be used by privacy tools such as content blockers. They even open sourced the code that generates it, bringing transparency to how domains end up on their list:
Ten years at Apple today. 🎉❤️ What a journey. I’m so happy I took the chance and that my family took the leap of faith in moving to the US. Apple is a place where you can change the world for the better, and that’s what I’m focused on. Here’s to another amazing ten!
The long wait is over and the latest update to Safari's Intelligent Tracking Prevention is here: Full third-party cookie blocking and more. Safari users, welcome to the future and a safer web!
“[Google is] continuing to argue that third-party cookies are actually fine, and companies like Apple and Mozilla who would restrict trackers’ access to user data will end up harming user privacy. This argument is absurd.”
“WordPress announced today that they plan on treating Google's new FLoC tracking technology as a security concern and plans to block it by default on WordPress sites.”
“EU interior ministers want to exempt professional accounts of staff of intelligence agencies, police and military from the envisaged scanning of chats and messages. The regulation should also not apply to ‘confidential information’”
"Two years ago, Apple launched an aggressive battle against ads that track users across the web. Today executives in the online publishing and advertising industries say that effort has been stunningly effective"
Potential class-action lawsuit: "Google violated federal wiretap laws when it continued to collect information about what users were doing on the internet without their permission even though they were browsing in so-called private browsing mode"
“I deleted everything from Google I could find, restarted the computer, and it was like night-and-day. Everything was instantly and noticeably faster, and WindowServer CPU was well under 10% again.”
Pro tip: When you revise history and say “When other browsers started blocking third-party cookies by default, we were excited about the direction,” you first need to pay off the people who were in the W3C meeting in 2017 where you shared your “excitement.”
A day to celebrate – new installs of Firefox get cross-site tracking protection turned on by default! 🎉🎈🎂
Now two of the major browsers – Safari in 2017 and Firefox in 2019 – have decided that tracking should be opt in, not opt out:
3.5 years after I had to endure an ITP hate storm at W3C, including a TAG representative calling me stupid in public, Google has now said tracking prevention *is* key to the future of the web. The WebKit team’s love for the web is solid. We stood up to the bullies.
“Keeping the internet open and accessible for everyone requires all of us to do more to protect privacy — and that means an end to not only third-party cookies, but also any technology used for tracking individual people as they browse the web.”
Privacy protections, just like security protections, should be on by default.
Let me say that again.
Privacy protections, just like security protections, should be on by default.
I’ve spent my whole professional career making sure people are safe on the web. All kinds of people, not just specialists. I dream of not having to tell friends to stay vigilant when they browse.
Some interpret that as not wanting the web to succeed.
So let me say it: I ❤️ web
Zero mentioning of the fact that the Google AMP cache makes Google the (faux) first party of all those news links. First party as in unpartitioned cookie access.
I’m half Indian, half Swedish => more melanin. This created an issue for me throughout my upbringing in small town Sweden. I was called things including the N word and they made up stories about what we ate and that our townhouse had dirt floors.
All because of skin color.
Thanks everyone who attended my talk on web privacy at #usesec19. My demos worked – yay!
By the way, we *just* announced the WebKit Tracking Prevention Policy:
Brave on FLoC: 'In general, the idea that privacy is, and is only, the absence of cross-site tracking, is wrong. Any useful concept of privacy should include some concept of “don’t tell others things you know about me, without my permission.”'
Happy CCPA Day!
Californians now have the right to:
• Know what personal information (PI) is collected, used, shared, or sold
• Delete PI held by businesses & service providers
• Opt-out of sale of PI
• Non-discrimination in price & service when exercising CCPA privacy rights
Prediction: We will start talking about Privacy Herd Immunity.
Enough people need to opt out of data collection and profiling to make sure that models of human behavior cannot be created and applied to the rest of the population.
WebAuthn with a platform authenticator, i.e. private keys protected and managed by hardware security on-device? Yes.
Anonymous attestation so that WebAuthn doesn't become a cross-site tracking vector? Yes.
Face ID and Touch ID for the web? Yes.
“Google uses its dominance in schools to ‘spy’ on millions of future customers, tracking the digital lives of kids as early as kindergarten, a lawsuit filed by New Mexico's attorney general alleges.”
Happy New Year!
My decade in review:
• Had two kids 👧🏻👧🏼
• Got married 👰🏼
• Defended my PhD 🎩
• Released an EP and two singles 🎤
• Relocated 🇸🇪–>🇺🇸
• Joined
• Organized an OWASP AppSec 🤹🏻♀️
• Deleted the most tracker cookies in the world 🍪🌎
2020 will be awesome!
”Google continued collecting location data even when users turned off various location-sharing settings, made popular privacy settings harder to find, and even pressured LG and other phone makers into hiding settings precisely because users liked them”
The latest update to Safari's Intelligent Tracking Prevention is here: "CNAME Cloaking and Bounce Tracking Defense". CNAME cloaking defense is another Safari first.
ITP is enabled by default in all WKWebView apps for the newly announced releases. Apps can't disable it on their own but users can, just like in Safari. Check it out in the session "Discover WKWebView enhancements". The segment on privacy starts at 23:55.
"With iOS 14, iPadOS 14, and tvOS 14, you will need to receive the user’s permission through the AppTrackingTransparency framework to track them or access their device’s advertising identifier."
"When embedding a video using youtube·com, Google uses DoubleClick to track your users (…) When using youtube-nocookie·com, Google no longer uses DoubleClick to track your users."
Exciting news! Today's iOS/iPadOS betas have Private Click Measurement (PCM) enabled and it works for both web-to-web and app-to-web. PCM is a new, privacy-preserving way to measure click-through ad campaigns that navigate the user to a website.
Guess what just arrived at our house? I have to say the book looks gorgeous. The sales page goes live to subscribers tomorrow … together with my hacker review of The Matrix! –>
"Interestingly, none of the Chrome devs that I follow are saying anything about FLoC. They’re usually quite chatty about proposals for potential standards, but I suspect that this one might be embarrassing for them. It was a similar situation with AMP."
I don't get why people are celebrating the death of IE to such an extent. Its marketshare is long gone. I doubt the people posting have bothered with IE the last few years.
The fact that Microsoft gave up their independent web engine continues to be sad and bad for the web.
Mozilla flips the switch! “For today’s release, Enhanced Tracking Protection will automatically be turned on by default for all users worldwide as part of the ‘Standard’ setting in the Firefox browser and will block known ‘third-party tracking cookies’”
I wrote for hours today on the new MacBook Air M1. Browsed the web for research as I typically do. Plus some social media and some video clips. When I wrapped up, battery was at 93%. I didn’t even put it on the charger for tomorrow. 😮
We now have an explainer up for the proposed IsLoggedIn web API:
Please use the template for IsLoggedIn when filing issues, i.e. tap/click “New issue” and then “Raise an issue on the IsLoggedIn explainer.”
Tonight I for the first time realized that we might not be able to stay here. What’s left if democracy is overridden and the will of the people set aside?
I’m scared.
We’re lucky to have another democracy to relocate to and also the whole of EU open to us.
Privacy has to wait another year. 😔 At least for Chrome users.
“We now intend to begin phasing out third-party cookies in Chrome in the second half of 2024.”
Users deserve much better than full cross-site tracking by default. A sad day for the web.
@MSEdgeDev Chrome 62? Firefox 58? Safari 11? Regardless of who's responsible for updating this, that's not a meaningful comparison. At least put the years instead of version numbers there so that people understand you're comparing a 2020 browser with other browsers from 2017-2018.
The Edge team is landing the Storage Access API in Chromium which means we’ll get it in Edge and Brave. Hopefully also Chrome. 🎉
This is a critical piece of functionality for the modern web since it allows for authenticated embeds without requiring general 3rd-party cookies.
The beginnings of the Storage Access API landed in upstream Canary builds today! Plumbing needs to be run and strings will be tweaked, but we're excited for this to land in Chromium! Huge thanks to @johnwilander, @mikewest, and @ehsanakhgari for support + guidance!!
"Companies are starting to combine FLoC IDs with existing identifiable profile information, linking unique insights about people’s digital travels to what they already know about them, even before third-party cookie tracking could have revealed it."
Privacy for Chrome users will have to wait another two years. “Google has delayed a major privacy change to its Chrome browser, pushing back a plan to block third-party cookies until late 2023” I’m sad for people and for the web.
I used to stress out over people who are much smarter than me. I enjoyed their company but I felt powerless faced with their brain capacity.
Now, as years of actual work have passed, I know other traits are immensely powerful too. Creativity, ambition, and being nice are huge.
@nekrtemplar @romulof @xeenon It should never be referred to as a standard if it got proposed, got negative feedback from other vendors, and shipped anyway. It’s a single-browser feature. If you make it look like a standard and talk about it as a standard anyway, you’re “standards washing.”
This is bogus news. It makes me sad that people would even believe we would move to the worst engine for privacy after 16 years of fighting for web privacy with our own engine. You want perf, great battery life, great privacy, and a people-friendly vision? You want WebKit.
Tuesday at 4 pm is my #WWDC18 session on Securing Web Content: It’ll cover how to defend against XSS, CSRF, a compromised CDN, Spectre, and window control attacks. And at our labs we can discuss how it all fits with your specific setup and needs.
“The Danish Data Protection Agency has looked into the tool Google Analytics (…) On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully.”
“In the Mail app, Mail Privacy Protection stops senders from using invisible pixels to collect information about the user. The new feature helps users prevent senders from knowing when they open an email, and masks their IP address”