You down with ITP?

Building and keeping trust among web users is paramount to publishers and content creators alike, and many people feel betrayed when their web activity and private data are acquired by third parties without consent. The developers at WebKit, the browser engine that powers Safari, have worked towards improving security by reducing cross-site tracking for a long time now. When they first introduced Intelligent Tracking Prevention (ITP) back in June 2017, it required users to actually interact with a third party in a first-party context (like clicking on a banner ad) in order for the domain to harvest data. There was a 24-hour grace period for single-sign-on cookies. After 24 hours, cookies were partitioned for 30 days and then purged. However, trackers were quickly able to poke holes in this framework, leading WebKit to establish more aggressive methods to reduce trackers’ ability to establish user identities across different sites. With the release of ITP 2.1, now on beta releases of iOS 12.2 and Safari 12.1 on macOS High Sierra and Mojave, both third-party and first-party cookies are affected.

While WebKit’s goal to entirely eliminate cross-site tracking is ultimately a win for privacy and security, ITP 2.1 will potentially affect site owners who use first-party cookies for legitimate purposes, such as analytics. So, site owners beware: In Safari 12.1, all persistent client-side cookies are now capped to 7 days of storage, down from 2 years. This affects all cookies created through document.cookie, including the cookie set in the browser by Google Analytics.

Simo Ahava, Google Developer Expert for Google Analytics, sums up the problem in his excellent article, ITP 2.1 and Web Analytics, as follows:

  • “Day 1: User visits www.simoahava.com, the _ga cookie is written on simoahava.com. It is set at a 7-day expiry (rather than the 2 years that analytics.js defaults to).”
  • “Day 3: User visits blog.simoahava.com. The _ga cookie is found on simoahava.com, so its value is available to blog.simoahava.com, and the 7-day expiry is reset.”
  • “Day 13: User visits www.simoahava.com. The _ga cookie has expired, so a new Client ID is generated in a new _ga cookie, and the visitor is treated as a new user in Google Analytics.”

This presents an obvious problem for site owners who need to accurately track new unique users. A secondary problem is that users may be automatically logged off if a site’s authentication cookies are not set to Secure and HttpOnly. However, if properly configured (i.e. not created through document.cookie), authentication cookies will not be subject to the 7-day expiry, and this won’t be an issue.

To recap, the original ITP had few implications for Google Analytics users, as GA operates in a first-party context and ITP only prevented third-party cookies from cross-site tracking. Now that first-party cookies are also affected, site owners will need to implement workarounds until GA addresses the issue. As of April 2019, Google has not released a statement addressing how it plans to work with ITP 2.1, but it’s likely that they (along with other analytics vendors) will eventually engineer a long-term solution.

In the meantime, Ahava summarizes a few potential workarounds that could be considered. In brief:

  • “If you are tracking just root domains and do not need cross-subdomain tracking to work without explicit linker parameters, you can use the localStorage workaround. See this chapter for more information.”
  • “If you think Safari has a big enough share of your traffic to seriously impact your data quality, you should look into writing the _ga cookie using HTTP cookies. See here for a recap.”
  • “Follow John Wilander on Twitter.” (ed. John Wilander is the Apple WebKit Engineer behind Safari’s Intelligent Tracking Prevention.)
  • “Await an official announcement from Google (or whatever your favorite analytics vendor is) on how they intend to tackle ITP’s stranglehold on cookies written with document.cookie.”
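
As an added example (not code from Simo Ahava’s article or from Alley), here is one way a server could re-issue the _ga cookie in an HTTP response, so that it is no longer a cookie created through document.cookie. The value pattern, the `example.com` domain, the function names and an HTTPS-only site are assumptions.

```javascript
// Added example: refresh _ga from the server as an HTTP cookie.
// Assumption: GA_PATTERN matches the usual "GA1.<depth>.<id>.<timestamp>" shape.
const TWO_YEARS_SECONDS = 60 * 60 * 24 * 365 * 2; // analytics.js default lifetime
const GA_PATTERN = /^GA1\.\d{1,2}\.\d{1,10}\.\d{1,10}$/;

// Parse a Cookie request header into a prototype-free object.
// The first occurrence of a name wins, as most servers treat duplicates.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name && !(name in jar)) jar[name] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Build the Set-Cookie value that re-issues _ga, or return null when the
// cookie is missing or malformed. `domain` comes from server configuration,
// never from the request.
function refreshGaCookie(cookieHeader, domain) {
  const value = parseCookies(cookieHeader)._ga;
  // Validate before echoing a client-supplied value into a response header;
  // this rejects CR/LF and anything else outside the expected shape.
  if (typeof value !== 'string' || !GA_PATTERN.test(value)) return null;
  return [
    `_ga=${value}`,
    `Domain=${domain}`,
    'Path=/',
    `Max-Age=${TWO_YEARS_SECONDS}`,
    'Secure',
    'SameSite=Lax',
    // No HttpOnly here: analytics.js still has to read _ga in the browser.
  ].join('; ');
}

// Hypothetical wiring inside a Node http handler:
//   const header = refreshGaCookie(req.headers.cookie, 'example.com');
//   if (header) res.setHeader('Set-Cookie', header);
```

Authentication cookies differ from _ga in that they can and should carry HttpOnly, because no page script needs to read them.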

At Alley, we value the balance between user security and privacy and publishers’ legitimate need to gather useful analytics. If you have questions on implementing workarounds for ITP 2.1, please get in touch with us on Twitter. For more detailed information, please check out Simo Ahava’s blog and, as he suggests, follow John Wilander on Twitter.