Aral Balkan

Mastodon icon RSS feed icon

Apple just killed Offline Web Apps while purporting to protect your privacy: why that’s A Bad Thing and why you should care

A wood carving, colourised with a blue tint, of a woman throwing the baby out with the bathwater

Apple just threw the baby out with the bathwater by killing offline web apps (purportedly to protect your privacy).

Blocking third-party cookies, good. Killing offline web apps, bad.

On the face of it, WebKit’s announcement yesterday titled Full Third-Party Cookie Blocking and More sounds like something I would wholeheartedly welcome. Unfortunately, I can’t because the “and more” bit effectively kills off Offline Web Apps and, with it, the chance to have privacy-respecting apps like the prototype I was exploring earlier in the year based on DAT.

Block all third-party cookies, yes, by all means1. But deleting all local storage (including Indexed DB, etc.) after 7 days effectively blocks any future decentralised apps using the browser (client side) as a trusted replication node in a peer-to-peer network. And that’s a huge blow to the future of privacy.

But Apple cares about your privacy…

Do they, though?

If they care about your privacy, why is the Apple News app a sewer of surveillance capitalism? If they did care about your privacy, here’s what they’d do:

  1. Implement all of the privacy protections they have in Safari in the Apple News app also.

  2. Allow content blockers like Better to protect your privacy in Apple News app.

Heck, they could even go further and ban apps from corporations like Facebook, Inc., and Alphabet, Inc., that have violating your privacy as the core tenet of their business model.

Instead, what do they do? They kill offline web apps.

You’d almost think they had an App Store to promote or something.

A reevaluation

In a blog post I wrote at the start of 2015 titled Apple vs Google on privacy: a tale of absolute competitive advantage, I said:

So riddle me this: if you have an absolute competitive advantage – if you have something that you can do that your competitors cannot – would you throw it away?

Only if you’re an idiot.

And something tells me Tim Cook isn’t an idiot.

Sadly, I was wrong.

Update (25 March, 9PM)

Looks like Apple updated their post (thanks for the heads up, Xerz!) to add the following:

A Note On Web Applications Added to the Home Screen

As mentioned, the seven-day cap on script-writable storage is gated on “after seven days of Safari use without user interaction on the site.” That is the case in Safari. Web applications added to the home screen are not part of Safari and thus have their own counter of days of use. Their days of use will match actual use of the web application which resets the timer. We do not expect the first-party in such a web application to have its website data deleted.

If your web application does experience website data deletion, please let us know since we would consider it a serious bug. It is not the intention of Intelligent Tracking Prevention to delete website data for first parties in web applications.

Now I’m confused and have questions:

Take Jim Pick’s excellent Collaborative Shopping List Built On Dat

  1. If I use the app in Safari on iOS without adding it to Home Screen and leave it for seven days, will my shopping list be deleted?

  2. If I do the same thing on Safari for macOS (which doesn’t have a Home Screen), will my shopping list be deleted?

I really hope this was just a badly-thought out decision (this is your out guys, take it) and that it will be reversed entirely.

Andre Garzia has also written on the subject in a post titled Private client-side-only PWAs are hard, but now Apple made them impossible. Go read that one too.

Like this? Fund us!

Small Technology Foundation is a tiny, independent not-for-profit.

We exist in part thanks to patronage by people like you. If you share our vision and want to support our work, please become a patron or donate to us today and help us continue to exist.

  1. Not that blocking third party cookies is going to kill off surveillance capitalism by any means. Remember that Google is on board with this and plans to implement it themselves by 2022. Which means that by that date they don’t foresee themselves needing third-party cookies to track you. ↩︎