Facebook will nur Daten haben um Werbung zu verkaufen. … Sollen sie Geld für die Apps nehmen und die Nutzer nicht an Facebook verkaufen. Man weiß ja gar nicht wo Facebook überall drin ist.

I. INTRODUCTION

[…]

Safari defaults to a choice of start page that prefetches pages from multiple third parties (Facebook, Twitter etc, sites not well known for being privacy friendly) and so potentially allows them to load pages containing identifiers into the browser cache. Start page aside, Safari otherwise made noextraneous network connections and transmitted no persistent identifiers, but allied iCloud processes did make connections containing identifiers.

[…]

V. DATA TRANSMITTTED ON BROWSER STARTUP

[…]

D. Apple Safari
Figure 6(a) shows the connections reported by appFirewall when a fresh install of Safari is first started and left sittingat the startup window shown in Figure 6(b). By default Safari displays a “favorites” page. Resources are fetched for each of the 12 services displayed. This results in numerous connections being made, most of which respond with multiple set-cookie headers. These cookies are scrubbed and not resent in later requests to the prefetched pages. However, we also saw evidence of embedding of identifiers within the prefetched html/javascript, which may then be passed as parameters (rather than as cookies) in requests generated by clicking on the displayed icon.

Once startup was complete, the URL http://leith.ie/nothingtosee.html was pasted into the browser top bar. In addition to connections to leith.ie this action also consistently generated a connection to configuration.apple.com by processcom.apple.geod e.g.


This extra connection sent no identifiers.

Safari was then closed and reopened. No data is transmitted on close. On reopen Safari itself makes no network connections (the leith.ie page is displayed, but has been cached and so no network connection is generated) but a related processnsurlsessiond consistently connects to gateway.icloud.com onbehalf of com.apple.SafariBookmarksSyncAgent e.g.


This request transmits an X-CloudKit-UserId header valuewhich appears to be a persistent identifier that remains constantacross restarts of Safari. Note that iCloud is not enabledon the device used for testing nor has bookmark syncingbeen enabled, and never has been, so this connection isspurious. From discussions with Apple it appears this requestis unexpected and so may well be a bug.

In summary, Safari defaults to a choice of start page that leaks information to third parties and allows them to cache prefetched content without any user consent. Start page aside, Safari otherwise appears to be quite a quiet browser, making no extraneous network connections itself in these tests and transmitting no persistent identifiers. However, allied processes make connections which appear unnecessary.

We have proposed to Apple that (i) they change Safari’s default start page and (ii) unnecessary network connections by associated processes are avoided.

[…]

[b]VII. DATA TRANSMITTTED BY SEARCH AUTOCOMPLETE[/b]

[…]

In this section we look at the network connections made by browsers as the user types in the browser top bar. As before, each browser is launched as a fresh install but now rather than pasting http://leith.ie/nothingtosee.html into the top ba rthe text leith.ie/nothingtosee.html is typed into it. We try to keep the typing speed consistent across tests.

In summary, Safari has the most aggressive autocomplete behaviour, generating a total of 32 requests to both Google and Apple. However, the requests for Google contain no identifier and those to Apple contain only an ephemeral identifier (which is reset every 15 mins). Chrome is the next most aggressive, generating 19 requests to a Google server and these include an identifier that persists across browser restarts. Firefox is significantly less aggressive, sending no identifiers with requests and terminating requests after the first word, so generating a total of 4 requests to Google. Better still, Brave disables autocomplete by default and sends no requests at allas a user types in the top bar.

In light of these measurements and the obvious privacy concerns they create, we have proposed to the browser developers that on first start users be given the option to disable search autocomplete.

[…]

VIII. CONCLUSIONS

[…]
Safari defaults to a choice of start page that potentially leaks information to multiple third parties and allows them to preload pages containing identifiers to the browser cache. Safari otherwise made no extraneous network connections and transmitted no persistent identifiers, but allied iCloud processes did make connections containing identifiers.
[…]

Start page aside, Safari otherwise appears to be quite a quiet browser,

In the first (most private) group lies Brave, in the second Chrome, Firefox and Safari and in the third (least private) group lie Edge and Yandex.
Used “out of the box” with its default settings Brave is by far the most private of the browsers studied. We did not find any use of identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with backend servers.