Frame-14

Privacy Ninja

        • DATA PROTECTION

        • Email Spoofing Prevention
        • Check if your organization email is vulnerable to hackers and put a stop to it. Receive your free test today!
        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • AntiHACK Phone
        • Boost your smartphone’s security with enterprise-level encryption, designed by digital forensics and counterintelligence experts, guaranteeing absolute privacy for you and up to 31 others, plus a guest user, through exclusive access.

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$3,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Secure your digital frontiers with our API penetration testing service, meticulously designed to identify and fortify vulnerabilities, ensuring robust protection against cyber threats.

        • Network Penetration Testing
        • Strengthen your network’s defenses with our comprehensive penetration testing service, tailored to uncover and seal security gaps, safeguarding your infrastructure from cyber attacks.

        • Mobile Penetration Testing
        • Strengthen your network’s defenses with our comprehensive penetration testing service, tailored to uncover and seal security gaps, safeguarding your infrastructure from cyber attacks.

        • Web Penetration Testing
        • Fortify your web presence with our specialized web penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats.

        • RAPID DIGITALISATION

        • OTHERS

Mozilla Flooded With Requests After Apple Privacy Changes Hit Facebook

Mozilla Flooded With Requests After Apple Privacy Changes Hit Facebook

Mozilla volunteers have recently been flooded with online merchants and marketers’ requests for their domains to be added to what’s called a Public Suffix List (PSL).

Public Suffix List (PSL) is an initiative of the Mozilla community volunteers to maintain a list of top-level domains (TLDs) and domains that should be treated as one to prevent the mixing of cookies between distinct domains.

That is because cookies set at a domain level could be used to on all of its subdomains, even if the subdomains are not related to each other or owned by the same organization.

Although maintained by Mozilla’s open-source community volunteers, the list is honored by various apps and projects and helps them distinguish between a separate TLD/suffix and a subdomain.

However, recent privacy enhancements brought forth by Apple have led to online marketers flooding Mozilla with requests for their domains to be added to the list after Facebook suggested this as a remedy for the newer privacy enhancements.

Apple’s iOS 14.5 hits online ads, merchants, and analytics

Recently, Apple introduced a new privacy feature in version 14.5 of iOS, iPadOS, and tvOS, which asks users to grant permissions to apps or websites that track them.

Apps and websites tracking users by collecting specific data also need to comply with Apple’s App Tracking Transparency (ATT) framework.

Apple iPhone privacy feature
iOS 14.5 users prompted to grant permission to an app or website tracking them via cookies
Source: Apple

The policies introduced by Apple’s ATT framework forbid data collection and sharing unless users explicitly opt-in to enable tracking (cookies) on devices running iOS 14.5.

But, as more and more users opt-out of tracking on Apple devices, online ad networks and stores will be limited in serving ads or collecting personalization and analytics data from users, impacting businesses.

Also Read: PDPA Singapore Guidelines: 16 Key Concepts For Your Business

Since Facebook Pixel, Facebook’s analytics platform, was also impacted by these changes introduced by Apple, Facebook proposed some workarounds that online businesses could use.

For businesses interested in delivering ads optimized for conversion events, Facebook’s advice was for businesses to verify their domains.

But the company added, they would also respect domains included in Mozilla’s Public Suffix List (PSL).

“This would enable businesses to verify their eTLD+1 domains if the hosting domain (eTLD) is registered in the Public Suffix List.”

“For example, if ‘myplatform.com’ is a registered domain to the Public Suffix List, then an advertiser ‘jasper’ with the subdomain ‘jasper.myplatform.com’ would be able to verify ‘jasper.myplatform.com’,” explained Facebook.

However, according to Mozilla, an earlier version of the page had Facebook mistakenly imply PSL as a potential remedy.

In simple words, PSL exists so that cookies from different domains are not mixed up or become accessible by domains they shouldn’t be accessible to.

This is because there is no authoritative way on the internet of knowing what is a proper Top-level domain (TLD) and what is a sub-domain.

An example is, the .uk and .co.uk TLD extensions. co.uk is not a “.uk” (sub)domain of but a separate TLD. 

As such, cookies set for *.uk domains, should not be accessible by *.co.uk domains.

And, that is the original purpose of PSL—it helps apps, web browsers, and services parsing PSL make the distinction between what qualifies as a separate TLD and what is a mere subdomain.

For example, web browsers will not accept cookies being set by a server for any domain present on the PSL, since the “domain” is now treated as a public suffix (or TLD).

A snippet from the latest copy of PSL is shown below:

mozilla psl
A snippet from the Mozilla Public Suffix List (PSL), as of today

Mozilla’s PSL volunteers swamped with requests

Soon after Facebook stated that domains in the PSL would be honored as a part of their domain verification process, online store owners rushed to flood the maintainers of the grand old PSL with requests to have their domains added.

Multiple issue threads spun up on GitHub have PSL maintainers raising their concerns and even rejecting requests [1234].

As a result of Apple’s ATT framework, online advertisers, such as those using Facebook’s pixel-based tracking mechanism for measuring conversions, might find their cookies blocked.

This could greatly impact (reduce) the efficacy of ad targeting and performance measurement in some cases, mainly for eCommerce platforms that allow a lot of distinct subdomains for every storefront.

For example, booksforcheap.shopnow.comfamilypizza.shopnow.commidnightcookies.shopnow.com, and so on.

Benjamin Savage, a Facebook engineer, explained that PCM could not be supported by Facebook as of this time by taking Etsy and its merchants as an example:

“We can’t support these merchants using ‘Private Click Measurement’ right now. The way the spec is currently written, ALL ads that run on facebook.com and direct to ANY part of etsy.com would be eligible to take credit for ANY conversion fired from ANY part of etsy.com.”

“Unfortunately, this is not a particularly useful statistic for the individual merchants who sell their wares on etsy.com,” explained Savage.

The addition of etsy.com to PSL, in this example, will ensure the subdomains are treated as separate properties (origins) and allow different store owners to individually collect metrics, such as Private Click Measurement (PCM) specific to their store.

But, this was never the original purpose of the PSL.

Also Read: Practitioner Certificate In Personal Data Protection: Everything You Need To Know

A Mozilla representative told BleepingComputer:

“The Public Suffix List was started by Mozilla many years ago to identify domains that are actually not standalone domains but suffixes like co.uk or tokyo.jp.”

“Today, the maintainers are, simply volunteers from the Web community. Naturally, more volunteers are always welcome!”

“But the best thing that companies can do to support this project is, understand whether or not it’s appropriate for them to request additions to the list.”

“A surprising number of people and projects depend on this dataset, and mistakenly adding a domain to the list can quite often lead to unexpected issues down the road,” a Mozilla spokesperson told BleepingComputer.

A PSL volunteer and gTLD industry expert Jothan Frakes told BleepingComputer that PSL is a group of volunteers that are helping maintain a widely used resource, and don’t want to get swamped by a thundering herd of requests that may or may not have been appropriate, to begin with:

“We at PSL often get a first request from a new submitter, followed by getting questions, then refinements once they see a change is needed, so each request can take a cumulative amount of time.”

“The validation process takes some time as well.  Someone can break their expected cookie behavior in the first request unintentionally if they don’t understand what they are asking for – and there’s no SLAs or other things involved, other than to ensure that a person is in fact [the] operator of a domain that they submit by checking in DNS for a specific record tied to the pull request,” Frakes explained to BleepingComputer in an email interview.

All of this can put a considerable burden on the PSL community of volunteers.

Frakes stated that he is a big fan of what Apple is striving to achieve with these newly introduced privacy enhancements but hoped that this issue could be worked out in the near future.

BleepingComputer contacted Apple and Facebook for comment well in advance of publishing this article, but we have not heard back.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us