We research. You level up.
Protect your devices, your data, and your privacy—at home or on the go.
“Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected.”
Featured Event: RSA 2021
Activate Malwarebytes Privacy on Windows device.
Cybersecurity Month: Save 25% on EP and EDR for your business – BUY NOW
Is Apple’s Safari browser the last, best hope for web privacy?
Privacy
Posted: by
What browser do you use?
There’s a good chance—roughly one in seven—that it’s Google Chrome. And even if you prefer a different browser, there’s a good chance that you’re using something that’s based on Google Chrome, such as Edge, Vivaldi, Chromium, Brave, or Opera.
After a decade and and a half of relatively healthy competition between vendors, the World Wide Web is trending towards a browser monoculture. We’ve been there before and history suggests it’s bad news.
Last time it was Microsoft in the driver’s seat, and open standards and security were left tumbling about in the rear without a seat belt. This time Google has its hands on the wheel, and it’s our privacy in the back seat, being taken for a ride.
Chrome needs a counterweight and, thankfully, it still has one in Apple’s Safari browser. It’s imperfect, for sure, and its glacial pace of development might even be holding us all up, as Scott Gilbertson thoughtfully illustrated in a recent article on The Register. But it might also be the last, best hope for browser privacy we have.
Hear me out…
Google Chrome first appeared in 2008 and rapidly established itself as a browser that couldn’t be ignored, thanks to some catchy marketing on Google’s massive advertising platform. It was an excellent product with a ravenous appetite for market share, and its noisy focus on speed and security forced its rivals to take notice and compete on the same terms. Everyone benefitted.
And because none of the major browser vendors had enough market share to “embrace, extend and extinguish“, as Microsoft had attempted when Internet Explorer was dominant, everyone was forced to follow the same open standards. This meant that web applications mostly worked the same way, no matter what browser you used.
However, as Chrome’s popularity increased, Google was able to exert more and more influence on the web in service of its ad-based business model, to the detriment of users’ privacy.
For example, in 2016 Google introduced AMP, a set of web standards that were designed to make websites faster on mobile devices. In a move that could have come straight out of Redmond circa 1996, the AMP rulebook was written by Google and varied wildly from the open standards everyone had been working towards for the past fifteen years or so.
AMP was superficially open, but there was no AMP without Google. To use AMP your pages had to load code from Google-owned domains, debugging your code required Google-owned tools, your pages were stored in a Google-owned cache, and they were displayed under a Google-owned domain, so that users weren’t really on your website anymore, they were looking at your web pages on Google, thank you very much.
To incentivise the use of AMP, Google leveraged its search monopoly by creating “reserved” slots at the top of its mobile search rankings that were only available to AMP pages. If you wanted to top the search rankings, you had to play the AMP game.
Google pulled another bullish move in 2018 when it decided that logging into and out of a Google website like GMail or YouTube was the same as logging into the Chrome browser, because it could. So instead of being logged into the giant surveillance monster while you were using its websites, you were logged into the giant surveillance monster all the time, unless you remembered to log out of the browser, which of course you didn’t, because people just don’t think about logging in and out of their browser.
And then this year we had a great illustration of the bind that Google’s in even when it tries to do the right thing. It’s got the message that users want less tracking and more privacy, but unlike Firefox and Safari, Chrome can’t simply block the third-party cookies used for tracking, because Google’s advertising business model (and therefore Chrome’s very existence) depends on them.
Chrome is planning to ban third-party cookies, but not until at least 2023—years after Safari—because it needs to establish a replacement tracking tech.
The replacement is called Federated Learning of Cohorts (FLoC), and it’s designed to thread the needle of enabling targeted ads while keeping users anonymous, by lumping similar users into great big groups, called Cohorts. It may yet deliver ads that disrespect your privacy less, but it’s a brand new technology and it’s off to a slow, rocky start.
FLoC shows us why even a benign Google monoculture would hold back user privacy, and why Chrome needs a counterweight.
On the face of it, Microsoft seems a good potential counterweight to Google (stop sniggering at the back, a counterweight doesn’t need to be perfect, it just needs to have different weaknesses and be hard to kill).
Everyone who uses Windows gets its browser for free, and Microsoft has been happy to use privacy as a stick to beat its rival when it suits. For example, when it launched Internet Explorer 10, Microsoft enabled the nascent Do Not Track feature by default, a pro-privacy step that it knew Google couldn’t follow without cutting off its ad revenue. (Admittedly, it probably crashed the entire Do Not Track program in the process, but it was a terrible idea that was never going to work.)
Unfortunately, Microsoft handed in its big stick when it adopted Chrome as the basis for its own Edge browser, effectively removing one of the last pillars holding up the open standards-based web.
Mozilla Firefox is my favourite browser and I would love to be talking it up as a potential counterweight to Chrome. After all, it walks the walk in terms of pro-privacy features, and it has already ended one browser monopoly, in 2002, when it emerged to challenge Internet Explorer’s lazy grip on the web.
Unfortunately, as good as it is, Firefox is on shaky ground. It costs a fortune to keep Firefox in the browser game, and the vast majority of the money it needs comes from Google, which pays hundreds of millions of dollars a year for the privilege of being Firefox’s default search engine. The deal is up in 2023 and Firefox’s market share is dwindling.
Our counterweight can’t stand in Google’s way while also depending on its largesse.
Apple’s Safari is very much the “also ran” in the pantheon of modern browsers. It has never been cutting edge, or coveted, it’s only ever been, well, there. It isn’t my favourite browser. It’s not even my second favourite browser.
Gilbertson’s Register article rightly points out that Safari is a laggard when it comes to new features, saying “Apple’s Safari lags considerably behind its peers in supporting web features … well behind the competition”. But how much does that matter, really? The web was mostly feature complete years ago, and modern web standards are often complex definitions of things that almost nobody needs.
It may be a bit “low energy”, but we don’t actually need Safari to be better than Chrome at web standards, or to become the best, or the most popular browser, it just needs to be good where Chrome is bad, too big to ignore, and unlikely to fail.
Well, Apple is good where Google is bad: It’s business model doesn’t rely on advertising, so it can be unabashedly pro-privacy. And it’s been pro-privacy long enough for us to judge it on its track record, which is actually pretty good, recent hiccups notwithstanding.
For example, where Chrome can’t afford to block third-party cookies for another year or more, Safari has been going one better since 2017, when it introduced Intelligent Tracking Protection, a clever box of tricks that blocks other forms of cross-site tracking. And there’s plenty more besides.
And, yes, Safari is currently too big to ignore, and even getting a bit bigger. In fact it’s the only major browser that’s gained market share since the arrival of Chrome.
Statcounter puts Safari’s share of the desktop browser market at a steady 9.5 percent, and its share of the mobile browser market at about 25. Even its modest share of the desktop market is too large to be ignored by anyone serious about building a web app, but it’s the iPhone that’s most likely to be a thorn in the side of anyone thinking of ignoring Apple’s browser.
According to Statista, the iPhone had a 14 percent global market share in the second quarter of 2021, but its data also shows that the iPhone’s global market share jumps to 20 percent in the last quarter of each and every year, presumably because of Christmas sales. This speaks to the platform’s continued desirability, which has always been Apple’s bulwark against cheaper and more capable competitors.
iPhone users also spend more money than Android users, and in rich countries like the USA, where you’ll find enormous software markets and lots of startups, the iPhone has a whopping 50 percent of the market or more.
The people who build the websites you use like Apple, and whether you like it or not, that matters.
When it comes to protecting privacy on the web, the most important thing might be the phones in the pockets of the web developers and the CEO.
SHARE THIS ARTICLE
COMMENTS
RELATED ARTICLES
Mac | Malwarebytes news
November 12, 2021 – It’s rare for Apple to walk back changes, but in October its new line of MacBook Pros did just that.
Exploits and vulnerabilities
October 27, 2021 – Apple has issued updates for iOS 14.8.1 iPadOS 14.8.1, iOS 15.1, and iPadOS 15.1. We take a look at some of the patched vulnerabilities.
Malwarebytes news
October 14, 2021 – Apple expert Thomas Reed learned a lot about Apple’s attitude to security at the Objective by the Sea security conference.
Malwarebytes news
October 12, 2021 – Our Apple expert Thomas Reed went to the Objective by the Sea security conference. Here’s what he learned about macOS attacks.
Privacy
September 14, 2021 – Apple has released updates for iOS, MacOS, and WatchOS to combat an in-the-wild exploit called “FORCEDENTRY”.
ABOUT THE AUTHOR

Silouette of person
Contributors

Malware
Threat Center

Malwarebytes Podcast
Podcast

Book with bookmark
Glossary

Suspicious person
Scams

Pencil
Write for Labs

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.
Imagine a world without malware. We do.
FOR PERSONAL
FOR BUSINESS
COMPANY
ABOUT US
CAREERS
NEWS AND PRESS
MY ACCOUNT
SIGN IN
CONTACT US
GET SUPPORT
CONTACT SALES
© All Rights Reserved
Select your language
Cybersecurity basics
Your intro to everything relating to cyberthreats, and how to stop them.

source