WebKit security engineer John Wilander explains how Safari’s new Intelligent Tracking Prevention feature works:
A machine learning model is used to classify which top privately-controlled domains have the ability to track the user cross-site, based on the collected statistics. Out of the various statistics collected, three vectors turned out to have strong signal for classification based on current tracking practices: subresource under number of unique domains, sub frame under number of unique domains, and number of unique domains redirected to. All data collection and classification happens on-device.
Cookies are then distributed into “buckets” and their behaviour is adjusted based on the user’s interaction with the first- and third-party domains. I’m curious to see how well this works over time, particularly when it’s faced with tracking scripts like those from Criteo and AdRoll, which re-route Safari users’ traffic through their tracking domains in order to create a pseudo first-party interaction.
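The three statistics named in the quoted passage, tallied per domain over constructed observation records, including the redirect-through pattern mentioned above. This is an added example, not WebKit's code. The record shape, the function names and the rule that same-site events are skipped are assumptions, and the classifier itself is not described on this page, so it is not modelled.

```javascript
// Added example: constructed observations, not WebKit's data format.
// Assumption: every domain below is already a registrable domain (eTLD+1).
const observations = [
  { type: "subresource", domain: "tracker.example", firstParty: "news.example" },
  { type: "subresource", domain: "tracker.example", firstParty: "shop.example" },
  { type: "subresource", domain: "tracker.example", firstParty: "blog.example" },
  { type: "subresource", domain: "tracker.example", firstParty: "news.example" }, // repeat
  { type: "subframe", domain: "tracker.example", firstParty: "news.example" },
  { type: "subframe", domain: "tracker.example", firstParty: "shop.example" },
  { type: "subresource", domain: "news.example", firstParty: "news.example" }, // same-site
  // Redirect-through pattern: navigations bounced via one domain to many sites.
  { type: "redirect", domain: "bounce.example", to: "shop.example" },
  { type: "redirect", domain: "bounce.example", to: "travel.example" },
  { type: "redirect", domain: "bounce.example", to: "shop.example" }, // repeat
];

// Which set each observation type feeds.
const FIELD_FOR_TYPE = new Map([
  ["subresource", "subresourceUnder"],
  ["subframe", "subframeUnder"],
  ["redirect", "redirectedTo"],
]);

// Returns Map: domain -> three sets of unique counterpart domains.
function collectStatistics(records) {
  const stats = new Map();
  for (const r of records) {
    const field = FIELD_FOR_TYPE.get(r.type);
    if (!field) throw new Error(`unknown observation type: ${r.type}`);
    const other = r.type === "redirect" ? r.to : r.firstParty;
    if (!other || other === r.domain) continue; // assumption: only cross-site events count
    if (!stats.has(r.domain)) {
      stats.set(r.domain, { subresourceUnder: new Set(), subframeUnder: new Set(), redirectedTo: new Set() });
    }
    stats.get(r.domain)[field].add(other); // sets keep the counts unique
  }
  return stats;
}

// Flattens each domain to [subresource-under, subframe-under, redirected-to] counts.
function featureVectors(records) {
  const out = {};
  for (const [domain, s] of collectStatistics(records)) {
    out[domain] = [s.subresourceUnder.size, s.subframeUnder.size, s.redirectedTo.size];
  }
  return out;
}

console.log(featureVectors(observations));
```

The embedded domain scores on the first two counts while the bounce domain scores only on the third, which is why the quoted passage treats redirects as a separate vector.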