Hacker News

9 days ago by jefftk

Summary: Apple introduced PCM [1], and to keep people from using it for cross-site tracking it limits the bits available to a single site (as defined by the PSL). If shop-a.retail.example and shop-b.retail.example are completely separate, and don't want to compete for bits, Apple will still treat them as a single site unless retail.example is on the PSL. Being on the PSL is a big change (partitioned cookies, etc) but could be appropriate for different shops.

FB issued guidance suggesting domains like retail.example consider getting themselves added to the PSL, and now the PSL (a volunteer project) is getting a lot of requests. The PSL project has put these requests on hold, and asked FB and Apple to work this out. FB is talking to Apple in https://github.com/privacycg/private-click-measurement/issue...

[1] https://webkit.org/blog/11529/introducing-private-click-meas...

9 days ago by devrand

It sounds like there's two cases:

1. Multi-tenant domains that probably should've always been in the PSL (ex. to provide cookie silos) but are only realizing now that they should be in it due to the arrival of PCM.

2. Sites that want to abuse an eTLD to do something like give all users on their social network a custom subdomain so that they're not polluting the same pool.

--

I think it was actually reasonable for Apple to consider the PSL as it's basically the most comprehensive eTLD list that we have and would allow them to match browser behavior.

The problem now is that case (1) is sending a bunch of requests at once as something will now actually break for these sites. Before now it was really just them being lax with security and not considering that cookies should be siloed. This isn't a unique situation btw, PSL also saw a large increase in inclusion requests when LetsEncrypt added rate limits based on eTLDs.

(2) is obviously bad and there's really no other justification for these sites being in the PSL.

Therefore I think it's reasonable for PSL to deny inclusion requests that are solely for PCM reasons.

This all being said, the PSL is a massive hack [1] and really needs to be replaced by something else. It probably is about time for these companies to invest in a replacement.

[1]: https://github.com/sleevi/psl-problems

9 days ago by TechBro8615

Nice link to the GitHub issue which explains the problems clearly.

Can anyone explain why something like this wasn't implemented in the first place via DNS TXT records or tied to SSL somehow?

9 days ago by gumby

> Can anyone explain why something like this wasn't implemented in the first place via DNS TXT records or tied to SSL somehow?

The idea is to be able to use it without network access, such as looking for unstructured URLs in text (e.g. "get a discount code at example.com/hn-reader"), formatting a URL in a browser bar (e.g. put the non-eTLD+1 in bold, or at least show the site name properly and not abbreviate all UK sites to "co.uk") or managing the cookie name properly (again, so everyone in co.uk doesn't share the same cookie).

Presumption is that the eTLDs are a tiny fraction (by orders of magnitude) from the domains registered under them so this db doesn't have to get too large.

I am not sure how to manage these strings automatically without them being spammed. They aren't all under the control of the TLD administrators (com.au is but cheapo-shop-hosting.com.au is not).

9 days ago by merb

> 1. Multi-tenant domains that probably should've always been in the PSL (ex. to provide cookie silos) but are only realizing now that they should be in it due to the arrival of PCM.

uff, well I did not know about that list and we have a domain that uses multi-tenancy.

I mean I'm unsure to include it but it probably adds a security benefit, so that it is impossible to add bad cookies from subdomains.

edit: can't add it anyway I'm not sure but our provider only allows to renew for 1 year (I'm not sure if that is a tld limit, since I also do not see other additional domains with de inside the list)

9 days ago by ghughes

That thread between FB & Apple is fascinating. The potential solutions being discussed have significant implications:

1. Apple: "not support eTLDs in PCM and only support TLDs" - so no more ad attribution for multi-tenant domains.

2. Facebook: "some sort of vetting process to determine who is using subdomains in a way that is aligned with the intended purpose of the PSL" - so Apple takes over the PSL inclusion process and institutes strict vetting to prevent abuse of PCM, which would presumably take months to implement.

This looks like a serious design problem with no solution that could be implemented before ATT drops.

9 days ago by 3np

> That would cause tremendous harm to all the small businesses who operate on subdomains of TLDs like myshopify, and for what?

This was the giveaway that it was an FB person. Parts of that comment are verbatim from FB propaganda ads[0]. Maybe that awkward video from ~last month[1] was targeted more at aligning FB employees internally around the message, not the general public.

[0] https://www.bloomberg.com/news/articles/2020-12-16/facebook-...

[1] Which I can’t find now

9 days ago by jefftk

> This was the giveaway that it was an FB person.

I mean, they also say "Facebook finds itself in the position of trying to help advertisers navigate Apple’s ATT changes - answering a wide variety of questions. We ..." I think everyone involved knows this is an issue from FB?

9 days ago by ankmathur96

Do you have an actual response to this point or are you just criticizing that multiple people made that same argument?

9 days ago by geocar

These people believe they’re lucky to work at a place like Facebook, and after reading some of these asinine comments, I'm inclined to agree.

The idea that they shit in the pool and get the swimmers to defend them sounds crazy, but people do defend Facebook’s doo-doo, and it makes sense that if you’re already covered in shit, it’s probably easier to pay people like this to walk around with shit all over themselves and say with a straight face “Apple should pay for our shit” than I ever thought.

9 days ago by donmcronald

The biggest problem is that no matter what “scale” of tracking is tolerable on a single domain / subdomain, Facebook still gets the aggregate.

So if you fix it for small multi-tenant domains, nothing changes for Facebook and they still get all the aggregate data, right?

There’s going to be a lot of collateral damage before ads and tracking get fixed IMO.

9 days ago by cma

ATT?

9 days ago by Zelphyr

App Tracking Transparency

9 days ago by wdb

After limited reading on the subject only the quoted issue.

Maybe shops like Etsy or Shopify should make tracking a premium benefit that is possible when getting your own domain :) Feels like an upsell opportunity to me

9 days ago by rectang

PSL: Public Suffix List

https://publicsuffix.org/

> A "public suffix" is one under which Internet users can (or historically could) directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. The Public Suffix List is a list of all known public suffixes.

> The Public Suffix List is an initiative of Mozilla, but is maintained as a community resource.

9 days ago by fotta

> It is inappropriate for presence or absence in PSL to be used by Facebook as a means to include or reject entries due to the IOS14 change, as PSL is not any form of security screen whatsoever, and the volunteer team maintaining the PSL is receiving the burden of being a sieve for the changes on interaction between those systems, which is taxing our resources.

> The ONLY validation performed by PSL volunteers and Github process to add listing in the PSL is to check that a DNS entry is added by the domain administrator that can be tied to, and this can be completely illusory and lite in reality in contrast to perhaps the desired level of security that had been intended between Facebook Pixel and Apple.

> We are freezing the approval of new submissions that cite the FB / IOS 14 interop issue in order to provide Facebook or Apple, with a much more robust set of resources, the opportunity to sort this out amongst/betwixt themselves.

https://github.com/publicsuffix/list/issues/1245#issuecommen...

~~Seems like FB was abusing the work of volunteers here as a reaction to changes in iOS 14.~~ I don't see why they can't run their own PSL a la NTP servers.

edit: Seems like Apple was the one to declare PSL as canonical.

9 days ago by marketingtech

Apple is the company that declared this the canonical Public Suffix List. Facebook is just directing their customers towards it. "If you need to be considered a public suffix for Apple's new policy, you'll need to send your pull request to this repo."

9 days ago by HappyTypist

Apple should be officially supporting this project and turn it into an independent, but full-time gig. If the maintainers decline, Apple should hire someone to manage their own.

9 days ago by fotta

Ah I just read the links in jefftk's comment and it seems like you're right.

9 days ago by tialaramex

The existence of multiple independent definitions for eTLD+1 would be very likely to create security holes, via a Confused Deputy-type scenario.

If I was a security researcher, or a blackhat, and I found that bar.example is on the Mozilla PSL, and so Firefox considers foo.bar.example and quux.bar.example to be separate sites - while it isn't on the Apple PSL and so Apple's APIs treat foo.bar.example and quux.bar.example as parts of the same site (or vice versa), then I know I'm going to find weird bugs where Apple and the Firefox browser understand things about these two names differently and I can likely exploit that.

The preference from PSL team members is to do less with this hack over time, to put it behind us. But alas instead it motivates people to turn a hand-wavy notion "You know, a web site" into further reliance on the PSL instead of actually building a robust solution to their problem.

This is particularly inexcusable from Apple because it's not like Apple is hurting for resources. If they actually wanted to solve problems, they could put the work in; so I think we can conclude they weren't much interested in solving the problem, only as usual in ensuring somebody else takes the blame.
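
Added example (not part of any comment in this thread): a minimal Python sketch of public-suffix matching, showing how the same two hostnames become one site or two depending on whether `retail.example` is listed. That is both the PCM situation in jefftk's summary and the list-divergence risk described in the comment above. The rule sets are constructed for illustration and the function names are hypothetical; the real list is published at https://publicsuffix.org/.

```python
from itertools import combinations

# Constructed rule sets (not the real list). "*." is a wildcard rule,
# "!" marks an exception to a wildcard rule.
BASE_RULES = {"com", "uk", "co.uk", "*.ck", "!www.ck"}
WITH_TENANT = BASE_RULES | {"retail.example"}  # multi-tenant domain listed

def _labels(host):
    return host.lower().rstrip(".").split(".")

def public_suffix(host, rules):
    """Longest matching rule wins; an exception rule beats everything;
    with no match the default rule '*' applies (the last label)."""
    labels = _labels(host)
    best = 1  # default rule "*"
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        n = len(labels) - i
        if "!" + candidate in rules:
            # Exception: the suffix is the rule minus its leftmost label.
            return ".".join(labels[i + 1:])
        wildcard = "*." + ".".join(labels[i + 1:]) if n > 1 else None
        if candidate in rules or (wildcard is not None and wildcard in rules):
            best = max(best, n)
    return ".".join(labels[-best:])

def site(host, rules):
    """eTLD+1 (registrable domain), or None if host is itself a suffix."""
    labels = _labels(host)
    n = len(public_suffix(host, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])

def same_site(a, b, rules):
    sa, sb = site(a, rules), site(b, rules)
    return sa is not None and sa == sb

def disagreements(hosts, rules_a, rules_b):
    """Host pairs that one list groups into a site and the other splits.
    Each pair is a place where two consumers of different lists would
    draw the cookie / measurement boundary differently."""
    return [(a, b) for a, b in combinations(hosts, 2)
            if same_site(a, b, rules_a) != same_site(a, b, rules_b)]

if __name__ == "__main__":
    hosts = ["shop-a.retail.example", "shop-b.retail.example", "www.bbc.co.uk"]
    for h in hosts:
        print(h, "->", site(h, BASE_RULES), "|", site(h, WITH_TENANT))
    print("divergent pairs:", disagreements(hosts, BASE_RULES, WITH_TENANT))
```

Running `disagreements` over your own hostnames against two snapshots of the list (for example the copy bundled in a client and the current upstream copy) is a quick way to audit where site boundaries would differ.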

9 days ago by NovemberWhiskey

>edit: Seems like Apple was the one to declare PSL as canonical.

Dependency on the Public Suffix List is already baked into essentially 100% of the global browser market for purposes like control of setting cookies - I'm not sure Apple made it any more 'canonical' by depending on it here.

5 days ago by user3939382

It kind of reminds me of the manually-shared HOSTS.TXT list of domain names before we had DNS, and seems like a problem we also need formal infrastructure to solve long term.

9 days ago by marketingtech

This is a result of Apple limiting the entropy of marketing data that can be received from a domain (defined as an eTLD+1) to 6 bits.

This causes problems for platforms like Shopify or marketplaces like Alibaba or eBay that may have multiple sellers trying to run ads on a domain and competing for the same small pool of entropy.

This solution? Leverage the "public suffix" list to define your domain as an eTLD and give every seller a separate subdomain so that everyone gets their own data entropy namespace.

Now every hosting provider or online marketplace is scrambling to re-architect their site into subdomains with public suffixes to maintain the status quo.

9 days ago by tekstar

Pretty much all Shopify shops have their own domains, only a minority drive traffic to their .myshopify.com subdomain

9 days ago by bredren

I was a bit surprised that a shopify biz that could not be bothered to use its own domain would be very concerned about monitoring ad performance.

Seems someone would first effect to have a better branded site. As in, a decent TLD.

And that if anything, this is a kick in the pants of an ecommerce site to get its own domain(s) to deal with this.

Do I have that right?

9 days ago by 43920

There's probably a decent number of sites that get most/all of their traffic from impulse purchases off of Facebook ads, and who have no actual branding. Obviously they should go ahead and just get a domain name, but they likely haven't had any reason to care up until this point either.

9 days ago by cblconfederate

Maybe shopify domains have better SEO than randomwebsite.com

9 days ago by simlevesque

Well, I could own google.myshopify.com and be happy with it but have no way to buy the .com

9 days ago by gsnedders

> This causes problems for platforms like Shopify or marketplaces like Alibaba or eBay that may have multiple sellers trying to run ads on a domain and competing for the same small pool of entropy.

This is essentially https://github.com/privacycg/private-click-measurement/issue....

Effectively it boils down to, "how can you distinguish the seller from the website owner?", if you want to give both seller and website owner entropy.

9 days ago by 3np

> One thing that will not change is the existence of small businesses; in particular, small merchants who do not have their own eTLD+1 registered. Registering an eTLD+1, and hosting a website specific to your business is a pretty high bar to demand of all businesses.

Benjamin Savage is with FB I assume...? Registering a domain name should be table stakes if you want to run a business and have ad tracking with increased entropy online.

Is it reasonable to deny access to individuals without a phone number but unreasonable to give less ad tracking entropy to businesses without their own domain? Something about mosquitoes and camels there, no?

If a business cares more than 10$/year, registering a domain is a no-brainer. “Small businesses” are just being pawns in the chess game here - I’m yet to see a legit “small business” owner who cares or thinks this is an actual issue

9 days ago by FemmeAndroid

This followup issue seems to have a more clear writeup, especially for someone like me who is a bit out of the loop when it comes to the PSL:

https://github.com/privacycg/private-click-measurement/issue...

9 days ago by djrogers

While it does have quite a bit of details, this followup issue is clearly written by someone from FB or one of the other AdCos who wants to point the finger back at Apple. The tone and wording used here is rather rich and entitled.

9 days ago by pandemicsyn

you're not joking: https://github.com/privacycg/private-click-measurement/issue...

> Who will vet such a list continuously at a global scale?

> Apple should.

> Apple created this issue in the first place. The need for multi-tenant websites to add themselves to the PSL exists only because of the PCM design decision to limit measurement to registrable domains. The urgency exists because Apple's planned ATT enforcement.

9 days ago by wffurr

They seem to think that people can’t really “opt out” of “tracking” (scare quotes theirs). Talk about entitled.

9 days ago by dialtone

The quotes are entirely appropriate because adding some domain to the PSL makes the subdomains siloed cookie-wise so they can't share cookies and the PSL cannot use cookies anymore. Since they can't share cookies you can't track across even the same domain when added to the PSL.

This is a feature needed for sites like Rakuten, Shopify, Alibaba that have multiple merchants under the same domains.

Nothing to do with entitlement.

9 days ago by romanhn

Ben Savage is a pretty high-level engineer from Facebook's Ads org

9 days ago by dswalter

According to the comments in the history of that user on Github, it is someone who claims to be an engineer from Facebook in an earlier post: https://github.com/WICG/trust-token-api/issues/28#issue-6447...

9 days ago by marketingtech

This is fascinating to see Apple and Facebook engineers politely yet publicly arguing over potential technical implementations of Apple's privacy policies.

9 days ago by tgragnato

Benjamin Savage doesn’t look polite to me. Is it because I’m not a native speaker?

9 days ago by Doctor_Fegg

You're right, it's not that polite. "If Apple can develop a scaled process to review the millions of apps submitted to the Apple store, surely it is also capable of reviewing the few dozen multi-tenant domains that exist on the internet" is very passive-aggressive.

9 days ago by vHMtsdf

The linked discussion makes me wonder, how much of our existence on the internet is just an unintended consequence of some minor engineering decision? Whim of an unknown engineer creating or destroying million dollar industries down the line...

9 days ago by lmb

Seems like the right move from a volunteer run project, what will the future hold though? Artificial scarcity is always a problem.

On another note, for just 20k$ I can offer you exclusive use of the xxgfzrf.dinglebop.me Public Suffix so that you can keep tracking your users. Please reach out to sales@example.com if you are interested.

9 days ago by dialtone

It's interesting because being added to the PSL reduces your ability to track users. So yeah, I have a bridge to sell you, interested?

9 days ago by djrogers

> being added to the PSL reduces your ability to track users

Not really, in fact it can increase your ability to track users if it's (ab)used in specific ways - see use case #2 and #3 here:

https://github.com/privacycg/private-click-measurement/issue...

9 days ago by dialtone

There's an approval process to be added to the PSL so abuses would be quite surprising and easy to remove when discovered.

9 days ago by devrand

To make things worse, it's basically impossible to remove a domain from the PSL as no one knows how software built against the PSL would handle it. A removal could break a tremendous amount of software that people rely on.

9 days ago by pornel

Reminder that the Public Suffix List is a non-scalable hack, and platforms should be reducing their reliance on it, not increase it:

https://github.com/sleevi/psl-problems

9 days ago by dwaite

It doesn't really propose an alternative to the PSL for 'same site' behavior, instead just pushes for 'same origin' (aka exact match) behavior.

I would agree that e.g. Apple would be better to support both same-site and same-origin, and say, clobber PCM if it receives a request for one after it has already received a request for the other.

9 days ago by gruez

Can someone provide more context here? How does being added to the PSL affect tracking? Why are businesses adding themselves to the PSL en masse?

9 days ago by twobitshifter

PSL is used to determine the level that a unique domain is registered at. This restricts cookies and privileges to that domain. It’s just a simple list because both .com and .co.uk are valid suffixes. iOS 14 is using this list to prevent apps from tracking you across sites by limiting the data that can be stored per site. If you can get your domain recognized as a suffix as mysite.com then you can split information between all higher level domains. client1.mysite.com and client2.mysite.com. This allows you to store as much information as you want.

9 days ago by TechBro8615

The PSL has always been a giant hack and totally unmaintainable in the long term. It's only a matter of time before someone mistakenly relying on it for security purposes gets owned by a rogue PR. Also, as mentioned in some of these issues, browsers don't even update it on any sort of guaranteed schedule.

9 days ago by jakear

The fun thing is you can s/PSL/DNS/g and the statement still holds. Same for BGP
