• jefftk 6 days ago
    Summary: Apple introduced PCM [1], and to keep people from using it for cross-site tracking it limits the bits available to a single site (as defined by the PSL). If shop-a.retail.example and shop-b.retail.example are completely separate, and don't want to compete for bits, Apple will still treat them as a single site unless retail.example is on the PSL. Being on the PSL is a big change (partitioned cookies, etc) but could be appropriate for different shops.

    FB issued guidance suggesting domains like retail.example consider getting themselves added to the PSL, and now the PSL (a volunteer project) is getting a lot of requests. The PSL project has put these requests on hold, and asked FB and Apple to work this out. FB is talking to Apple in https://github.com/privacycg/private-click-measurement/issue...

    [1] https://webkit.org/blog/11529/introducing-private-click-meas...

    • devrand 6 days ago
      It sounds like there's two cases:

      1. Multi-tenant domains that probably should've always been in the PSL (ex. to provide cookie silos) but are only realizing now that they should be in it due to the arrival of PCM.

      2. Sites that want to abuse an eTLD to do something like give all users on their social network a custom subdomain so that they're not polluting the same pool.


      I think it was actually reasonable for Apple to consider the PSL as it's basically the most comprehensive eTLD list that we have and would allow them to match browser behavior.

      The problem now is that case (1) is sending a bunch of requests at once as something will now actually break for these sites. Before now it was really just them being lax with security and not considering that cookies should be siloed. This isn't a unique situation btw, PSL also saw a large increase in inclusion requests when LetsEncrypt added rate limits based on eTLDs.

      (2) is obviously bad and there's really no other justification for these sites being in the PSL.

      Therefore I think it's reasonable for PSL to deny inclusion requests that are solely for PCM reasons.

      This all being said, the PSL is a massive hack [1] and really needs to be replaced by something else. It probably is about time for these companies to invest in a replacement.

      [1]: https://github.com/sleevi/psl-problems

      • TechBro8615 6 days ago
        Nice link to the GitHub issue which explains the problems clearly.

        Can anyone explain why something like this wasn't implemented in the first place via DNS TXT records or tied to SSL somehow?

        • gumby 6 days ago
          > Can anyone explain why something like this wasn't implemented in the first place via DNS TXT records or tied to SSL somehow?

          The idea is to be able to use it without network access, such as looking for unstructured URLs in text (e.g. "get a discount code at example.com/hn-reader"), formatting a URL in a browser bar (e.g. put the non-eTLD+1 in bold, or at least show the site name properly and not abbreviate all UK sites to "co.uk") or managing the cookie name properly (again, so everyone in co.uk doesn't share the same cookie).

          Presumption is that the eTLDs are a tiny fraction (by orders of magnitude) from the domains registered under them so this db doesn't have to get too large.

          I am not sure how to manage these strings automatically without them being spammed. They aren't all under the control of the TLD administrators (com.au is but cheapo-shop-hosting.com.au is not).

        • merb 6 days ago
          > 1. Multi-tenant domains that probably should've always been in the PSL (ex. to provide cookie silos) but are only realizing now that they should be in it due to the arrival of PCM.

          uff, well I did not know about that list and we have a domain that uses multi-tenancy.

          I mean I'm unsure to include it but it probably adds a security benefit, so that it is impossible to add bad cookies from subdomains.

          edit: can't add it anyway I'm not sure but our provider only allows to renew for 1 year (I'm not sure if that is a tld limit, since I also do not see other additional domains with de inside the list)

        • ghughes 6 days ago
          That thread between FB & Apple is fascinating. The potential solutions being discussed have significant implications:

          1. Apple: "not support eTLDs in PCM and only support TLDs" - so no more ad attribution for multi-tenant domains.

          2. Facebook: "some sort of vetting process to determine who is using subdomains in a way that is aligned with the intended purpose of the PSL" - so Apple takes over the PSL inclusion process and institutes strict vetting to prevent abuse of PCM, which would presumably take months to implement.

          This looks like a serious design problem with no solution that could be implemented before ATT drops.

          • 3np 6 days ago
            > That would cause tremendous harm to all the small businesses who operate on subdomains of TLDs like myshopify, and for what?

            This was the giveaway that it was an FB person. Parts of that comment are verbatim from FB propaganda ads[0]. Maybe that awkward video from ~last month[1] was targeted more at aligning FB employees internally around the message, not the general public.

            [0] https://www.bloomberg.com/news/articles/2020-12-16/facebook-...

            [1] Which I can’t find now

            • jefftk 5 days ago
              > This was the giveaway that it was an FB person.

              I mean, they also say "Facebook finds itself in the position of trying to help advertisers navigate Apple’s ATT changes - answering a wide variety of questions. We ..." I think everyone involved knows this is an issue from FB?

              • ankmathur96 5 days ago
                Do you have an actual response to this point or are you just criticizing that multiple people made that same argument?
                • geocar 5 days ago
                  These people believe they’re lucky to work at a place like Facebook, and after reading some of these asinine comments, I'm inclined to agree.

                  The idea that they shit in the pool and get the swimmers to defend them sounds crazy, but people do defend Facebook’s doo-doo, and it makes sense that if you’re already covered in shit, it’s probably easier to pay people like this to walk around with shit all over themselves and say with a straight face “Apple should pay for our shit” than I ever thought.

                • donmcronald 6 days ago
                  The biggest problem is that no matter what “scale” of tracking is tolerable on a single domain / subdomain, Facebook still gets the aggregate.

                  So if you fix it for small multi-tenant domains, nothing changes for Facebook and they still get all the aggregate data, right?

                  There’s going to be a lot of collateral damage before ads and tracking get fixed IMO.

                  • cma 6 days ago
                • wdb 5 days ago
                  After limited reading on the subject only the quoted issue.

                  Maybe shops like Etsy or Shopify should make tracking a premium benefit that is possible when getting your own domain :) Feels like an upsell opportunity to me

                • rectang 6 days ago
                  PSL: Public Suffix List


                  > A "public suffix" is one under which Internet users can (or historically could) directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. The Public Suffix List is a list of all known public suffixes.

                  > The Public Suffix List is an initiative of Mozilla, but is maintained as a community resource.

                  • fotta 6 days ago
                    > It is inappropriate for presence or absence in PSL to be used by Facebook as a means to include or reject entries due to the IOS14 change, as PSL is not any form of security screen whatsoever, and the volunteer team maintaining the PSL is receiving the burden of being a sieve for the changes on interaction between those systems, which is taxing our resources.

                    > The ONLY validation performed by PSL volunteers and Github process to add listing in the PSL is to check that a DNS entry is added by the domain administrator that can be tied to, and this can be completely illusory and lite in reality in contrast to perhaps the desired level of security that had been intended between Facebook Pixel and Apple.

                    > We are freezing the approval of new submissions that cite the FB / IOS 14 interop issue in order to provide Facebook or Apple, with a much more robust set of resources, the opportunity to sort this out amongst/betwixt themselves.


                    ~~Seems like FB was abusing the work of volunteers here as a reaction to changes in iOS 14.~~ I don't see why they can't run their own PSL a la NTP servers.

                    edit: Seems like Apple was the one to declare PSL as canonical.

                    • marketingtech 6 days ago
                      Apple is the company that declared this the canonical Public Suffix List. Facebook is just directing their customers towards it. "If you need to be considered a public suffix for Apple's new policy, you'll need to send your pull request to this repo."
                      • HappyTypist 6 days ago
                        Apple should be officially supporting this project and turn it into an independent, but full-time gig. If the maintainers decline, Apple should hire someone to manage their own.
                        • fotta 6 days ago
                          Ah I just read the links in jefftk's comment and it seems like you're right.
                        • tialaramex 6 days ago
                          The existence of multiple independent definitions for eTLD+1 would be very likely to create security holes, via a Confused Deputy-type scenario.

                          If I was a security researcher, or a blackhat, and I found that bar.example is on the Mozilla PSL, and so Firefox considers foo.bar.example and quux.bar.example to be separate sites - while it isn't on the Apple PSL and so Apple's APIs treat foo.bar.example and quux.bar.example as parts of the same site (or vice versa), then I know I'm going to find weird bugs where Apple and the Firefox browser understand things about these two names differently and I can likely exploit that.

                          The preference from PSL team members is to do less with this hack over time, to put it behind us. But alas instead it motivates people to turn a hand-wavy notion "You know, a web site" into further reliance on the PSL instead of actually building a robust solution to their problem.

                          This is particularly inexcusable from Apple because it's not like Apple is hurting for resources. If they actually wanted to solve problems, they could put the work in; so I think we can conclude they weren't much interested in solving the problem, only as usual in ensuring somebody else takes the blame.

                          • >edit: Seems like Apple was the one to declare PSL as canonical.

                            Dependency on the Public Suffix List is already baked into essentially 100% of the global browser market for purposes like control of setting cookies - I'm not sure Apple made it any more 'canonical' by depending on it here.

                            • user3939382 1 day ago
                              It kind of reminds me of the manually-shared HOSTS.TXT list of domain names before we had DNS, and seems like a problem we also need formal infrastructure to solve long term.
                          • marketingtech 6 days ago
                            This is a result of Apple limiting the entropy of marketing data that can be received from a domain (defined as an eTLD+1) to 6 bits.

                            This causes problems for platforms like Shopify or marketplaces like Alibaba or eBay that may have multiple sellers trying to run ads on a domain and competing for the same small pool of entropy.

                            This solution? Leverage the "public suffix" list to define your domain as an eTLD and give every seller a separate subdomain so that everyone gets their own data entropy namespace.

                            Now every hosting provider or online marketplace is scrambling to re-architect their site into subdomains with public suffixes to maintain the status quo.

                            • tekstar 6 days ago
                              Pretty much all Shopify shops have their own domains, only a minority drive traffic to their .myshopify.com subdomain
                              • bredren 6 days ago
                                I was a bit surprised that a shopify biz that could not be bothered to use its own domain would be very concerned about monitoring ad performance.

                                Seems someone would first effect to have a better branded site. As in, a decent TLD.

                                And that if anything, this is a kick in the pants of an ecommerce site to get its own domain(s) to deal with this.

                                Do I have that right?

                                • 43920 6 days ago
                                  There's probably a decent number of sites that get most/all of their traffic from impulse purchases off of Facebook ads, and who have no actual branding. Obviously they should go ahead and just get a domain name, but they likely haven't had any reason to care up until this point either.
                                  • cblconfederate 6 days ago
                                    Maybe shopify domains have better SEO than randomwebsite.com
                                    • bredren 6 days ago
                                      This is a good point. It looks like google treats subdomains as internal links to the main domain. No idea if they treat myshopify.com this way.

                                      FWIW, it looks like a 301 to a new domain should transfer the seo juice. If the site is valuable, a new domain should stand up pretty well. It also decamps from myshopify.

                                      This all seems more valuable to the store owner, but I get why people would want to avoid all those changes and just try to figure out the thing "Apple is making them do."

                                    • simlevesque 6 days ago
                                      Well, I could own google.myshopify.com and be happy with it but have no way to buy the .com
                                      • Macha 6 days ago
                                        Just suck it up and buy google-calculatorstore.com or whatever - if you're happy with the myshopify domain you clearly don't care _that_ much.

                                        Of course, that specific example, since Google is trademarked and well known might get you on the wrong end of Shopify's ToS or a UDRP request either way.

                                  • gsnedders 6 days ago
                                    > This causes problems for platforms like Shopify or marketplaces like Alibaba or eBay that may have multiple sellers trying to run ads on a domain and competing for the same small pool of entropy.

                                    This is essentially https://github.com/privacycg/private-click-measurement/issue....

                                    Effectively it boils down to, "how can you distinguish the seller from the website owner?", if you want to give both seller and website owner entropy.

                                    • 3np 6 days ago
                                      > One thing that will not change is the existence of small businesses; in particular, small merchants who do not have their own eTLD+1 registered. Registering an eTLD+1, and hosting a website specific to a your business is a pretty high bar to demand of all businesses.

                                      Benjamin savage is with FB I assume...? Registering a domain name should be table stakes if you want to run a business and have ad tracking with increased entropy online.

                                      Is it reasonable to deny access to individuals without a phone number but unreasonable to give less ad tracking entropy to businesses without their own domain? Something about mosquitoes and camels there, no?

                                      If a business cares more than 10$/year, registering a domain is a no-brainer. “Small businesses” are just being pawns in the chess game here - I’m yet to see a legit “small business” owner who cares or thinks this is an actual issue

                                  • FemmeAndroid 6 days ago
                                    This followup issue seems to have a more clear writeup, especially for someone like me who is a bit out of the loop when it comes to the PSL:


                                    • djrogers 6 days ago
                                      While it does have quite a bit of details, this followup issue is clearly written by someone from FB or one of the other AdCos who wants to point the finger back at Apple. The tone and wording used here is rather rich and entitled.
                                      • pandemicsyn 6 days ago
                                        you're not joking: https://github.com/privacycg/private-click-measurement/issue...

                                        > Who will vet such a list continuously at a global scale?

                                        > Apple should.

                                        > Apple created this issue in the first place. The need for multi-tenant websites to add themselves to the PSL exists only because of the PCM design decision to limit measurement to registrable domains. The urgency exists because Apple's planned ATT enforcement.

                                        • wffurr 6 days ago
                                          They seem to think that people can’t really “opt out” of “tracking” (scare quotes theirs). Talk about entitled.
                                          • dialtone 6 days ago
                                            The quotes are entirely appropriate because adding some domain to the PSL makes the subdomains siloed cookie-wise so they can't share cookies and the PSL cannot use cookies anymore. Since they can't share cookies you can't track across even the same domain when added to the PSL.

                                            This is a feature needed for sites like Rakuten, Shopify, Alibaba that have multiple merchants under the same domains.

                                            Nothing to do with entitlement.

                                            • kelnos 6 days ago
                                              FB seems to believe they are entitled to the ability to track people on iOS. Apple is under no obligation to allow that.
                                              • dialtone 6 days ago
                                                Apple literally built a feature that requires addition to PSL to support a usecase that was addressed multiple times in the PrivacyCG meetings. How is this entitlement, they are following the Apple requirements.
                                                • slenk 5 days ago
                                                  Another thing that would follow Apple's requirements is just buying myweirdwebsite.com
                                                  • ankmathur96 5 days ago
                                                    The entire point of these generated subdomains is that you do not have to buy a domain name...
                                                    • kalleboo 5 days ago
                                                      If you're at the point you're spending money on ads and need to track them, you can spend $10 on a domain name? Lots of these platforms also give away free domain names.
                                                      • ankmathur96 5 days ago
                                                        It's not about whether or not it's foolish - the point is buying and setting up a subdomain, handling SEO, etc. is often more complex than some small business owners want to deal with.
                                                      • slenk 5 days ago
                                                        Which seems foolish if a company is serious about tracking revenue...
                                            • romanhn 6 days ago
                                              Ben Savage is a pretty high-level engineer from Facebook's Ads org
                                              • dswalter 6 days ago
                                                According to the comments in the history of that user on Github, it is someone who claims to be an engineer from Facebook in an earlier post: https://github.com/WICG/trust-token-api/issues/28#issue-6447...
                                                • dkonofalski 6 days ago
                                                  Seriously. I can see reasons that aren't entirely altruistic for Apple in trying to increase these privacy protections but trying to offload it back to Apple as if Facebook's abuse of consumer data isn't the real reason for this is ridiculous.
                                                • marketingtech 6 days ago
                                                  This is fascinating to see Apple and Facebook engineers politely yet publicly arguing over potential technical implementations of Apple's privacy policies.
                                                  • tgragnato 5 days ago
                                                    Benjamin Savage doesn’t look polite to me. Is it because I’m not a native speaker?
                                                    • Doctor_Fegg 5 days ago
                                                      You're right, it's not that polite. "If Apple can develop a scaled process to review the millions of apps submitted to the Apple store, surely it is also capable of reviewing the few dozen multi-tenant domains that exist on the internet" is very passive-aggressive.
                                                  • vHMtsdf 6 days ago
                                                    The linked discussion makes me wonder, how much of our existence on the internet is just an unintended consequence of some minor engineering decision? Whim of an unknown engineer creating or destroying million dollar industries down the line...
                                                  • lmb 6 days ago
                                                    Seems like the right move from a volunteer run project, what will the future hold though? Artificial scarcity is always a problem.

                                                    On another note, for just 20k$ I can offer you exclusive use of the xxgfzrf.dinglebop.me Public Suffix so that you can keep tracking your users. Please reach out to sales@example.com if you are interested.

                                                    • dialtone 6 days ago
                                                      It's interesting because being added to the PSL reduces your ability to track users. So yeah, I have a bridge to sell you, interested?
                                                      • djrogers 6 days ago
                                                        > being added to the PSL reduces your ability to track users

                                                        Not really, in fact it can increase your ability to track users if it's (ab)used in specific ways - see use case #2 and #3 here:


                                                        • dialtone 6 days ago
                                                          There's an approval process to be added to the PSL so abuses would be quite surprising and easy to remove when discovered.
                                                          • iudqnolq 6 days ago
                                                            This entire discussion is literally about how that's not the case.
                                                      • devrand 6 days ago
                                                        To make things worse, it's basically impossible to remove a domain from the PSL as no one knows how software built against the PSL would handle it. A removal could break a tremendous amount of software that people rely on.
                                                      • pornel 6 days ago
                                                        Reminder that the Public Suffix List is a non-scalable hack, and platforms should be reducing their reliance on it, not increase it:


                                                        • dwaite 5 days ago
                                                          It doesn't really propose an alternative to the PSL for 'same site' behavior, instead just pushes for 'same origin' (aka exact match) behavior.

                                                          I would agree that e.g. Apple would be better to support both same-site and same-origin, and say, clobber PCM if it receives a request for one after it has already received a request for the other.

                                                        • gruez 6 days ago
                                                          Can someone provide more context here? How does being added to the PSL affect tracking? Why are businesses adding themselves to the PSL en masse?
                                                          • twobitshifter 6 days ago
                                                            PSL is used to determine the level that a unique domain is registered at. This restricts cookies and privileges to that domain. It’s just a simple list because both .com and .co.uk are valid suffixes. iOS 14 is using this list to prevent apps from tracking you across sites by limiting the data that can be stored per site. If you can get your domain recognized as a suffix as mysite.com then you can split information between all higher level domains. client1.mysite.com and client2.mysite.com. This allows you to store as much information as you want.
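
The site-boundary computation discussed in this thread, as an added example that is not part of any comment here: a simplified Public Suffix List matcher showing how listing `retail.example` (the placeholder name from the top comment) splits its subdomains into separate sites, blocks a shared cookie, and makes two consumers with different lists disagree. The rule sets are constructed for illustration, not the real list, and all function names are hypothetical.

```javascript
"use strict";

// Constructed rule sets. LISTED is BASE plus the multi-tenant domain.
const BASE = ["com", "example", "uk", "co.uk", "*.ck", "!www.ck"];
const LISTED = BASE.concat(["retail.example"]);

function toLabels(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".");
}

// PSL matching: an exception rule ("!") overrides everything, otherwise the
// matching rule with the most labels wins; the implicit default rule is "*".
function publicSuffix(host, rules) {
  const labels = toLabels(host);
  let suffixLen = 1; // default rule "*": the last label alone is a suffix
  for (const raw of rules) {
    const isException = raw.startsWith("!");
    const ruleLabels = (isException ? raw.slice(1) : raw).split(".");
    if (ruleLabels.length > labels.length) continue;
    const tail = labels.slice(labels.length - ruleLabels.length);
    const matches = ruleLabels.every((r, i) => r === "*" || r === tail[i]);
    if (!matches) continue;
    if (isException) {
      suffixLen = ruleLabels.length - 1; // drop the rule's leftmost label
      break;
    }
    suffixLen = Math.max(suffixLen, ruleLabels.length);
  }
  return labels.slice(labels.length - suffixLen).join(".");
}

// eTLD+1: the public suffix plus one more label, or null if the host
// is itself a public suffix.
function registrableDomain(host, rules) {
  const labels = toLabels(host);
  const suffixLen = publicSuffix(host, rules).split(".").length;
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// Two hosts are one "site" when they share a registrable domain.
function sameSite(a, b, rules) {
  const ra = registrableDomain(a, rules);
  return ra !== null && ra === registrableDomain(b, rules);
}

// Simplified cookie Domain check: the attribute must cover the host
// and must not be a public suffix.
function cookieDomainAllowed(host, domainAttr, rules) {
  const d = domainAttr.toLowerCase().replace(/^\./, "");
  const h = host.toLowerCase();
  const covers = h === d || h.endsWith("." + d);
  return covers && publicSuffix(d, rules) !== d;
}

// Host pairs on which two consumers with different lists disagree.
function disagreements(pairs, listA, listB) {
  return pairs.filter(
    ([a, b]) => sameSite(a, b, listA) !== sameSite(a, b, listB)
  );
}

const pairs = [
  ["shop-a.retail.example", "shop-b.retail.example"],
  ["a.example.co.uk", "b.example.co.uk"],
];
for (const [name, rules] of [["BASE", BASE], ["LISTED", LISTED]]) {
  console.log(name, {
    site: registrableDomain("shop-a.retail.example", rules),
    shopsShareSite: sameSite(...pairs[0], rules),
    sharedCookieAllowed: cookieDomainAllowed(
      "shop-a.retail.example", "retail.example", rules),
  });
}
console.log("lists disagree on:", disagreements(pairs, BASE, LISTED));
```
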
                                                            • TechBro8615 6 days ago
                                                              The PSL has always been a giant hack and totally unmaintainable in the long term. It's only a matter of time before someone mistakenly relying on it for security purposes gets owned by a rogue PR. Also, as mentioned in some of these issues, browsers don't even update it on any sort of guaranteed schedule.
                                                              • jakear 6 days ago
                                                                The fun thing is you can s/PSL/DNS/g and the statement still holds. Same for BGP
                                                                • therealx 6 days ago
                                                                  BGP and DNS survive due to relative obscurity, despite everyone using it in some way. Web devs do not give a shit about BGP (sadly.)
                                                          • sergiotapia 6 days ago
                                                            So much brain power and work wasted on this ad bullshit
                                                            • amelius 6 days ago
                                                              Yes and ads also stimulate over-consumption which hurts the planet.

                                                              The solution is to block all ads, or even better, ban them.

                                                            • layoutIfNeeded 6 days ago
                                                              Why are we using a centralized list for determining who's an eTLD and who's not? Why don't we store this metadata in the actual DNS records?
                                                              • throw14082020 6 days ago
                                                                What is a PSL inclusion request? Public Suffix List?
                                                                • pugworthy 6 days ago
                                                                  Same question - what is PSL?

                                                                  My best guess at the moment is Public Suffix List.

                                                                • towaytie4567 5 days ago
                                                                  As an aside, it's insane that decisions of such import are being made by folks working at a couple of large US companies. This is going to impact users and small businesses across the world. Where is the representation from African/Indian/Chinese businesses and technologists? This would require the big tech cos to truly be interested in "diversity" of course, instead of the lip-service they pay to it in practice.
                                                                  • kogir 6 days ago
                                                                    Isn’t the easiest solution here for companies to register their own domain? Why be company.service.tld and not just company.tld? What are these businesses doing for email?
                                                                    • mrweasel 6 days ago
                                                                      In this case I think the issue is trackers. If you owned a retargeting or tracking service, you might have customer1.retargetting.com and customer2.retargetting.com. Apple will now see these as being the same site, unless individually registered in PSL. This limits the amount of data that can be aggregated by retargetting.com, unless each subdomain is added to PSL.
                                                                      • 3np 5 days ago
                                                                        I think this is it - the only "small businesses" I see being actually hurt (as opposed to slightly inconvenienced) by this would be retargeting and tracking companies.
                                                                      • donmcronald 6 days ago
                                                                        Yes, it is. The main reason I can think of for using subdomains would be for super low value content that isn’t worth $10-30 / year for a real domain.

                                                                        There could also be a setup / maintenance angle I guess. Specifying a big list of custom domains is more work than *.example.com.

                                                                        • mangosquash 6 days ago
                                                                          I work on digital advertising for a franchise where each individual store manages their own shopify site at location.franchise.com. Soon, these sites won't be able to run ads that track purchases, unless franchise.com is added to this list.

                                                                          I understand the PSL managers' position that this is an unfair burden to place on them though.

                                                                          • donmcronald 6 days ago
                                                                            Yeah, I didn’t quite understand it correctly at first. That’s a really good example of a legit use case that’s collateral damage from Apple vs Facebook.

                                                                            I can think of other issues now too. For example, I think government services should be structured as subdomains instead of each department registering a separate domain. This will encourage the use of separate domains if they need to track effectiveness and that’s bad IMO. We don’t want to normalize stuff like irsonline.com because of the boost it gives phishing.

                                                                            There’s definitely two sides to this one.

                                                                            • local_dev 6 days ago
                                                                              >these sites won't be able to run ads that track purchases

                                                                              Isn't that part of the purpose of the changes that Apple is making? As a user, this seems like a great change. Less tracking is a positive.

                                                                              • donmcronald 6 days ago
                                                                                Yeah, but if they’re talking about physical location franchises individually owned by local residents (there are a lot), the tracking they want to do probably isn’t nearly as pervasive as Facebook as a whole.

                                                                                For example, each location might want to track the effectiveness of ads for their locality. Facebook is probably a decent place for them to run ads too.

                                                                                The big problem is that Facebook has earned a reputation of abusing all the data they collect, so most people are going to say the same thing as you and not have any sympathy, but it probably screws over the poster you’re replying to pretty bad.

                                                                                • fshbbdssbbgdd 6 days ago
                                                                                  In principle, you can know that an ad click resulted in a purchase without knowing who clicked the ad and who made the purchase. Apple supports these kinds of measurements for its own Apple Search Ads product.

                                                                                  The “entropy limit” you see people talking about elsewhere in the thread is one means that attempts to allow ads to be measured like this without revealing information about the users. But if every store *.shopify.com is in the same entropy pool, there won’t even be enough information to tell which ad campaign led to a sale on which store.

                                                                                  • zp33 6 days ago
                                                                                    How can you give every subdomain in *.shopify.com their own entropy pool without also giving domains the ability to serve a distinct subdomain for each user (eg, user-1.example.com & user-2.example.com) and therefore bypassing the restrictions Apple is seeking to implement?
                                                                                    • fshbbdssbbgdd 6 days ago
                                                                                      That’s the debate happening in the GitHub issue. I think a natural answer is with carrots and sticks. Shopify will police their platform if that is what’s necessary to prevent Apple from destroying its business by cutting them all off.

                                                                                      There aren’t that many “build your own store” SaaS platforms, so it is feasible to maintain a whitelist.

                                                                                      It may sound strange at first to propose that Apple should be essentially auditing the behavior of other companies, but they have shown a willingness to pick up that mantle. Apple has already undertaken the huge effort of regulating the business practices of anyone on the App Store with the privacy label and other areas such as payments for digital goods. In this case, they’ve sort of delegated responsibility to a volunteer effort, which is understandable given how the situation evolved, but doesn’t seem sustainable.

                                                                                    • katbyte 5 days ago
                                                                                      Maybe I’m crazy but I don’t want to be tracked and I don’t want my purchase to be linked to an ad click* - I don’t want to be tracked so stop it?

                                                                                      *I haven’t clicked on an ad in a decade so I’m probably not the target audience

                                                                                      • fshbbdssbbgdd 5 days ago
                                                                                        If they know somebody clicked the ad and made a purchase, but they can’t know it was you, why are you bothered? Is it about something other than privacy?
                                                                                    • mangosquash 6 days ago
                                                                                      Apple is doing some cool things to make personally identifiable tracking from Facebook ads much less pervasive, while still providing advertisers/businesses data about whether or not their ads are working. These things include sending batches of data every 36-48 hours instead of data as it happens, etc. But in order for these tools to work, Apple is asking Facebook to rely on this list to see if subdomains would be able to set up conversion events to collect this anonymized batched data.

                                                                                      This system will make ads worse, but I think it's an alright balance. Not being able to have any conversion tracking will make ads dismal.

                                                                                      I wish that Apple would work to maintain their own list that served this purpose, or provided support to the volunteers that were tasked with keeping this updated.

                                                                                    • 3np 5 days ago
                                                                                      I think that's precisely according to intentions. Either they're separate entities with separate domains, or they're run by the same entity and get the same entropy.

                                                                                      > Soon, these sites won't be able to run ads that track purchases, unless franchise.com is added to this list.

                                                                                      They still can, though, right? Just that they don't get more bits than if they had everything on one site. It's just that they can't "eat the cake and have it".
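How the per-site (eTLD+1) grouping debated in the comments above is computed, as an added example that is not part of any comment in the thread: a minimal Python implementation of the PSL matching algorithm (normal, wildcard and exception rules). The hostnames, the rule sets and all function names are constructed for this illustration; it is not Apple's or the PSL project's code.

```python
from collections import defaultdict

def public_suffix(host, rules):
    """Return the public suffix of host under a set of PSL-format rules."""
    labels = host.lower().rstrip(".").split(".")
    best = 1  # implicit default rule "*": the last label alone is a suffix
    for i in range(len(labels)):
        cand = labels[i:]
        name = ".".join(cand)
        if "!" + name in rules:
            # Exception rules win outright: drop the rule's leftmost label.
            return ".".join(cand[1:])
        wildcard = ".".join(["*"] + cand[1:])
        if name in rules or (len(cand) > 1 and wildcard in rules):
            best = max(best, len(cand))  # longest matching rule prevails
    return ".".join(labels[-best:])

def registrable_domain(host, rules):
    """eTLD+1: the public suffix plus one label, or None if host is a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])

def group_by_site(hosts, rules):
    """Map each site (registrable domain) to the hosts that share it."""
    sites = defaultdict(list)
    for h in hosts:
        site = registrable_domain(h, rules)
        if site is not None:
            sites[site].append(h)
    return dict(sites)

# Constructed inputs: hostnames modelled on the thread's examples.
HOSTS = ["north.franchise.com", "south.franchise.com",
         "user-1.example.com", "user-2.example.com"]
BASE = {"com", "*.ck", "!www.ck"}          # "com" plus a wildcard/exception pair
WITH_FRANCHISE = BASE | {"franchise.com"}  # franchise.com accepted as a suffix
WITH_BOTH = WITH_FRANCHISE | {"example.com"}

if __name__ == "__main__":
    for label, rules in [("base", BASE), ("+franchise.com", WITH_FRANCHISE),
                         ("+example.com", WITH_BOTH)]:
        print(label, group_by_site(HOSTS, rules))
```

With only `com` listed, both stores share one site and both user hosts share another; each suffix added to the list turns every host beneath it into its own site, which is why an inclusion request needs vetting.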

                                                                                • Aissen 5 days ago
                                                                                  It's past time we use a better solution for the PSL side-effects (cookies partitioning, TLD detection) than a centralized list. A dedicated DNS record comes to mind.
                                                                                  • kristofferR 6 days ago
                                                                                    Is this actually a problem? From the Github page it seems like the rate of invalid inclusion requests is very low, less than one per day:


                                                                                    • kelnos 6 days ago
                                                                                      That's not the issue; addition requests volume has suddenly gone way up because of this new Apple policy, and the volunteers that run the PSL are not prepared for it.
                                                                                    • varispeed 6 days ago
                                                                                      To be honest Facebook should offer a tracking free version with paid subscription. It is not acceptable that the only way to use Facebook and contact your family is to sacrifice your own and their privacy. When are we going to have a regulator step in and tackle this? It doesn't seem that GDPR has helped much, so I think more radical steps are needed. Such tracking that is being done online would be illegal offline (stalking), so I don't see how long this is going to go. It's not sustainable.
                                                                                      • PeterisP 6 days ago
                                                                                        I don't think that such a paid subscription would be feasible. Facebook currently earns more than 150 $/year on ads for each of their US/Canada users on average; and iPhone users who would be willing to pay for such services probably are worth more than the average, so the appropriate market-determined fee to replace invasive ad targeting would be quite large.

                                                                                        I don't think people would be willing to pay for tracking-free Facebook more than they pay for Netflix.

                                                                                        • varispeed 6 days ago
                                                                                          I don't think profits of a private company should be a justification for such invasion of privacy. There are plenty of ways they could make it work, but we need legislation to compel them to do so. That option should be mandated by law even if it turned out to be niche.
                                                                                        • echelon 6 days ago
                                                                                          iPhone users are probably among Facebook's most valuable advertising demographic (ie. lots of disposable income). Apple's decisions to block tracking are hurting them in a big way, and offering a paid subscription probably won't seem attractive to users if Facebook prices it at the full value lost.

                                                                                          We've trained people that everything is free. We can't get away from that now that the genie is out of the bottle. Furthermore, people might just decide Facebook isn't worth it for them at the level of functionality they provide. As more churn happens, the overall value of the network decreases.

                                                                                          Apple just checkmated Facebook.

                                                                                          • dialtone 6 days ago
                                                                                            This has nothing to do with tracking to target ads. Facebook doesn't need Apple to execute that, people share data with FB voluntarily.

                                                                                            This is about measuring the impact of advertising while following a standard published by Apple itself and covering the use case of big marketplaces with sub stores in it.

                                                                                        • nsxwolf 6 days ago
                                                                                          Paid Sick Leave?
                                                                                        • manzu 6 days ago
                                                                                          I’m just here to point the finger at Facebook, or anyone, for finding this workaround of declaring your legitimate website as a domain suffix just for tracking entropy purposes. This is so laughable, like my Ford Fiesta identifies as an Apache attack helicopter.
                                                                                          • tick_tock_tick 6 days ago
                                                                                            Apple is the one that declared this list to be the source of truth. Facebook is just informing customers of Apple's decision.......
                                                                                          • irrational 6 days ago
                                                                                            >PSL is maintained by volunteers and there should be zero expectation of turnaround times on PR (and a respect for the labor burden shifted onto them by orgs using PSL as a bozofilter)

                                                                                            What is to stop Facebook from assigning an engineering team to act as volunteers so the turnaround time drops to zero?

                                                                                            • seoaeu 6 days ago
                                                                                              Um, because those engineers don't have commit access to the repository? You can't just hire an engineering team and take over any open source project you want.
                                                                                              • irrational 6 days ago
                                                                                                Oh, I was assuming the engineering team would lie and pretend like they did not work for Facebook. I assumed they would slowly work to gain the confidence of those in control and little by little they gain the access they required themselves. Maybe they could pretend not to know each other and use that to their advantage. Surely a company with the resources of Facebook could manufacture fake alternate lives for the engineering team to make them look completely legitimate and harmless.
                                                                                                • willxinc 6 days ago
                                                                                                  Do you mean Apple, whose usage of the PSL caused this?
                                                                                                  • irrational 5 days ago
                                                                                                    No, Facebook. Facebook is telling companies to use the PSL. The PSL people are saying, “we give no guarantees about how long it will take us to add a domain to the PSL”. They could drag their feet so long as to make the PSL useless. To make sure it works, I could see Facebook wanting to get some of their people into position so that they can immediately approve PRs on the PSL.

                                                                                                    I can’t think of any reason Apple would want to support the PSL.