Apple cops flak for deleting local browser storage after 7 days

Apple this week released iOS and iPadOS 13.4, and Safari 13.1 for macOS, with updates to its WebKit browser framework doubling down on the company's strong privacy protections for users.

Most of the new features under Apple's Intelligent Tracking Prevention (ITP) such as full blocking of third-party cookies which among other things disables login fingerprinting and a class of cross-site request forgery attacks against website have been welcomed by developers and users.

One ITP feature however, a seven-day cap on a website's script-writeable storage in Safari, has been met by howls of protest as developers fear it could kill offline web apps.

Apple WebKit engineer John Wilander who developed the ITP explained that from now, script-writeable storage has been aligned with existing client side cookie restrictions.

Once seven days has passed and users not interacted with a specific site in that period of time, Safari will delete all the script-writeable storage for it.

Wilander said the policy change affects data types and application programming interfaces such as Indexed DB, LocalStorage, media keys, SessionStorage and Service Worker registrations.

The reason for deleting the stored data after seven days is to block third-party scripts from getting around restrictions introduced a year ago that curbed cross-site tracking of users.

Script developers were quick however to move their tracking data elsewhere such as LocalStorage that have no expiry functions for it, meaning there's no way to limit how long it should remain on users' computers.

Boosting user privacy in this way sparked concern that it could stop offline web apps from working reliably however.

Activist and open source developer Aral Balkan wrote: 

"Block all third-party cookies, yes, by all means.

But deleting all local storage (including Indexed DB, etc.) after 7 days effectively blocks any future decentralised apps using the browser (client side) as a trusted replication node in a peer-to-peer network.

And that’s a huge blow to the future of privacy."

Another developer, Andre Garzia, echoed Balkan's sentiments, and accused Apple of "crippling the web" with the change, as it could stop decentralised Progressive Web Apps (PWAs) that don't use a backend server and store data locally, from working.

"Basically, you go on vacation and the data is lost.

This means apps must necessarily keep the data on a server, or they risk losing it all because Apple thinks this equates to privacy," Garzia wrote.

Wilander later added to his original announcement and clarified that the seven-day local data deletion deadline is for Safari only.

Web apps added to the home screen are not part of Safari, and have their own days of use counter.

"We do not expect the first-party in such web applications to have its website data deleted," Wilander wrote and encouraged users to report it to the WebKit team as a serious bug.

Wilander's update did little to mollify Garzia, who said that installing apps to the home screen is not what makes a PWA. 

"A PWA is still a PWA if the user accesses it only occasionally by typing the URL in the browser, or keeping a bookmark," Garzia wrote.

Garzia views the change as Apple preventing web apps from working local-only.

Building native apps for Apple's platform isn't an answer either, Garzia pointed out, as these are subject to strict App Store restrictions which developers don't have to consider for web apps.