It seems like Apple’s China-related controversies aren’t over just yet. It appears that Safari in iOS 13 now sends browsing data to Tencent, a giant Chinese conglomerate that owns the country’s biggest digital platforms, including QQ, WeChat, and Qzone. It’s also known for helping the Chinese government keep its iron grip over what citizens can see and interact with on the internet.
The feature in question is Safari’s Fraudulent Website Warning. At face value, this sounds like a good thing—it’s meant to protect users from bad websites often used in phishing scams. In fact, Apple has long used Google’s Safe Browsing technology. It works like this: if a user tries to visit a URL that’s been flagged as malicious, they see a pop-up warning them not to visit the site. The main change here is that in iOS 13, the “Safari & Privacy” fine print now says, “Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.”
While it wasn’t initially clear if non-China users’ data was being sent to Tencent, Apple has since clarified in a statement that it only impacts users in mainland China.
“Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing,” an Apple spokesperson told Gizmodo in an email. “To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent.”
That sounds above board, but safe browsing isn’t entirely private. In a blog post about the update, Johns Hopkins University professor Matthew Green noted the first iteration of Google’s technology was a “privacy nightmare.” Originally, Google’s servers basically received the entire URL of sites you visited, as well as your IP address. Realizing this, Google changed how its safe browsing tech worked, implementing partial hashes to give you a degree of privacy. However, the Google servers still see your IP address and other types of identifying information. According to Green, because a typical user will visit thousands of URLs, a malicious provider could still de-anonymize users as they “will gradually leak details about their browsing history to the provider, assuming the provider is malicious and can link the requests.”
Which brings us back to Tencent. As mentioned earlier, Tencent owns a number of popular internet platforms in China. As such, it’s an active participant in censoring content online. WeChat, a messaging app owned by Tencent, censors private conversations automatically in real time, as well as filtering images. Earlier this year, Tencent’s QQ browser, among others, was found blocking access to a GitHub page where developers vented workplace grievances. It’s also been reported Tencent will develop “patriotic” video games for the Chinese Communist Party. Apple’s warning acknowledges the Fraudulent Website Warning feature will send your IP to Tencent—and users will just have to trust it won’t succumb to possible government requests to de-anonymize that data. Given its history of bowing to pressure from the Chinese government with regard to censorship, that isn’t encouraging.
Apple told Gizmodo its feature never shares the exact URLs you visit with providers. Safari regularly receives a list of URL prefix hashes that apply to malicious sites. If that matches the hash of a site you try to navigate to, Safari asks the provider for the full list of malicious URLs with the same hashed prefix. If your URL matches one on the list, you’ll be shown a warning that you’re navigating to a dangerous site. All of these checks are done on your device, so the provider never receives the actual URL you visited. However, because Safari directly communicates with the safe browsing provider, that provider will still get your IP address.
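The prefix-hash lookup described above can be simulated to show what stays on the device and what the provider observes. This is an added example, not Apple’s, Google’s or Tencent’s code; the use of SHA-256, the 4-byte prefix length, the class names, the URLs and the IP address are all assumptions made for illustration.

```python
import hashlib

PREFIX_LEN = 4  # assumption: 4-byte SHA-256 prefix; the article gives no sizes


def url_hash(url: str) -> bytes:
    # Assumption: plain SHA-256 of the URL string, no canonicalization.
    return hashlib.sha256(url.encode("utf-8")).digest()


class Provider:
    """Simulated safe browsing provider that records what it can observe."""

    def __init__(self, flagged_urls):
        self._hashes = [url_hash(u) for u in flagged_urls]
        self.seen = []  # (client_ip, prefix_hex) per lookup request

    def prefix_list(self):
        # The list the browser regularly receives: prefixes only.
        return {h[:PREFIX_LEN] for h in self._hashes}

    def full_hashes(self, client_ip, prefix):
        # A direct connection exposes the client's IP along with the prefix.
        self.seen.append((client_ip, prefix.hex()))
        return [h for h in self._hashes if h[:PREFIX_LEN] == prefix]


class Browser:
    def __init__(self, ip, provider):
        self.ip, self.provider = ip, provider
        self.prefixes = provider.prefix_list()

    def is_flagged(self, url):
        h = url_hash(url)
        if h[:PREFIX_LEN] not in self.prefixes:
            return False  # decided locally, nothing sent
        # Prefix hit: fetch the full hashes and compare on the device.
        return h in self.provider.full_hashes(self.ip, h[:PREFIX_LEN])


def demo():
    # Constructed sample data (documentation-range IP, reserved .example names).
    provider = Provider(["http://phish.example/login"])
    browser = Browser("203.0.113.7", provider)
    clean = browser.is_flagged("https://news.example/story")
    bad = browser.is_flagged("http://phish.example/login")
    return clean, bad, provider.seen


if __name__ == "__main__":
    print(demo())
```

The provider’s log ends up holding one entry, the client IP paired with a hash prefix, and never the URL or its full hash.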
This comes at a time when Apple has reportedly caved to demands from the Chinese government. Last week, it pulled a smartphone app used by pro-democracy demonstrators in Hong Kong. Apple CEO Tim Cook later doubled down on the decision, stating in a letter that the app was “in violation of Hong Kong law” despite some calling into question the legitimacy of Cook’s claims. Likewise, a BuzzFeed News report alleges Apple told some Apple TV+ show developers to “avoid portraying China in a poor light.”
While safe browsing does have its benefits, if this news gives you pause, you can turn off Safari’s feature by going to Settings > Safari > Fraudulent Website Warning.