Most may not be aware of it, but Apple’s web browser has been sending data to Google Safe Browsing for years. This is done to protect users against phishing scams, by using an interstitial screen that prevents you from visiting a known fraudulent website from Google’s list.
Now it appears that for everyone running the latest version of iOS, Apple is sending some of your web browsing history to Chinese Internet giant Tencent. This has critics up in arms about the potential privacy implications, especially since the feature is enabled by default and takes some digging to find.
If you go to Settings > Safari, you’ll find some small print that has recently been changed to say that “before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.”
Cryptography expert Matthew Green explains that this poses a privacy risk because it could reveal both your IP address and the web pages you are visiting. He says there’s also a great possibility that Google “may drop a cookie into your browser during some of these requests.” This essentially means that someone could use this information to piece together a profile of your browsing behavior.
Fortunately, Google has made some changes to the relevant API that should, in theory, provide anonymity using a locally stored database which contains hashes instead of the actual addresses of known malicious websites. Every time you visit a new website, Safari will hash the URL and check if it matches something from the local database.
However, this approach isn’t perfect. As you visit hundreds or even thousands of websites over time, you gradually leak your browsing history. It’s also worth noting that you need to trust Google not to make use of this vulnerability. The company is already under investigation by the Irish Data Protection Commission under allegations that it may have been circumventing GDPR rules to perform a more subtle form of data mining for advertisers.
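The local hash check described above, sketched as an added example that is not Apple's, Google's or Tencent's code. It is modelled on Google's published Safe Browsing v4 Update API, in which the local list holds short SHA-256 prefixes and a local hit triggers a follow-up request carrying only that prefix; the function names, the simplified URL handling and the sample list are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes; v4 lists commonly use 32-bit prefixes


def url_expressions(url):
    """Host-suffix/path-prefix combinations for a URL (simplified:
    no full canonicalization, IP-literal hosts are not special-cased)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Exact host plus up to four suffixes from the last five labels, never the bare TLD.
    hosts = [host] + [".".join(labels[i:])
                      for i in range(max(1, len(labels) - 5), len(labels) - 1)]
    path = parts.path or "/"
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    # Directory prefixes from the root: "/" plus up to three more.
    dirs = ["/"]
    for seg in [s for s in path.split("/") if s][:-1][:3]:
        dirs.append(dirs[-1] + seg + "/")
    paths += [d for d in dirs if d not in paths]
    return [h + p for h in hosts for p in paths]


def hash_prefix(expression):
    """Truncated SHA-256 of one URL expression, as stored in the local list."""
    return hashlib.sha256(expression.encode("utf-8")).digest()[:PREFIX_LEN]


def prefixes_sent_to_provider(url, local_db):
    """Return the prefixes that hit the local list. Only these leave the
    device, in a follow-up request the provider sees alongside the client IP."""
    return [p for p in map(hash_prefix, url_expressions(url)) if p in local_db]


# Constructed sample data: a one-entry local list and two URLs.
LOCAL_DB = {hash_prefix("phish.example/login/")}

if __name__ == "__main__":
    for url in ("http://www.phish.example/login/index.html?u=1",
                "https://benign.example/news"):
        sent = prefixes_sent_to_provider(url, LOCAL_DB)
        print(url, "->", [p.hex() for p in sent] or "nothing sent")
```

A URL with no local hit produces no network request at all, which is why the exposure builds up gradually rather than on every page load.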
The good news is you can easily turn off the “Fraudulent Website Warning” feature in Settings under Safari, but this still doesn’t explain why Apple didn’t see the need to be more transparent about it. The company released a statement to say that Tencent is only used as a source for the list of fraudulent websites if the region setting on the device is set to mainland China.
This isn’t the first time the company has been criticized for working with a Chinese entity to handle sensitive data. Last year it transferred iCloud servers for Chinese users to a state-run company, which yielded similar privacy concerns.
More recently, Apple has been under fire for its somewhat peculiar relationship with China. CEO Tim Cook had to defend the company’s stance after it removed a Hong Kong protest app from the App Store, a move that led many to believe Apple may be favoring Chinese interests as a way to appease the government of its third-largest market.