Safari in iOS 13 was sending browsing data to Chinese tech giant Tencent

nanoguy

TS Addict
Staff member

Most may not be aware of it, but Apple's web browser has been sending data to Google Safe Browsing for years. This is done to protect users against phishing scams, by using an interstitial screen that prevents you from visiting a known fraudulent website from Google's list.

Now it appears that for everyone running the latest version of iOS, Apple is sending some of your web browsing history to Chinese Internet giant Tencent. This has sent critics up in flames about the potential privacy implications, especially since the feature is enabled by default and requires some digging to find it.

If you go to Settings > Safari, you'll find some small print that has recently been changed to say that "before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address."

Cryptography expert Matthew Green explains that this poses a privacy risk because it could reveal both your IP address as well as the web pages you are visiting. He says there's also a great possibility that Google "may drop a cookie into your browser during some of these requests." This essentially means that someone could use this information to piece together a profile of your browsing behavior.

Fortunately, Google has made some changes to the relevant API that should, in theory, provide anonymity using a locally stored database which contains hashes instead of the actual addresses of known malicious websites. Every time you visit a new website, Safari will hash the URL and check if it matches something from the local database.

However, this approach isn't perfect. As you visit hundreds or even thousands of websites over time, you gradually leak your browsing history. It's also worth noting that you need to trust Google not to make use of this vulnerability. The company is already under investigation by the Irish Data Protection Commission under allegations that it may have been circumventing GDPR rules to perform a more subtle form of data mining for advertisers.

The good news is you can easily turn off the "Fraudulent Website Warning" feature in Settings under Safari, but this still doesn't explain why Apple didn't see the need to be more transparent about it. The company released a statement to say that Tencent is only used as a source for the list of fraudulent websites if the region setting on the device is set to mainland China.

This isn't the first time the company has been criticized for working with a Chinese entity to handle sensitive data. Last year it transferred iCloud servers for Chinese users to a state-run company, which yielded similar privacy concerns.

More recently, Apple has been under fire for its somewhat peculiar relationship with China. CEO Tim Cook had to defend the company's stance after it removed a Hong Kong protest app from the App Store, a move that led many to believe Apple may be favoring Chinese interests as a way to appease the government of its third largest market.
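The hash-based lookup described above, as an added illustration that is not code from the article, from Apple, or from Google: a simplified model of a Safe Browsing style hash-prefix check. The blocklist entries, the canonicalization rules, the 4-byte prefix length and the simulated provider lookup are constructed assumptions for the example; the real protocol's canonicalization and response format differ in detail. What the model makes visible is the privacy trade-off the article refers to: no request leaves the device unless a locally stored prefix matches, and when one does, the provider receives only the hash prefix (plus, at the transport level, the requester's IP address), not the full URL.

```python
import hashlib
from urllib.parse import urlsplit

# Assumed prefix length for this example (the update-style protocol uses short
# hash prefixes; 4 bytes is used here purely for illustration).
PREFIX_LEN = 4


def canonical_expression(url: str) -> str:
    """Simplified canonical form: scheme dropped, host lower-cased, fragment removed.
    Real Safe Browsing canonicalization has many more rules; this is an assumption."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host + path


def full_hash(url: str) -> bytes:
    """SHA-256 of the canonical expression; this value never has to leave the device."""
    return hashlib.sha256(canonical_expression(url).encode("utf-8")).digest()


def hash_prefix(url: str) -> bytes:
    """The short prefix that is compared against the local database."""
    return full_hash(url)[:PREFIX_LEN]


# Constructed sample blocklist for the example (not real malicious sites).
BLOCKED_URLS = [
    "http://malicious.example/login",
    "http://phish.example/",
]
# What the device stores locally: only prefixes, so the list reveals no URLs.
LOCAL_PREFIXES = {hash_prefix(u) for u in BLOCKED_URLS}
# What the provider holds: the full hashes (simulated in-process here).
PROVIDER_FULL_HASHES = {full_hash(u) for u in BLOCKED_URLS}


def provider_lookup(prefix: bytes) -> set:
    """Simulated provider endpoint: returns every full hash starting with `prefix`.
    This is the only point where data would leave the device, and the provider
    learns the prefix (and the client's IP), not the URL itself."""
    return {h for h in PROVIDER_FULL_HASHES if h.startswith(prefix)}


def check_url(url: str) -> tuple:
    """Returns (verdict, prefix_sent). prefix_sent is None when the check was
    resolved entirely on-device, i.e. no network request was needed."""
    prefix = hash_prefix(url)
    if prefix not in LOCAL_PREFIXES:
        return ("safe", None)
    # Local prefix hit: ask the provider for full hashes under that prefix.
    matches = provider_lookup(prefix)
    if full_hash(url) in matches:
        return ("fraudulent", prefix)
    # Prefix collided with a blocked entry but the full hash differs:
    # the site is fine, yet the provider still saw this prefix and the IP.
    return ("safe", prefix)


if __name__ == "__main__":
    for u in ["https://www.apple.com/", "http://PHISH.example/#fragment"]:
        verdict, sent = check_url(u)
        print(u, "->", verdict, "| prefix sent:", sent.hex() if sent else "none")
```

The `prefix_sent` value is what a defender should watch in this design: a single 4-byte prefix maps to an enormous number of possible URLs, so one request reveals little, but a provider that logs prefixes together with an IP address over many visits accumulates exactly the kind of partial browsing record the article warns about.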


brucek

TS Maniac
Shall we guess that Apple is being paid for sending data to these services?

If all Apple wanted was to provide a safe browsing service for their users, they could implement a no-leak solution involving either on-device checks only (if blacklist is small enough), or on Apple server-side checks vs a one-way hash where those servers were configured to keep no logs and where the protocol was encrypted. No need to share any user data with any third party.

The fact they didn't do it that way tells you there were other motives at play.

That said it's hardly fair to bash just Apple for this. We are maybe more surprised with this deviation from their normal privacy stance, but the competition isn't even pretending.

Theinsanegamer

TS Evangelist
> Shall we guess that Apple is being paid for sending data to these services?
>
> If all Apple wanted was to provide a safe browsing service for their users, they could implement a no-leak solution involving either on-device checks only (if blacklist is small enough), or on Apple server-side checks vs a one-way hash where those servers were configured to keep no logs and where the protocol was encrypted. No need to share any user data with any third party.
>
> The fact they didn't do it that way tells you there were other motives at play.
>
> That said it's hardly fair to bash just Apple for this. We are maybe more surprised with this deviation from their normal privacy stance, but the competition isn't even pretending.
The competition also didn't market privacy as a selling point. Bit of a difference there.

"it's more important to reflect on the fact that we don't live in an ideal world where things are that simple"

That is a cop out. It's a pretty simple choice: comply with China or don't comply with them. Apple is one of the few companies that could easily do without China altogether. They have the cash and purchasing power to take their business elsewhere. Apple prefers making money in China to protecting the security of its own users. If China has access to your data, in any way, consider it compromised; the same goes for any of your systems if they communicate with China.