Safari in iOS 13 was sending browsing data to Chinese tech giant Tencent
Apple believes the issue is overstated
By Adrian Potoroaca
The big picture: As trade tensions between China and the US continue to make headlines, Apple has found itself in the general conversation once again. Apparently, the company shares some data with a Chinese tech giant, which has led some to believe that it isn't able to hold up to its high standards for privacy. While most people would take that as "Apple bowing to China," it's more important to reflect on the fact that we don't live in an ideal world where things are that simple.
Most may not be aware of it, but Apple's web browser has been sending data to Google Safe Browsing for years. This is done to protect users against phishing scams, by using an interstitial screen that prevents you from visiting a known fraudulent website from Google's list.
Now it appears that for everyone running the latest version of iOS, Apple is sending some of your web browsing history to Chinese Internet giant Tencent. This has drawn fire from critics over the potential privacy implications, especially since the feature is enabled by default and requires some digging to find.
If you go to Settings > Safari, you'll find some small print that has recently been changed to say that "before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address."
Cryptography expert Matthew Green explains that this poses a privacy risk because it could reveal both your IP address and the web pages you are visiting. He says there's also a great possibility that Google "may drop a cookie into your browser during some of these requests." This essentially means that someone could use this information to piece together a profile of your browsing behavior.
Fortunately, Google has made some changes to the relevant API that should, in theory, provide anonymity using a locally stored database which contains hashes instead of the actual addresses of known malicious websites. Every time you visit a new website, Safari will hash the URL and check if it matches something from the local database.
However, this approach isn't perfect. As you visit hundreds or even thousands of websites over time, you gradually leak your browsing history. It's also worth noting that you need to trust Google not to make use of this vulnerability. The company is already under investigation by the Irish Data Protection Commission under allegations that it may have been circumventing GDPR rules to perform a more subtle form of data mining for advertisers.
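A simplified model of the local lookup described above, added here as an example and not Apple's or Google's code: the URL is reduced to host/path expressions, each is hashed with SHA-256, and only a truncated prefix is compared with the on-device list. The 4-byte prefix length, the reduced canonicalization and the sample list on a made-up domain are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 digest kept on the device (assumed)


def expressions(url):
    """Simplified host-suffix / path-prefix forms of one URL."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    # Exact host, then shorter suffixes down to the last two labels.
    hosts = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    segments = [s for s in parts.path.split("/") if s]
    paths = ["/"]
    for i in range(len(segments)):
        is_dir = i < len(segments) - 1 or parts.path.endswith("/")
        paths.append("/" + "/".join(segments[: i + 1]) + ("/" if is_dir else ""))
    return [h + p for h in hosts for p in paths]


def prefix(expression):
    """Truncated SHA-256 of one expression, as hex."""
    return hashlib.sha256(expression.encode()).digest()[:PREFIX_LEN].hex()


def check(url, local_prefixes):
    """Return (expression, prefix) pairs that hit the local list.

    An empty result means the lookup stayed on the device. Each hit is a
    prefix the browser would send to the provider to confirm the match,
    and the provider sees that prefix together with the client IP address.
    """
    return [(e, prefix(e)) for e in expressions(url) if prefix(e) in local_prefixes]


# Constructed sample list: one fraudulent location on a made-up domain.
LOCAL_PREFIXES = {prefix("phish.example.test/login/")}

if __name__ == "__main__":
    for url in ("https://news.example.org/story",
                "http://www.phish.example.test/login/index.html?x=1"):
        hits = check(url, LOCAL_PREFIXES)
        print(url, "->", hits or "no match, nothing sent")
```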
The good news is you can easily turn off the "Fraudulent Website Warning" feature in Settings under Safari, but this still doesn't explain why Apple didn't see the need to be more transparent about it. The company released a statement to say that Tencent is only used as a source for the list of fraudulent websites if the region setting on the device is set to mainland China.
This isn't the first time the company has been criticized for working with a Chinese entity to handle sensitive data. Last year it transferred iCloud servers for Chinese users to a state-run company, which yielded similar privacy concerns.
More recently, Apple has been under fire for its somewhat peculiar relationship with China. CEO Tim Cook had to defend the company's stance after it removed a Hong Kong protest app from the App Store, a move that led many to believe Apple may be favoring Chinese interests as a way to appease the government of its third largest market.