“Fraudulent Website Warning” function included in Safari reveals users' IP addresses to Chinese company Tencent
Recently, reports that Apple transfers user browsing data to China and Google have appeared on various Internet news channels. While the ties to Google are no longer surprising, privacy advocates were concerned that Apple sends the IP addresses of some users to its partner Tencent (a Chinese entertainment and internet giant), and by now everybody in the West knows the controversy surrounding Chinese privacy laws.
According to the reports, Apple has included a service called “Tencent Safe Browsing” in the Safari web browser since at least the release of iOS 12.2. It is used for the “Fraudulent Website Warning” feature, which warns users when they are about to enter a phishing website on macOS or iOS devices that run Safari:
Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.
To check whether a site is potentially malicious, Safari may take information derived from the website URL and transfer it to Google and Tencent. As a result, users' IP addresses might get logged while Safari communicates with the safe browsing providers. According to Apple, however, the Tencent connections are only used to deliver warnings to Chinese residents, as Google is banned in China.
Apple defends its stance and claims that visited URLs are not revealed to the safe browsing provider
Before the release of iOS 12.2, Apple held an entire list of unsafe websites generated by Google's Safe Browsing feature, and users' IP addresses were recorded. However, once it became clear that this service is now also shared with China, many became deeply concerned.
According to some news sources, Google was able to track the information provided by Apple, including the visited website data along with users' IP addresses. However, the feature is more complicated than it may seem: Google relies on a system that hashes the malicious URLs, and that hashed data is then provided to Safari. When a potentially dangerous website is about to be visited, Safari checks certain components of those hashes, without revealing the true URL.
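The hash check described above can be sketched as follows. This is an added example, not Apple's, Google's or Tencent's code: it assumes 4-byte SHA-256 prefixes as in Google's published Safe Browsing Update API, simplifies URL canonicalization, and uses a hypothetical Provider class with a constructed blocklist entry and client IP. It shows what a provider can record when a lookup happens: the client IP and a hash prefix, not the URL.

```python
import hashlib

PREFIX_LEN = 4  # bytes; assumed here, the usual prefix length in Google's Update API

def full_hash(expression: str) -> bytes:
    return hashlib.sha256(expression.encode()).digest()

def expressions(url: str) -> list[str]:
    """Host-suffix/path-prefix combinations to test (simplified canonicalization)."""
    host, _, path = url.split("://", 1)[-1].partition("/")
    path = "/" + path.split("?", 1)[0]
    labels = host.lower().split(".")
    hosts = [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]
    paths = ["/"] if path == "/" else [path, "/"]
    return [h + p for h in hosts for p in paths]

class Provider:
    """Hypothetical stand-in for a safe browsing provider's server."""
    def __init__(self, blocked_expressions):
        self.full_hashes = {full_hash(e) for e in blocked_expressions}
        self.log = []  # everything the provider is able to record per request

    def prefix_list(self) -> set[bytes]:
        # Downloaded by the browser ahead of time; carries no user data.
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def lookup(self, prefix: bytes, client_ip: str) -> set[bytes]:
        self.log.append((client_ip, prefix.hex()))
        return {h for h in self.full_hashes if h.startswith(prefix)}

def is_fraudulent(url: str, local_prefixes: set[bytes],
                  provider: Provider, client_ip: str) -> bool:
    for expr in expressions(url):
        h = full_hash(expr)
        prefix = h[:PREFIX_LEN]
        # Only a hit in the local prefix list triggers a network request.
        if prefix in local_prefixes and h in provider.lookup(prefix, client_ip):
            return True
    return False

if __name__ == "__main__":
    provider = Provider(["bad-site.example/"])  # constructed blocklist entry
    local = provider.prefix_list()
    ip = "203.0.113.7"                          # constructed client IP
    for url in ("http://login.bad-site.example/account/verify",
                "https://www.apple.com/safari/"):
        print(url, is_fraudulent(url, local, provider, ip))
    print("provider log:", provider.log)
```

A URL whose hashes miss the local prefix list produces no request at all, so the provider's log only grows for sites that collide with a listed prefix.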
However, when it comes to China, similar concerns have been directed at the relationship between Tencent and Beijing. China's government has a lousy reputation when it comes to tracking its own citizens and censoring various content. Thus, many are concerned that the information may be passed on to the Chinese government, resulting in unwanted spying.
Disable the unwanted feature on your iPhone device or macOS machine
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning <…> To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
If you are worried about the browsing data tracking that Apple now uses, you can always turn the “Fraudulent Website Warning” option off on your device. However, keep in mind that once you disable this feature, you will no longer be warned about deceptive sites ahead.
If you have decided to turn the function off, use these steps on an iPhone: Settings > Safari > Turn off Fraudulent Website Warning. On a macOS-based machine, do this instead: Safari > Preferences > Security > deselect Warn when visiting a fraudulent website.