Apple Under Fire for Sharing iOS Safari IP Addresses with China’s Tencent

Apple is under fire after it was discovered that the iOS edition of Safari is sending user data to the Chinese internet giant Tencent.

Matthew Green, a cryptographer and professor at Johns Hopkins University, has revealed Apple added Tencent Safe Browsing checks to the existing Google Safe Browsing checks as early as February of 2019.

As part of that service, when checking if a website is fraudulent or not, Apple may send the IP address of the Safari user to Tencent. Given the recent press cycle concerning Chinese influence over U.S. tech companies in general and Apple in particular, this has raised some concerns.

The Safari feature — dubbed “Fraudulent Website Warning” in iOS and macOS — is meant to enhance online security by cross-referencing URLs against a blacklist service provided by safe browsing providers such as Google and Tencent.

The obvious issue that raises concern is what the latter company might do with that data. Both companies may log IP addresses to aid their anti-phishing systems, but Tencent’s frequent cooperation with the Chinese government raises concerns that its data could be used for surveillance or other nefarious ends.

While it’s not yet clear whose information is sent to Tencent, or what that information is, Apple does reveal in its privacy policy that Safari submits browsing data to the Chinese firm.

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent,” Apple notes. “These safe browsing providers may also log your IP address.”

The Fraudulent Website Warning feature in Safari can be disabled from settings on iPhone and iPad running iOS 13 (it’s believed that older versions of the operating system could also send similar information to Tencent). However, blocking the feature means that you also lose access to Google’s system, so you end up missing out on the security arsenal that could otherwise prove to be pretty useful.

Update Oct. 14, 10:40am: Apple has released a statement regarding this matter to iMore:

“Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning,” Apple told iMore. “A security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.”