
Here's Apple's statement on Safari Fraudulent Website Warning and Tencent


What you need to know

  • Safari Fraudulent Website Warning flags malicious websites.
  • It uses Google's malicious website list internationally and Tencent's list for devices set to China.
  • The actual URL you visit is never sent to the list provider, but the provider does see your device's IP address whenever Safari contacts it, and the feature can be turned off.

Apple and China have a complicated relationship and situation that's exploded in the news over the last week. (Much more on that in a future column.) It's led to some incredibly informative reporting, but also some ride-along FUD (fear, uncertainty, and doubt). A recent story about how Apple handles Safari Fraudulent Website Warnings got caught up in the latter, which is unfortunate, because it's something everyone should be informed about.

First, here's Apple's statement:

"Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning," Apple told iMore. "A security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off."

Second, here's how the system works:

  • Google and Tencent send Safari a list of hash prefixes, short truncated hashes of the URLs (websites) known to be malicious. If your device is region-set to most places, you get Google's. If it's region-set to mainland China, you get Tencent's. A hash prefix is deliberately coarse: many different URLs share the same prefix, so the prefix identifies a pool of sites rather than one specific URL.
  • Safari hashes any web page you try to go to and checks that hash against the list of prefixes on the device. If a prefix matches, the page may be malicious, or it may simply share a prefix with one that is.
  • At that point, Safari asks Google or Tencent for the full-length hashes that start with that prefix. The provider returns hashes, not URLs, and only for that one prefix.
  • Safari then compares the full hash of the URL against that response on the device to determine if there's an exact match, and only then shows the warning. So, the specific URL is never sent to Google or Tencent.
  • Because Safari is communicating with Google and Tencent, they do see the IP address of the device, and because they have the hash prefix, they do know the general pool to which the site belongs. They learn nothing at all about pages whose hash never matches a prefix, because those never trigger a request.
  • If anyone, at any time, has any concerns about Google or Tencent having that information, they can go to Settings > Safari on iOS or Safari > Preferences > Security on macOS, and toggle the fraudulent website warning off. The downside, of course, is that you might hit a malicious website without warning. So, you need to balance the threats associated with both conditions.
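To make the exchange above concrete, here is an added example (not Apple's, Google's or Tencent's code) that models the prefix-matching lookup in Python: a provider that holds full SHA-256 hashes of listed URL patterns and hands out 4-byte prefixes, and a browser that only contacts the provider when a local prefix hits, then finishes the match on device. The blocklist entries, the client IP, the 4-byte prefix length and the simplified URL-to-expression rules are all assumptions made for the example; it also records exactly what the provider ends up seeing, and honours the off switch from the last step.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of hash sent to the provider; an assumption for this model


def url_expressions(url):
    """Simplified host-suffix / path-prefix expressions derived from one URL.
    (Modelled on the Safe Browsing lookup idea; not Safari's actual rules.)"""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    path = parts.path or "/"
    labels = host.split(".")
    # the full host plus trailing components such as "example.test"
    hosts = {host} | {".".join(labels[-n:]) for n in range(2, 6) if n <= len(labels)}
    # every directory prefix of the path, plus the full path (query dropped)
    segs = path.strip("/").split("/") if path != "/" else []
    paths = {"/", path} | {"/" + "/".join(segs[:i]) + "/" for i in range(1, len(segs))}
    return {h + p for h in hosts for p in paths}


def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()


class ListProvider:
    """Models Google or Tencent: stores full hashes of listed patterns, serves
    prefixes for download, answers full-hash lookups, and logs what it learns."""

    def __init__(self, bad_patterns):
        self.full_hashes = {full_hash(p) for p in bad_patterns}
        self.seen = []  # (client_ip, prefix): everything the provider ever receives

    def prefixes(self):
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def find_full_hashes(self, prefix, client_ip):
        self.seen.append((client_ip, prefix))  # IP and prefix are visible here
        return {h for h in self.full_hashes if h.startswith(prefix)}


class Browser:
    """Models Safari: downloads prefixes once, matches locally, escalates only on a hit."""

    def __init__(self, provider, ip, warnings_enabled=True):
        self.provider, self.ip = provider, ip
        self.warnings_enabled = warnings_enabled
        self.local_prefixes = provider.prefixes()  # periodic list download

    def is_fraudulent(self, url):
        if not self.warnings_enabled:
            return False  # feature off: no local check, no network traffic, no warning
        for expr in url_expressions(url):
            h = full_hash(expr)
            if h[:PREFIX_LEN] not in self.local_prefixes:
                continue  # no local hit: nothing about this page leaves the device
            candidates = self.provider.find_full_hashes(h[:PREFIX_LEN], self.ip)
            if h in candidates:
                return True  # exact match decided on device
        return False


def demo():
    # Constructed sample data: one listed phishing path, a made-up client address.
    provider = ListProvider(["phish.example.test/login/"])
    safari = Browser(provider, "203.0.113.7")
    verdicts = {
        "http://phish.example.test/login/index.html?u=1": safari.is_fraudulent(
            "http://phish.example.test/login/index.html?u=1"),
        "http://example.test/about": safari.is_fraudulent("http://example.test/about"),
        "http://phish.example.test/": safari.is_fraudulent("http://phish.example.test/"),
    }
    return verdicts, provider.seen


if __name__ == "__main__":
    verdicts, seen = demo()
    for url, bad in verdicts.items():
        print(f"{'WARN ' if bad else 'ok   '} {url}")
    print("provider received:", [(ip, p.hex()) for ip, p in seen])
```

Note what the provider's log contains: a client IP and a 4-byte prefix, and only for the one page whose prefix matched locally. The clean pages generate no request at all, and even the flagged page never appears as a URL string on the provider side. The same code with `warnings_enabled=False` makes no lookups and raises no warning, which is the trade-off the toggle represents.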

In a perfect world, a more privacy-centric company like DuckDuckGo or Apple would be able to maintain and use their own lists, both internationally and inside China. In the meantime, some system that anonymizes and relays requests so the provider never sees the device's IP address, like Siri does or like Sign in with Apple, perhaps, could improve privacy within the current implementation.

So, for now, browse smart and browse safe.


Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

9 Comments
  • I wouldn't call this "FUD (fear, uncertainty, and doubt)." Apple's own documentation stated that both Tencent and Google may collect user IP addresses. There was no ambiguity there. We shouldn't minify the implications surrounding this.
  • We shouldn't minimise the implications surrounding this.
  • "But by no means do I ever overlook or minify the fact that this is one of the most extraordinary experiences of my life." -Mark Twain
    https://www.dictionary.com/browse/minify
  • Thanks for the assist.
  • So, whenever you visit a blocked site (or a site with a matching hash, which could be a false positive) then Tencent or Google gets the hash for the URL prefix along with your IP address, and it looks up the list of forbidden sites corresponding to that hash. As you note, they know your IP address as well as the pool of banned sites. This is not good news for anyone in China who doesn't want to be tracked by Tencent, or who may want to visit sites that are banned by Tencent. Hopefully Google does a better job of respecting user privacy.
  • I think Apple is better on the privacy front overall when compared to Google. I don't agree with the Tencent sharing, but you can disable it. Hopefully Apple disables this by default or puts the information in an easier-to-find place.
  • Smh. Leave it to you Rene to minimize another egg on Apple's face. Apple is not privacy-centric company, FAR from it. They've been caught over and over again and just like the good Apple Warrior you are you rush to defend them. There's zero fud here and your blind defending of Apple has reached a new low.
  • No company above a certain size is privacy-centric, with great power comes great responsibility, and big companies tend to care more about making money. In terms of the big companies, Apple does do a decent job with protecting user privacy, a lot better than other big companies, but "decent" isn't good enough. This is why the GDPR exists in Europe
  • Well there are 2 sides to a coin, head and tail, there will always be believers and haters.