What you need to know
- Safari Fraudulent Website Warning flags malicious websites.
- It uses Google's malicious website list internationally and Tencent's list for devices set to China.
- Actual URLs are not shared, though IPs have to be transmitted, and the feature can be turned off.
Apple and China have a complicated relationship and situation that's exploded in the news over the last week. (Much more on that in a future column.) It's led to some incredibly informative reporting, but also some ride-along FUD (fear, uncertainty, and doubt). A recent story about how Apple handles Safari Fraudulent Website Warning's, got caught up in the latter. Which is unfortunate, because it's something everyone should be informed about.
First, here's Apple's statement:
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning," Apple told iMore. "A security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
Second, here's how the system works:
Google and Tencent send Safari hashed prefixes of URLs (websites) known to be malicious. If your device is region-set to most places, you get Google's. If it's region set to mainland China, you get Tencent's. Hash prefixes, while imperfect, were designed to be more general than specific URLs.
Safari checks any web page you try to go to again the list of hash prefixes. If they match, the page may be malicious.
At that point, Safari asks Google or Tencent for the full list of URLs that match the hashed prefix.
Safari then checks the site against the list on device to determine if there's an exact match. So, the specific URL is never sent to Google or Tencent.
Because Safari is communicating with Google and Tencent, they do see the IP address of the device, and because they have the hash prefix, they do know the general pool to which the site belongs.
If anyone, at any time, has any concerns about Google or Tencent having that information, they can go to Settings > Safari on iOS or System Preferences > Security on macOS, and toggle fraudulent website warnings off. The downside, of course, is that you might hit a malicious website without warning. So, you need to balance the threats associated with both conditions.
In a perfect world, a more privacy-centric company like Duck Duck Go or Apple would be able to maintain and use their own lists, both internationally and inside China. In the meantime, some system that anonymizes and relays requests, like Siri does or like Sign in with Apple, perhaps, could improve privacy within the current implementation.
So, for now, browse smart and browse safe.

Music MiniPlayer brings some 2007 iTunes nostalgia to your modern Mac
Fans of the classic iTunes Mini Player are in for a treat because someone came to our rescue and brought it to the Music app on modern macOS.

Apple begins notifying the winners of its WWDC22 Swift Student Challenge
Apple has begun to email winners of its WWDC22 Swift Student Challenge, with some taking to Twitter to share the news of their success.

Review: Multi-device charging has never looked so good with this power bank
Take the Excitrus Power Bank along when you have a lot of devices on-hand and not enough juice. This battery pack can charge four devices at once, including a MagSafe-compatible iPhone and a MacBook.

Keep an eye on the front door with the best HomeKit video doorbells
HomeKit video doorbells are a great way to keep an eye on those precious packages at your front door. While there are just a few from which to choose, these are the best HomeKit options available.