UPDATE: Apple has sent iMore the following statement. We've also explained how the Fraudulent webite warning system works and how you can disable it if you don't like it:
A report via Reclaim the Net has revealed Apple added Tencent Safe Browsing checks to the existing Google Safe Browsing checks as early as February of 2019. As part of that service, when checking if a website is fraudulent or not, Apple may send the IP address of the user to Tencent. Given the recent press cycle concerning Chinese influence over U.S. tech companies in general and apple in particular, this has raised some concerns.
According to the report:
When you access the Fraudulent Website Warning feature inside settings and click the "About Safari & Privacy..." link, users are met with the following disclaimer.
Reclaim The Net notes that the security feature is toggled on by default, so unless you have intentionally accessed these setting to disable the feature, there's a chance that at some point your IP address may have been logged by Tencent or Google whilst you've been browsing in Safari. According to one Twitter user, the addition of Tencent to this policy may have begun as early as February of this year with the iOS 12.2 beta. Apple has of course used Google Safe Browsing for some time.
In iOS 12.2 beta 2 Safari now uses Tencent Safe Browsing in addition to Google Safe Browsing. pic.twitter.com/92pZKBmwWsIn iOS 12.2 beta 2 Safari now uses Tencent Safe Browsing in addition to Google Safe Browsing. pic.twitter.com/92pZKBmwWs— Stijn de Vries (@StijnDV) February 4, 2019February 4, 2019
Apple doesn't maintain its own list of fraudulent websites and so relies on Google for most of the world's websites, and Tencent for websites in China.
It seems that this went unnoticed at the time, and has likely come to light in wake of reports surrounding Apple's dealing in and with China over recent days. Of course, users can avoid having their IP address logged by disabling the feature, however this leaves users vulnerable to accessing fraudulent websites, which of course is the whole point of this security feature.
You could install a third-party browser, however if you view a web page inside of an app, you'll be accessing it through Safari View Controller, and by default links within apps also open Safari. Essentially, it's very hard to avoid using Safari on iOS.
Tencent of course owns WeChat, and works closely with the Chinese Communist Party to facilitate government censorship, preventing the spread of negative information about the government. WeChat's censorship is so severe that it sometimes (unintentionally) censors neutral information published by approved state media outlets.
With regards to the logging of IP addresses, Reclaim The Net notes that an IP address can reveal a uers location, and can be used to profile users across devices:
This article was updated to explain how and why the fraudulent website warnings work.
Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.
Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9
Wow, this is a massive and negligent leak of user browsing activity!
Just when I was beginning my move away from Google and toward Apple because of its supposed stance regarding user privacy, all of this occurs to bring myself and others back to reality. Apparently user privacy is a great thing unless or until it affects the bottom line. Apple needs to decide what kind of company it wants to be; a strictly profit driven and morally corrupt behemoth loyal only to it's shareholders, or a socially responsible company that adheres to democratic values and principles. As Apple's CEO and company spokesman, Tim Cook is saying the things people want to hear and getting lots of kudos in the process, but the terms and conditions of his products are telling a different story. I hope he quickly remedies these issues. If he won't do it himself, then I'm all for Congress "helping" him see the error of his ways.
Apple has had this in place for a long while, this is only an issue now because of the things going on in China. But Apple tells you it's doing this AND allows you to turn it off, so I don't see the issue
This is a new low even for you. You really don't see the issue? smh
I guess the issue is that they shouldn't be doing it in the first place, but that applies to a lot of data collection/sharing that a lot of companies do including big ones like Microsoft, Google and Samsung. But the fact is that Apple is transparent here and you can turn it off
I've long respected Apple and valued their respect for customer privacy and human rights and, like you, Danny, often defended them against knee-jerk opportunistic criticism that was overblown. However, these revelations about the Hong Kong app and now this IP address disclosure to Tencent has me angry. I don't think they've been transparent on this, no, and I agree with the critics. It is incumbent on Apple and Tim Cook to come forward with a thorough explanation and remedy to get back in good graces with us. As far as I can tell, they owe us an apology and action to fix the problems. Of course, I hope I'm wrong and there's some major issues they can bring to light that these reports are missing, but I'm not holding my breath... I think Rene needs to weigh in with a major piece of analysis in the next few weeks as this unfolds.
Where is the lack of transparency? You can see the message Apple provides in iOS in this article (Settings > Safari > About Privacy & Security). Admittedly it could be a bit easier to find and could do with being shown the first time you open Safari
Have you ever read Hitch Hiker's Guide to the Galaxy? This isn't quite like plans being on display in a disused lavatory with a sign on the door saying "beware of the leopard", but you have to tap more info first. Second, it should ask which service you want to use, not just be "Apple" and pick for you. Apple's biggest flaw is they're toggle-phobic. "Batterygate" is because they chose for people instead of giving a toggle. This is the same, as is their nonsense revoking an app from use in Hong Kong, and removing the Taiwan flag as well.
I agree choice is a good thing, and I wish Apple were less toggle-phobic, although a default option is nice for the users who don't understand all the different services and just want to get in and use their phone
No Apple does not, its hidden deep inside settings. Huge issue here. This is how tech companies hide horrible terms and conditions. We need a privacy bill of rights now.
I agree it could be easier to find, it'd be best to have all this information listed in one place that's easy to find
I’m not sure if I understand this correctly. The IP addresses of iPhone users outside of China are being sent to Tencent? I get that they are using Google’s services for this feature but why would they need to get Tencent involved for non-Chinese users? Perhaps the Tencent system is reserved for users in China where Google’s service is unavailable?
Poorly done, Apple. It's really the opposite of safe browsing, isn't it? :(
There is a different between security and privacy, it will offer you security at the expense of privacy, but it shouldn't need to invade your privacy either
Thank you for signing up to iMore. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.