In a report today from professor and cryptographer Matthew Green, concerns were raised about Apple sharing users’ browsing data with the Chinese company Tencent. Now Apple has offered an official response, reassuring users that actual URLs aren’t shared with third parties.
Apple has used Google to provide Safe Browsing services but with iOS 13 and macOS Catalina, it started using Tencent to comply with Chinese regulations.
Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.
As we reported this morning, professor and cryptographer Matthew Green raised some concerns about third parties seeing users’ IP addresses as well as what webpages they are viewing.
Johns Hopkins University professor and cryptographer Matthew Green says this is problematic because it may reveal both the webpage you are trying to visit and your IP address. It may also drop a cookie on your device. This data could potentially be used to build up a profile of your browsing behavior.
Bloomberg has now received an official response from Apple on the matter. The company says actual website URLs aren’t shared with Tencent or Google, and it explains more about fraudulent website warnings, including that users can turn the feature off.
The statement also clears up concerns that US users could have their data mixed up with China-owned Tencent. Apple clarifies that it only uses Tencent as a safe browsing provider for devices with their region code set to mainland China. Apple’s statement to Bloomberg:
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
Update: We’ve learned more specifics about how Safari’s fraudulent website warnings work and why actual URLs aren’t shared with third parties.
The check against a list of known malicious sites happens before Safari loads a URL, and the matching starts by checking only hashed prefixes.
If Safari does see a match of the hashed prefix, it will send the hash to the safe browsing provider, Google or Tencent, to request the full list of URLs that have matched the prefix.
Since Safari talks directly with Google or Tencent for the request, they do receive the device’s IP address. After Safari gets the full list of malicious URLs matching the prefix, it checks if there is a full match on-device so the actual URL is never shared with the safe browsing provider.
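The flow described above, as an added sketch that is not Apple's, Google's or Tencent's code. It assumes SHA-256 hashes with 4-byte prefixes (as in Google's Safe Browsing Update API) and a provider that answers with full hashes; the `Provider` and `Client` classes, the sample URL and the IP address are constructed for illustration.

```python
import hashlib

def full_hash(url: str) -> bytes:
    # Real clients canonicalize the URL and hash several host/path
    # variants; this sketch hashes the string exactly as given.
    return hashlib.sha256(url.encode("utf-8")).digest()

class Provider:
    """Hypothetical stand-in for the remote safe browsing service."""
    def __init__(self, bad_urls, prefix_len=4):
        self.prefix_len = prefix_len
        self._hashes = [full_hash(u) for u in bad_urls]
        self.seen = []  # all the provider learns per lookup: (ip, prefix)

    def prefix_list(self):
        # Downloaded by the client ahead of time, not per page visit.
        return {h[:self.prefix_len] for h in self._hashes}

    def full_hashes(self, client_ip, prefix):
        self.seen.append((client_ip, prefix))
        return [h for h in self._hashes if h.startswith(prefix)]

class Client:
    def __init__(self, provider, ip):
        self.provider, self.ip = provider, ip
        self.local_prefixes = provider.prefix_list()

    def check(self, url):
        h = full_hash(url)
        prefix = h[:self.provider.prefix_len]
        if prefix not in self.local_prefixes:
            return "allow"  # no match: nothing leaves the device
        # Prefix hit: the provider now sees our IP and the prefix.
        candidates = self.provider.full_hashes(self.ip, prefix)
        # Final comparison is local; the URL itself is never sent.
        return "warn" if h in candidates else "allow"

if __name__ == "__main__":
    BAD = "http://phish.example/login"  # constructed sample entry
    p = Provider([BAD])
    c = Client(p, "203.0.113.7")        # documentation-range IP
    print(c.check("https://example.org/"), p.seen)
    print(c.check(BAD), p.seen)
```

A benign URL whose hash happens to share a prefix with a listed entry still triggers a request, so the provider's log of IP addresses and prefixes is the part of the design that carries the privacy exposure Green describes.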
If you still want to turn off these warnings, head to Settings → Safari → Fraudulent Website Warning.
On Mac you can find the option in Safari → Preferences → Security → Warn when visiting a fraudulent website.