Following a report alleging that Safari was sending URLs to China, Apple has clarified that this is not the case and has detailed how the Safe Browsing feature works.
Reports on Monday claimed Apple has been sending browsing data to Chinese technology firm Tencent as part of its anti-phishing systems, and may be expanding how much it uses the firm. Since iOS 11 in 2017, Apple has stated on devices bought in China that it uses Tencent, but at some point that same privacy notice began appearing on US iPhones and iPads too.
The information is contained within a privacy notice that is reached via Settings, Safari, About Safari Search & Privacy. It's not clear when this detail was added, but users on Twitter claim to have seen it from iOS 12.2. It is now on all iOS 13 devices.
Apple uses the service as part of its anti-phishing features, and specifically the iOS Fraudulent Website Warning. This is the service that detects when a site may be masquerading as another one, or may contain malware.
Apple has now responded to the claims with a statement to AppleInsider and other venues.
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.
To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
Apple's privacy notice does describe the overall process for both firms.
"Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent," it says.
Significantly, it also cautions that the information calculated from the website address may not be the only data that these companies receive.
"These safe browsing providers may also log your IP address," it adds.
The presence of Tencent in the privacy information does not mean that data is being sent to the firm, only that Apple may use it for this feature when needed. The possible logging of IP addresses by either Google or Tencent may be necessary for their phishing prevention systems.
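The page does not say what Safari calculates from the address. The following added example (not Apple's, Google's or Tencent's code) assumes the hash-prefix scheme Google documents for its Safe Browsing Update API, with simplified URL canonicalization and a hypothetical in-process `Provider` class standing in for the remote service. It shows that a lookup sends nothing when the local list has no match, and only a 4-byte hash prefix when it does.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes; Safe Browsing v4 hash prefixes are 4 to 32 bytes long

def expressions(url):
    """Simplified host-suffix/path-prefix expressions (no full canonicalization)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    labels = host.split(".")
    # Exact host plus parent domains, never the bare top-level domain
    hosts = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    paths = {path, "/"}
    if parts.query:
        paths.add(path + "?" + parts.query)
    return sorted(h + p for h in hosts for p in paths)

def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()

class Provider:
    """Hypothetical stand-in for the list provider; records what it is sent."""
    def __init__(self, bad_expressions):
        self.full = {full_hash(e) for e in bad_expressions}
        self.received = []  # everything the provider ever sees from the client

    def prefix_list(self):
        return {h[:PREFIX_LEN] for h in self.full}  # the list the device downloads

    def full_hashes_for(self, prefix):
        self.received.append(prefix)
        return {h for h in self.full if h.startswith(prefix)}

def check(url, local_prefixes, provider):
    """Return True if the URL matches the provider's list."""
    for expr in expressions(url):
        h = full_hash(expr)
        if h[:PREFIX_LEN] not in local_prefixes:
            continue  # no local hit: nothing leaves the device
        if h in provider.full_hashes_for(h[:PREFIX_LEN]):
            return True  # full hash confirmed on the device, not by the provider
    return False

# Constructed sample data (not real list entries)
provider = Provider(["phish.example/login"])
local = provider.prefix_list()
blocked = check("http://phish.example/login?x=1", local, provider)
clean = check("https://news.example/story", local, provider)
```

A real prefix request travels over the network, so the provider can see the client's IP address alongside it, consistent with the notice's logging caveat.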
However, Apple did not announce the use of this second company in what is a significant area of its privacy work. And the Fraudulent Website Warning feature is turned on by default.
To turn it off, go to Settings, Safari and toggle Fraudulent Website Warning. Note, however, that you will then lose the protection against malicious sites.
Updated: 12:40 ET: Updated with response from Apple.
51 Comments
Yeah, I was waiting on this story to hit AI. What started out as a drip of China/Apple issues is turning into a faucet.
Curiously, while other parts of Apple's Chinese ToS appear only on Chinese handsets (i.e. iCloud), this disclosure of Tencent receiving browsing data also appears on US handsets.
Before the expected sideshow of "Can't be worse than Google" begins, Google uses a number of methods to ensure they can't know the exact webpage you are attempting to visit in any particular instance, maintaining user privacy in Fraudulent Website checks. There is no such assurance from Tencent and it's automatically allowed unless you disable it. But that also requires Fraud warnings from Google be turned off as well, which makes it not such a good idea to disable for many. The two services should have separate toggles, not an all or nothing.
Et tu AI? You were the guys who fought against the Apple-bashing on Engadget and The Verge and lately you've been jumping on the bandwagon. I expect this kind of click-bait crap from MacRumors now, but not you. If you think Apple is flagrantly opening their users' privacy to nefarious Chinese officials just because, then I don't know what to say.