Following a report alleging that Safari was sending URLs to China, Apple has clarified that this is not the case and has detailed how the Safe Browsing feature works.
Reports on Monday claimed Apple has been sending browsing data to Chinese technology firm Tencent as part of its anti-phishing systems, and may be expanding how much it uses the firm. From iOS 11 in 2017, Apple has stated on devices bought in China that it uses Tencent, but at some point that same privacy notice has appeared on US iPhones and iPads too.
The information is contained with a privacy notice that is reached via Settings, Safari, About Safari Search & Privacy. It's not clear when this detail was added, but users on Twitter claim to have seen it from iOS 12.2. It is now on all iOS 13 devices.
Apple uses the service as part of its anti-phishing features, and specifically the iOS Fraudulent Website Warning. This is the service that detects when a site may be masquerading as another one, or may contain malware.
Apple has now responded to the claims with a statement to AppleInsider and other venues.
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature.When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.
To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
Apple's privacy notice does describe the overall process for both firms.
"Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent," it says.
Significantly, it also cautions that the website address may not be the only data that these companies receive.
"These safe browsing providers may also log your IP address," it adds.
The presence of Tencent in the privacy information does not mean that data is being sent to the firm, only that Apple may use it for this feature when needed. The possible logging of IP addresses by either Google or Tencent may be necessary for their phishing prevention systems.
However, Apple did not announce the use of this second company in what is a significant area of its privacy work. And the Fraudulent Website Warning feature is turned on by default.
To turn it off, go to Settings, Safari and toggle Fraudulent Website Warning. Note, however, that you will then lose the protection against malicious sites.
Updated: 12:40 ET: Updated with response from Apple.