Safari caught sending some Safe Browsing data to Chinese internet giant Tencent [Update: Apple responds]

Safari has long sent data to Google Safe Browsing to help protect against phishing scams using its Fraudulent Website Warning feature, but now the iOS edition of the browser has been found to send user data to the Chinese internet giant Tencent as well, according to Reclaim The Net.

Update: Mark Gurman (@MarkGurman) has an official statement from Apple. Here it is:

Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.

The original article continues below.

Tencent became one of Apple’s Safe Browsing providers for Safari following the WWDC 2017 announcement. The main concern here evidently revolves around what Tencent might do with that data. Tencent is known to work closely with the Chinese Communist Party, raising concerns that its data could be used for surveillance or other nefarious ends.

According to Engadget, it appears that Tencent integration is now being rolled out to non-China iOS devices as well. The fact that Apple buried this information in the “About Safari & Privacy” screen available through Settings → Safari without alerting users isn’t helping either.

According to Apple’s explainer, before you visit a website Safari might send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing in order to check if the website is fraudulent. “These safe browsing providers may also log your IP address,” notes Apple, which doesn’t specify just where Tencent operates.

“At this point, it’s difficult to know for sure whether Apple users residing outside of China are having their data sent to Tencent, but it appears to be mentioned on iPhones and iPads registered in the US and the UK, and possibly in other countries, too,” MacRumors noted.

Johns Hopkins University professor Matthew Green warned that a malicious provider could theoretically use Google’s Safe Browsing approach to de-anonymize a user by linking their site requests. Due to Apple’s existing issues in China, Green says that customers “deserve to be informed about this kind of change and to make choices about it.”

At very least, he added, customers should “learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them.”

The Fraudulent Website Warning feature is enabled by default.

To turn it off, go to Settings → Safari on your iPhone or iPad and slide the toggle next to Fraudulent Website Warning underneath the Privacy & Security heading to the OFF position.

When Fraudulent Website Warning is disabled, Safari will no longer display a warning if the website you are visiting is a suspected phishing website. Do not disable this handy feature if you’d like to get alerted before visiting a fraudulent website that masquerades as a legitimate one, such as a bank, financial institution or your email service provider.

Are you worried that Safari for iOS is sending some browser data to Tencent?

Let us know by leaving a comment down below.