Apple has found itself embroiled in yet another China-related controversy, as it appears to be sending user browsing data to Tencent, a Chinese company. That data includes the website visited and the IP address of the iOS user.
Apple has the best of intentions here – the data sharing is done to help protect users from fraudulent websites – but the fact that the company now uses a Chinese conglomerate to do so is raising eyebrows.
Apple has for a long time used Google’s Safe Browsing tech to protect users from phishing sites. If you attempt to visit a URL that Google has flagged as fraudulent or as a source of malware, a warning will be displayed in Safari advising you not to proceed to the website.
However, in iOS 13, the small print advising users of this fact has been changed to say that data may be sent to both Google and Tencent.
Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.
Johns Hopkins University professor and cryptographer Matthew Green says this is problematic because it may reveal both the webpage you are trying to visit, and your IP address. It may also drop a cookie on your device. This data could potentially be used to build up a profile of your browsing behavior.
There is some evidence to suggest that Apple sends browsing data to Tencent only when the user's iOS region is set to China. However, this is unclear. As Green notes, the warning appears on US-registered iPhones as well as Chinese ones.
Green explains that there are some protections in use, at least by Google.
Google quickly came up with a safer approach to, um, “safe browsing”. The new approach was called the “Update API”, and it works like this:
- Google first computes the SHA256 hash of each unsafe URL in its database, and truncates each hash down to a 32-bit prefix to save space.
- Google sends the database of truncated hashes down to your browser.
- Each time you visit a URL, your browser hashes it and checks if its 32-bit prefix is contained in your local database.
- If the prefix is found in the browser’s local copy, your browser now sends the prefix to Google’s servers, which ship back a list of all full 256-bit hashes of the matching URLs, so your browser can check for an exact match.
So Google doesn’t know the exact webpage you are attempting to visit in any particular case, but we are putting a lot of trust in Google not to mine the data.
The typical user won’t just visit a single URL, they’ll browse thousands of URLs over time. This means a malicious provider will have many “bites at the apple” (no pun intended) in order to de-anonymize that user. A user who browses many related websites — say, these websites — will gradually leak details about their browsing history to the provider, assuming the provider is malicious and can link the requests. (Updated to add: There has been some academic research on such threats.)
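The Update API flow described above, and what it exposes to the provider, as an added Python example (not code from Green, Google or Apple). The class names, URLs and IP address are constructed for illustration, and URL canonicalization is simplified to hashing the raw string.

```python
import hashlib

PREFIX_BYTES = 4  # 32-bit prefix, as in the steps above

def full_hash(url):
    # Simplification (assumption): the real client canonicalizes the URL and
    # hashes several host/path combinations; here the URL string is hashed as-is.
    return hashlib.sha256(url.encode("utf-8")).digest()

class Provider:
    """Safe-browsing server: stores full hashes, records what lookups reveal."""
    def __init__(self, unsafe_urls):
        self.by_prefix = {}
        for url in unsafe_urls:
            h = full_hash(url)
            self.by_prefix.setdefault(h[:PREFIX_BYTES], []).append(h)
        self.lookup_log = []  # (client IP, prefix) pairs visible to the server

    def prefix_database(self):
        return set(self.by_prefix)  # what gets shipped to the browser

    def full_hashes(self, client_ip, prefix):
        self.lookup_log.append((client_ip, prefix))
        return self.by_prefix.get(prefix, [])

class Browser:
    def __init__(self, ip, provider):
        self.ip, self.provider = ip, provider
        self.local_prefixes = provider.prefix_database()

    def is_unsafe(self, url):
        h = full_hash(url)
        prefix = h[:PREFIX_BYTES]
        if prefix not in self.local_prefixes:
            return False  # resolved locally: the provider sees nothing
        # Prefix hit: only now does the provider see our IP and the prefix.
        return h in self.provider.full_hashes(self.ip, prefix)

def demo():
    # Constructed sample data (reserved .test names and a documentation IP).
    provider = Provider(["http://phish.example.test/login",
                         "http://malware.example.test/dl"])
    browser = Browser("203.0.113.7", provider)
    verdicts = [browser.is_unsafe(u) for u in ("http://news.example.test/",
                                               "http://phish.example.test/login",
                                               "http://malware.example.test/dl")]
    return verdicts, provider.lookup_log

if __name__ == "__main__":
    print(demo())
```

The lookup log is the data a provider could retain: each prefix hit is recorded against the same client IP, which is what makes repeated requests linkable over time.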
And now that Apple is sending browsing data to Tencent, we are extending that trust to a Chinese company too, and we are not being consulted about it, as the protection is on by default. That, argues Green, is difficult for Apple to justify.
In the Safe Browsing change we have another example of Apple making significant modifications to its privacy infrastructure, largely without publicity or announcement. We have to learn about this stuff from the fine print. This approach to privacy issues does users around the world a disservice.
It increasingly feels like Apple is two different companies: one that puts the freedom of its users first, and another that treats its users very differently. Maybe Apple feels it can navigate this split personality disorder and still maintain its integrity. I very much doubt it will work.
Apple came under fire last week for banning, then allowing, then again banning an app that shows protest trouble spots in Hong Kong.