Safari’s Fraudulent Website Warning Feature Only Uses Tencent in Mainland China

Apple, in a statement to iMore:

Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.

After quoting Apple’s statement, Rene Ritchie has more details on how the feature works, including the fact that the URLs you visit aren’t sent to Google (or Tencent) — hashed prefixes of the URLs are sent. This became a story over the weekend when a story by Tom Parker at Reclaim the Net ran under the alarming headline “Apple Safari Browser Sends Some User IP Addresses to Chinese Conglomerate Tencent by Default”.

My assumption was that Apple was only using Tencent in mainland China, where Google services are banned. Apple’s statement today makes it clear that that is true. But Apple brought this mini-controversy upon itself, because Apple’s own description of the feature doesn’t specify when the Fraudulent Website Warning feature uses Google and when it uses Tencent. Apple’s description simply says:

Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.

Monday, 14 October 2019