Chinese users may want to be careful about searching the web through Apple’s Safari browser.
That’s because Apple has turned to Chinese tech giant Tencent to provide a blacklist of dangerous websites. Superficially, this is intended to protect users from malware and phishing attacks. The partnership, which began with iOS 11 in 2017, has raised eyebrows among privacy advocates who worry about Tencent’s close ties to the Chinese government (paywall).
It’s possible that Tencent could flag or censor websites at the behest of the Chinese Communist Party. When a user visits a website that triggers a fraud warning (legitimate or not), their IP address is shared with their safe browsing provider. Typically, Safari relies on Google for a list of shady sites, but the Google domain is blocked in China.
In a statement, Apple explained how Safari authenticates websites:
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.
To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
The fraudulent website warning feature is turned on by default on Apple devices. On a MacBook, it can be switched off by navigating to Safari’s Preferences > Security > Warn when visiting a fraudulent website. On an iPhone, the feature can be toggled under Settings > Safari > Fraudulent Website Warning.
Although Apple conceals URLs, privacy researchers are still worried because Google and Tencent could analyze the shared data to identify users based on their search histories. The anonymizing technique used by Google and Tencent—crunching URLs into hashes and comparing their prefixes to blacklists locally—is imperfect. Matthew Green, a cryptographer and professor at Johns Hopkins University, explains the method’s shortcomings in a blog post:
The weakness in this approach is that it only provides some privacy. The typical user won’t just visit a single URL, they’ll browse thousands of URLs over time. This means a malicious provider will have many ‘bites at the apple’ (no pun intended) in order to de-anonymize that user. A user who browses many related websites … will gradually leak details about their browsing history to the provider, assuming the provider is malicious and can link the requests.
Green says the privacy-focused community has generally accepted Google’s trade-off between ensuring online safety and sacrificing anonymity.
“But,” he adds, “Tencent isn’t Google. While they may be just as trustworthy, we deserve to be informed about this kind of change (Apple using Tencent’s blacklist in China) and to make choices about it. At [the] very least, users should learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them.”
Because of Tencent’s involvement, China’s political dissidents should be extra cautious about using Safari. The very system that’s meant to protect them online could also threaten their safety.
Apple clarified to Quartz that Hong Kong users still rely on Google’s blacklist. Earlier this month, Apple seemingly submitted to pressure from China when it pulled a Hong Kong protest map app from the App Store, as well as the Quartz app from the China App Store. The company also removed the Taiwan flag emoji from its keyboard for users in Hong Kong and Macau, China’s two Special Administrative Regions.