It’s hard to know what you’re missing when you browse the internet. The rules of the road are often set before you begin your search. For Apple users in China, this is particularly worrisome due to the involvement of Tencent, the Chinese internet giant behind WeChat.
Typically, because of Google’s internet expertise, Apple counts on the company’s safe browsing service for the “Fraudulent Website Warning” feature on Apple devices. If you’ve ever visited a dangerous website on a MacBook or iPhone, you’ve likely received one of Google’s warnings, which say “Deceptive site ahead.” Each time you navigate to a website, Google cross-references the URL with a blacklist of sites that contain malware or phishing content. Although the company provides these warnings, it’s still possible for users to continue to supposedly dangerous sites. (In recent years, Google has enhanced user privacy by performing these checks on a user’s device rather than on its own servers.)
This security feature, which is turned on by default, protects Apple’s Safari users across the globe. On a Mac computer, it can be toggled by navigating to Safari’s Preferences > Security > Warn when visiting a fraudulent website. On an iPhone or iPad, the feature can be switched on or off under Settings > Safari > Fraudulent Website Warning.
For most of the world, Google ensures that using the internet remains safe and secure. However, in China—where Google is blocked—Apple relies on Tencent as its safe browsing provider.
The Apple-Tencent partnership began in 2017 with iOS 11 (link in Chinese), but it attracted scrutiny earlier this month after Apple updated its description of the fraudulent website warning feature. Apple said the security feature could log IP addresses, raising concerns that Tencent—which has ties to the Chinese government—would be able to locate individual users.
In a statement, Apple explained that it never expressly shares URLs with Tencent, but as Quartz previously reported, Apple’s data sharing could endanger Chinese dissidents since it’s possible to link metadata from queries and IP addresses to deanonymize users. We also raised concerns that Tencent could trigger warnings for websites that aren’t fraudulent but raise the ire of the Chinese government, effectively blocking them from users. It turns out those fears were well-founded.
At the heart of the issue is what kind of sites Tencent deems malicious. There are eight blacklisted categories according to documentation (link in Chinese) published by Tencent’s URL Security Center, part of the company’s Anti-Fraud Lab.
On the surface, most categories seem reasonable. Tencent censors websites that pose legitimate threats such as phishing, information fraud, fake advertising, malicious software, and spam. Here are a few examples:
Tencent also blocks gambling and pornography websites. (Although heavy-handed, China isn’t the only country that’s tried bans like this.) However, the eighth category (link in Chinese) on Tencent’s blacklist—”illegal content”—contains a dozen items so broad that the company could censor virtually anything it or Beijing finds questionable. Much of the prohibited content parallels charges that have been used to jail Chinese activists.
Here is what Tencent blocks, per Quartz’s translation:
1: Content that undermines the principles of the Chinese constitution;
2: Content that undermines the national security, leaks national secrets, overturns the regime, and hurts the unity of the nation;
3: Content that undermines the reputation and interests of the nation;
4: Content that advocates for ethnic discrimination and hatred, and undermines ethnic unity;
5: Content that undermines the ethnic policies of China, and advocates for cult or superstition;
6: Content that spreads rumours, disturbs social order, and undermines the stability of the society;
7: Content that spreads obscenity, pornography, gambling, violence, terror, or abetment;
8: Content that insults or slanders people, as well as infringes the lawful rights and interests of people;
9. Content that incites illegal assemblies, associations, demonstrations, or gathering of people to disturb the social order;
10. Content by illegal civil organizations;
11. Content prohibited by laws and other administrative regulations in China;
12. Content contains infringement and pirated content.
In addition to Apple, China’s second-largest search engine Sogou, the QQ mail service, and the ubiquitous messaging app WeChat—all owned by Tencent—also abide by this blacklist. Quartz asked Tencent a number of questions about how it uses its blacklist for Safari users. A Tencent representative sent a link to the page for phishing, the first criteria, on Tencent’s URL Security Center and said “you may refer to this website for more details.” The URL Security Center did not respond to questions.
James Griffiths, author of The Great Firewall of China, said Tencent’s blacklist is pretty much the norm in China. “All major internet companies in China, including Tencent, are signatories to the supposedly voluntary ‘Public Pledge on Self-Discipline for the Chinese Internet Industry’ propagated by the Internet Society of China, which has strong ties to the Chinese government,” he told Quartz via email. The pledge was created in 2002.
“While some of the provisions are fairly standard, others are in line with laws that have been used to go after political and religious dissidents, and to suppress anti-government content,” Griffiths noted. Although Tencent has denied passing information to the government, he said, “under a Chinese cybersecurity law passed in 2017, all internet companies operating in the country are required to store logs and relevant data for at least six months, and provide them to law enforcement when requested. Chinese police and corruption investigators have also referenced using private or deleted WeChat messages and logs to go after suspects, suggesting they have access to them through Tencent.”
This behavior isn’t specific to Tencent, Yaqiu Wang, a China researcher at Human Rights Watch, told Quartz. She pointed out that other Chinese internet companies like search giant Baidu use similarly vague criteria (link in Chinese) to filter sites.
Quartz asked Griffiths whether Apple ought to remain in China while conforming to the Communist Party’s standards.
“Western companies have struggled for years to thread the China needle, and this is only becoming more and more difficult,” he wrote. “While there is some merit to the argument that abandoning the Chinese market would be a disservice to ordinary consumers there, what is concerning is that compromises made in China do not stay in China. Other countries are fully aware of whether companies such as Apple or Google submit to Chinese censorship—Google even said when they pulled out in 2011 that increasing pressure in other markets for a China-style service was a reason. The Chinese censors under President Xi Jinping are also less tolerant of critical content beyond their borders, and are not shy about using the leverage they have over companies operating in China to go after it.”
As the Chinese government expands its influence online, Tencent’s blacklist indicates how companies are bowing to government pressure both domestically and internationally. It also shows just how far Apple is willing to bend to Beijing’s wishes. The company previously hid the Taiwan flag emoji from Apple devices in Hong Kong and Macau, an act of subservience to the Communist Party to keep access to China’s massive market. Apple also removed a Hong Kong protest map from the App Store earlier this month.