Apple says Tencent isn’t snooping on your browsing habits

Apple was quick to allay user concerns this weekend after someone spotted that it was working with Chinese company Tencent to check its users’ website requests for malicious URLs.

The company had to clarify how a feature in the iOS version of Safari called “Fraudulent Website Warning” worked after the Tencent link was revealed.

If you go into the settings app in iOS, select Safari, and then About Safari & Privacy, there’s a section called Fraudulent Website Warning, which reads:

Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.

The Fraudulent Website Warning feature checks websites against a list of known malicious URLs so that iOS 13 can flag any harmful sites that users try to visit.

These lists are provided courtesy of companies known as safe browsing providers. Source code in the GitHub repository for WebKit, which is Apple’s underlying browser engine for Safari, suggest that Tencent has been a safe browsing provider since at least November 2018.

Tencent is a giant Chinese tech company involved in a wide range of activities. With 2018 revenues of Rmb312.7bn (£35.2bn), it’s one of Asia’s biggest businesses. It operates the hugely successful WeChat social messaging and payments app in China, and owns bits of companies including Activision Blizzard, Riot Games, Ubisoft, and Discord, not to mention Snap and Tesla.

Apple sent us the following statement:

Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.

To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.

As Matthew Green, cryptographer and professor at Johns Hopkins University explains, safe browsing providers send a list of hashed prefixes for malicious sites to users’ phones. If Safari matches the prefix of a site that the user tries to visit against that list, it goes back and asks the provider for a full list of the sites with that prefix, enabling it to check for the malicious site without divulging its address to the provider.

Apple’s statement suggests that only devices registered to China get the Tencent list (the rest of us get Google’s), and that the web addresses you visit are never sent to either company. However, as Apple’s message in iOS settings clearly states, the company may still be able to log your own IP address.

Green explains that this could represent a privacy issue if the provider chose to aggregate all the requests that your phone sent it to “extract a signal from the noisy Safe Browsing results”. The worry here is that if a single company sees your IP address enough times, along with a list of site prefixes that you’re worried about, it might be able to start making deductions about your surfing habits.

If you’re worried about Google or Tencent making inferences about your browsing habits, you can turn off the Fraudulent Website Warning option using the button just above that About Safari & Privacy section. Although it’s worth weighing this possible risk against the danger of visiting a site that compromises your iOS device.