Apple refutes accusations that it sends information from every iPhone’s and Mac’s Safari browser to China’s Tencent. These are apparently based on a vaguely-worded explanation in Settings which Apple just clarified.
Safari does use a list of fraudulent websites compiled by this Chinese company to protect users, but only if these users are themselves located in China.
Apple isn’t sending your browser history to Tencent
There were news reports about Safari sharing browser information with Tencent. These were based on a poorly-worded note in the “About Safari Search & Privacy” terms:
“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.”
In the wake of backlash about this practice, Apple released a statement that clarifies who it uses for its Fraudulent Website Warning, Tencent or Google.
Here’s the statement:
“Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.
“To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.”
Safari Fraudulent Website Warning explained
The process used by Safari’s Fraudulent Website Warning is complex, lending itself to confusion.
The Safari browser stores a list of hashed (encoded) URL prefixes, each for a range of websites that might be phishing or spreading malware. If a user tries to go to a site that matches one of these prefixes, Safari then checks with the full, current list of specific websites maintained by Google or Tencent to see if the address the user wants to go to is on it. If it is, Safari pops up the Fraudulent Website Warning.
This means that the address of every website visited isn’t sent to Google or Tencent. And even when one is, those companies aren’t told the specific address the user is trying to visit. However, because Safari is communicating with their servers, they do get the user’s IP address.
Only in China is Safari’s Fraudulent Website Warning routed through Tencent. It’s handled by Google in the rest of the world.
Anyone who’s uncomfortable with this process can go to Settings > Safari > Fraudulent Website Warning and flip the toggle to Off.