The revelation on Monday that Apple’s Fraudulent Website Warning was sending some Safari user data to Chinse firm Tencent caused something of an outcry. There were a lot of unanswered questions.
Apple Response
Apple, a company not known for always being forthcoming with the media, actually put out a statement. It told the Register:
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
Tencent Only Gets Data For Users in China
Furthermore, HackerNews user saagarjha dug into the code. They found that it sent data to Tencent when a users’ region code was set to mainland China:
In an update, they noted:
The code for Tencent Safe Browsing seems to be very similar to that which talks to Google, down to it being under a “Google” namespace, the API endpoints being named the same, and performing hashing which seems to match the “Update API” here: https://developers.google.com/safe-browsing/v4/update-api. I think this is just “whatever Google could see before, Tencent can see now, if you’re in China”. I’m no expert, so I have no idea if that’s k-anonymous or whatever if Tencent/Google decide they want to track you, but in either case it’s just shifting who’s getting your hashes.
We wondered if this might be the case on Monday’s Daily Observations podcast.