In an effort to protect users from the wild west of internet phishing scams and malware, Apple has long included a “safe browsing” feature in Safari that will alert you when you might be visiting a website that’s known to be fraudulent. However, many users are probably not aware that this feature — which is enabled by default — is potentially sending information to not only Google but also the Chinese internet conglomerate Tencent.
Apple’s Fraudulent Website Warning feature has traditionally worked by cross-referencing the websites you visit against a blacklist that’s maintained by Google. While this has always meant that Google gets some data from you each time you visit a website using Safari, this is limited to your IP address and “information calculated from the website address.” In either case, it’s protected by Google’s privacy policies, and since many users often start from Google’s search engine, they’re already supplying Google with considerably more information anyway.
However, it seems that Google isn’t the only player in this game any more. Reclaim the Net has discovered that the About Safari & Privacy section in iOS 13 now acknowledges that Apple uses “Tencent Safe Browsing” as another one of its sources to check for fraudulent websites.
Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.
As 9to5Mac points out, however, there is some evidence that this may only be for users located in China, which seems likely, as Tencent’s service would be necessary there since Google is mostly blocked in China. However, since Apple uses generic language for its About Safari & Privacy section that’s the same regardless of which country you’re in or which region your device is set to, it’s unclear what’s actually going on here.
What’s Actually Being Shared?
Cryptography expert and Johns Hopkins University professor Matthew Green provides a good explanation of how “Safe Browsing” actually works, and explains the responsible and privacy-focused way in which Google has implemented the technology.
Google’s Safe Browsing originally required browsers to submit the URL of every site you visited in order to check them against a list of blacklisted malicious sites, which was “a privacy nightmare.” Google quickly addressed this by using a hashed database of unsafe website addresses that could be compared locally on a user’s device rather than requiring full URLs to be sent to Google every time. This is presumably what Apple is referring to when it says “information calculated from the website address.”
Regardless of the privacy of the URLs, however, Google still gets your IP address, and may even be able to see other identifying information, such as the database state, or drop a tracking cookie into your browser.
More importantly, though, we know what Google is doing, but “Tencent Safe Browsing” is considerably more opaque, which is especially worrisome for a company that works closely with the Chinese government and is known for patriotically toeing the party line.
The typical user won’t just visit a single URL, they’ll browse thousands of URLs over time. This means a malicious provider will have many “bites at the apple” (no pun intended) in order to de-anonymize that user. A user who browses many related websites — say, these websites — will gradually leak details about their browsing history to the provider, assuming the provider is malicious and can link the requests.
Matthew Green, cryptographer and professor at Johns Hopkins University
However, even if Tencent has implemented a Safe Browsing system that’s just as private as Google’s — and that’s by no means a sure thing — as Green notes, it’s still possible for a malicious provider to collect browsing history on users due to the sheer quantity of requests being made.
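The local hashed check described above, and what a provider can still observe, as an added sketch that is not Apple's, Google's or Tencent's code. It assumes SHA-256 hashes truncated to 4-byte prefixes, as is typical in Google's published Safe Browsing Update API (the page itself does not give these details); the `Provider` class, URLs and IP address are constructed for illustration.

```python
import hashlib

PREFIX_LEN = 4  # bytes; assumed, 4-byte prefixes are typical in Google's Update API

def full_hash(expr: str) -> bytes:
    # Real clients canonicalize the URL and hash several host/path
    # combinations; this sketch hashes a single string.
    return hashlib.sha256(expr.encode()).digest()

class Provider:
    """Hypothetical stand-in for a safe browsing server."""
    def __init__(self, bad_exprs):
        self.full = {}
        for e in bad_exprs:
            h = full_hash(e)
            self.full.setdefault(h[:PREFIX_LEN], set()).add(h)
        self.log = []  # what the provider observes: (client IP, prefix)

    def lookup(self, client_ip, prefix):
        self.log.append((client_ip, prefix.hex()))
        return self.full.get(prefix, set())

def check_url(expr, local_prefixes, provider, client_ip):
    """Return (is_fraudulent, provider_was_contacted)."""
    h = full_hash(expr)
    prefix = h[:PREFIX_LEN]
    if prefix not in local_prefixes:
        return False, False          # decided on-device, nothing is sent
    confirmed = provider.lookup(client_ip, prefix)
    return h in confirmed, True      # prefix and IP reached the provider

# Constructed sample data (not real blocklist entries).
BAD = ["phish.example/login", "malware.example/"]
STALE = "delisted.example/"          # still in the local list, no longer bad
CLIENT_IP = "203.0.113.7"            # documentation address range

def demo():
    provider = Provider(BAD)
    local = {full_hash(e)[:PREFIX_LEN] for e in BAD + [STALE]}
    visits = ["news.example/", "phish.example/login", STALE, "malware.example/"]
    results = {u: check_url(u, local, provider, CLIENT_IP) for u in visits}
    return results, provider.log

if __name__ == "__main__":
    results, log = demo()
    for url, (bad, sent) in results.items():
        print(f"{url:22} fraudulent={bad!s:5} sent_to_provider={sent}")
    print("provider log:", log)
```

Three of the four visits reach the provider, including one for a page that turns out not to be flagged, and every log entry carries the same IP address, which is the linkable trail Green describes.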
How to Opt Out
Apple’s Fraudulent Website Warning feature has always been enabled by default, as the company (probably correctly) assumes that for the majority of users, giving up a little bit of mostly obscured browsing data is worth the trade-off of being protected from blatantly malicious sites.
Further, when Google was both the default search engine and the only provider of a safe browsing database, there was little need for users to worry about sending hashed URLs they visit to Google when most of the websites they visit are served up from Google search results anyway.
However, now that Tencent is part of the equation, privacy-conscious users may want to rethink this trade-off. Fortunately, opting out of this is a matter of flipping a single switch. Here’s how to find it:
- Open your iPhone (or iPad) Settings app.
- Scroll down and tap Safari from the fifth group of settings.
- Scroll down to the “Privacy & Security” section.
- Tap the switch beside Fraudulent Website Warning to switch it off.
The downside, however, is that once you’ve turned this setting off, you’ll no longer be notified if you happen to visit a website — or be misdirected to one — that’s a known phishing or malware site. If you normally practice very safe browsing habits and only visit known sites, this shouldn’t be a big problem, but you’ll have to be even more on your guard when it comes to visiting links from things like emails and text messages.
Of course, you can always turn the setting back on at any time to resume protection against fraudulent websites, but you’ll be giving up some small amount of privacy in exchange for being warned about the bad places you may potentially be going.