Late last week, privacy advocates warned that Apple was sending iOS user data to Chinese company Tencent, an alarming development for anyone who had taken the company’s privacy promises at face value. A note in iOS 13 mentioned that its Safari browser uses Tencent’s Safe Browsing system to help fight malicious webpages — but Tencent may log IP addresses in the process. While this has been true for months or even years, the news casts a harsh light on Apple’s recent struggles with surveillance and censorship in China — and the larger problems with privacy on the web.
Apple’s problems are based on a mostly uncontroversial iOS feature: Safari’s “Fraudulent Website Warning” option. The Fraudulent Website Warning, as its name may suggest, warns users when they’re about to visit a known phishing or malware site. Safari identifies these sites by cross-checking users’ web traffic against an external blacklist. In the past, that’s typically been Google’s Safe Browsing program. According to an iOS notice, though, Apple is now using a blacklist from Tencent Safe Browsing as well.
These blacklists are great for warning users off bad sites. But they can hypothetically be used for tracking users, too. In a worst-case scenario, a browser could directly submit every link you click to be checked against a blacklist — which would create a comprehensive log of your internet activity, linked to your IP address.
As far as we know, Safari isn’t doing anything like that. But