Apple under fire for sending web browsing data, including IP addresses, to China’s Tencent

Apple today is facing criticism for sending web browsing data, including IP addresses, to China’s Tencent Holdings Ltd.

Mark Gurman for Bloomberg:

For about two years, Apple has been sending data to Tencent as part of an iPhone and iPad security feature that warns users if a website is malicious or unsafe before they load it. The U.S. company checks addresses against an existing list of sites known to be problematic. That list is maintained by Tencent for users in mainland China and by Google for other regions, including in the U.S.

In newer versions of Apple’s iOS operating systems, the company says this feature “may also log your IP address,” potentially providing Tencent, a Chinese internet conglomerate with government ties, data such as a user’s location… “We deserve to be informed about this kind of change and to make choices about it,” Matthew Green, a cryptographer and professor at Johns Hopkins University, wrote in a blog post. “Users should learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them.”

Apple said in a statement that the feature protects user privacy and safeguards people’s data. The checks occur on the devices, and the actual web addresses are never shared with Tencent and Google, the safe browsing providers. The feature is on by default, but can be switched off, Apple also said.

MacDailyNews Take: While we’re happy to see Apple finally communicated to users what was happening, why did it take Apple two years to do so?

Apple’s statement (via Slashdot): Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of website you visit is never shared with a safe browsing provider and the feature can be turned off.

To turn off this “feature” on your iOS 13 or iPadOS 13 device: Settings > Safari > toggle off “Fraudulent Website Warning.”


    1. So why doesn’t Apple offer a seamless VPN? For a company that claims to protect privacy, it isn’t trying very hard to make it easy and cost effective for mere mortal computing customers. Your grandmother isn’t going to know she needs a VPN when Cookie tells her that Apple stuff is private. She mistakenly believed Tim.

    1. Exactly.. the same way that allowing drunks with guns into bars makes everyone safer. Life involves trade offs. If you are more worried about the Chinese secret police than about ordinary criminals, by all means turn off the checking. That might be a rational choice for Chinese dissidents using mainland websites, but less so for the rest of us.

  1. Realist,

    Except for government allowed VPNs which are heavily monitored (and this defeats the purpose) VPNs are illegal in China so if Apple included a VPN in the iOS system then this would probably cause problems for Apple’s sales. Remember, this an authoritarian state that we are talking about and it is most definitely not a liberal democracy.

  2. Here’s what I say. Again:

    Monday, October 14, 2019 at 2:00 pm
    My comment is not relevant at all, but please allow me this chance to say, Happy Columbus Day, boys. And, might as well call old panda faced Xi a kommie pinko panda faced jerk, on behalf of all Chinese who’d be severely persecuted if they even thought wrong. Oh, glad Apple is making a new Mac Pro. Now, just make make MacBook Pro we can easily change RAM and SSD on. Gracious, mi amigos.

    I’ve been to kommie China. One time.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.