Apple has found itself embroiled in yet another China-related controversy, as it appears to be sending user browsing data to Tencent, a Chinese company. That data includes the website visited and the IP address of the iOS user.

Apple has the best of intentions here – the data sharing is done to help protect users from fraudulent websites – but the fact that the company now uses a Chinese conglomerate to do so is raising eyebrows…

Update: Apple has shared an official response stating that actual URLs aren’t shared with third parties and that only users with their devices set to the mainland China region will use Tencent for the safe browsing service.

Apple has for a long time used Google’s Safe Browsing tech to protect users from phishing sites. If you attempt to visit a URL that Google has flagged as fraudulent or as a source of malware, a warning will be displayed in Safari advising you not to proceed to the website.

However, in iOS 13, the small print advising users of this fact has been changed to say that data may be sent to both Google and Tencent.

Johns Hopkins University professor and cryptographer Matthew Green says this is problematic because it may reveal both the webpage you are trying to visit and your IP address. It may also drop a cookie on your device. This data could potentially be used to build up a profile of your browsing behavior.

There is some evidence to suggest that Apple sends browsing data to Tencent only when the device’s iOS region is set to China. However, this is unclear. As Green notes, the warning appears on US-registered iPhones as well as Chinese ones.

Green explains that there are some protections in use, at least by Google.

  • Google first computes the SHA256 hash of each unsafe URL in its database, and truncates each hash down to a 32-bit prefix to save space.
  • Google sends the database of truncated hashes down to your browser.
  • Each time you visit a URL, your browser hashes it and checks if its 32-bit prefix is contained in your local database.
  • If the prefix is found in the browser’s local copy, your browser now sends the prefix to Google’s servers, which ship back a list of all full 256-bit hashes of the matching URLs, so your browser can check for an exact match.

So Google doesn’t know the exact webpage you are attempting to visit in any particular case, but we are putting a lot of trust in Google not to mine the data.
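
The lookup steps in the list above, as an added Python sketch (not code from Google, Apple, Tencent or the article): the `Provider` and `Browser` classes and the `.example` URLs are constructed for illustration, and the URL canonicalization real clients perform is omitted. It records what the provider actually receives, which is only the 32-bit prefix (alongside, in a real deployment, the client's IP address).

```python
import hashlib

PREFIX_BYTES = 4  # 32-bit prefix, as in the steps above

def full_hash(url: str) -> bytes:
    """SHA-256 of the URL (real clients canonicalize first; omitted here)."""
    return hashlib.sha256(url.encode("utf-8")).digest()

class Provider:
    """Hypothetical stand-in for the Safe Browsing server."""
    def __init__(self, unsafe_urls):
        self.by_prefix = {}
        for url in unsafe_urls:
            h = full_hash(url)
            self.by_prefix.setdefault(h[:PREFIX_BYTES], []).append(h)
        self.observed = []  # every prefix a client has sent us

    def prefix_database(self):
        return set(self.by_prefix)

    def full_hashes(self, prefix: bytes):
        self.observed.append(prefix)
        return list(self.by_prefix.get(prefix, []))

class Browser:
    """Hypothetical client holding the local prefix database."""
    def __init__(self, provider: Provider):
        self.provider = provider
        self.local = provider.prefix_database()

    def check(self, url: str) -> str:
        h = full_hash(url)
        prefix = h[:PREFIX_BYTES]
        if prefix not in self.local:
            return "no match (nothing sent)"
        matches = self.provider.full_hashes(prefix)
        return "unsafe" if h in matches else "prefix collision (safe)"

def demo():
    # Constructed sample URLs on the reserved .example TLD
    unsafe = ["http://phish.example/login", "http://malware.example/update.exe"]
    provider = Provider(unsafe)
    browser = Browser(provider)
    visits = ["https://news.example/article", "http://phish.example/login"]
    results = {u: browser.check(u) for u in visits}
    return results, provider.observed

if __name__ == "__main__":
    results, observed = demo()
    print(results)
    print([p.hex() for p in observed])
```

The benign visit generates no request at all, while the flagged visit sends one 4-byte prefix; the full URL never leaves the browser in either case.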

And now that Apple is sending browsing data to Tencent, we are extending that trust to a Chinese company too, without being consulted about it, as the protection is on by default. That, argues Green, is difficult for Apple to justify.

Apple came under fire last week for banning, then allowing, then again banning an app that shows protest trouble spots in Hong Kong.

It increasingly feels like Apple is two different companies: one that puts the freedom of its users first, and another that treats its users very differently. Maybe Apple feels it can navigate this split personality disorder and still maintain its integrity. I very much doubt it will work.
