First off:
- Fire up your iPhone, head to Settings > Safari
- Now tap the link that says “About Safari & Privacy…” (it’s the second of these links, just under the Check for Apple Pay switch)
- Scroll down to the section labeled “Fraudulent Website Warning”
At the bottom of that paragraph:
Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.
Those words have raised a lot of eyebrows. The article linked in the headline digs into some history and lays out the concerns. Start off by reading the section “What is ‘Safe Browsing’, and is it actually safe?” That’ll set the table for why Google’s Safe Browsing is imperfect where privacy is concerned.
Which leads to:
The problem is that Safe Browsing “update API” has never been exactly “safe”. Its purpose was never to provide total privacy to users, but rather to degrade the quality of browsing data that providers collect. Within the threat model of Google, we (as a privacy-focused community) largely concluded that protecting users from malicious sites was worth the risk. That’s because, while Google certainly has the brainpower to extract a signal from the noisy Safe Browsing results, it seemed unlikely that they would bother. (Or at least, we hoped that someone would blow the whistle if they tried.)
But Tencent isn’t Google. While they may be just as trustworthy, we deserve to be informed about this kind of change and to make choices about it. At very least, users should learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them.
OK, now you’re caught up. Is this a tempest in a teapot or a genuine privacy concern? Looking forward to an official response from Apple.
UPDATE: And here’s Apple’s official statement:
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.
To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
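To make "information calculated from the website address" concrete, here is an added sketch (not code from Apple, Google, Tencent or the linked article) of a hash-prefix check in the style of the Safe Browsing Update API. It assumes SHA-256 hashes truncated to 4 bytes and a simplified URL expansion; the `Provider` class, the hostnames and the listed entry are constructed for illustration.

```python
import hashlib

PREFIX_LEN = 4  # bytes; assumed prefix length for this sketch

def expressions(host, path):
    """Simplified host-suffix / path-prefix expansion (no canonicalization, no query)."""
    labels = host.split(".")
    hosts = [host] + [".".join(labels[i:])
                      for i in range(max(1, len(labels) - 5), len(labels) - 1)]
    parts = [p for p in path.split("/") if p]
    paths = [path] + ["/" + "".join(p + "/" for p in parts[:i])
                      for i in range(min(len(parts), 4))]
    return list(dict.fromkeys(h + p for h in hosts for p in paths))

def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()

class Provider:
    """Stand-in for a safe browsing provider; records what clients send it."""
    def __init__(self, listed):
        self.full = {full_hash(e) for e in listed}
        self.seen = []  # hash prefixes received in lookups (the IP arrives with them)

    def prefix_list(self):
        # What the client downloads ahead of time: truncated hashes only.
        return {h[:PREFIX_LEN] for h in self.full}

    def find_full_hashes(self, prefix):
        self.seen.append(prefix)
        return {h for h in self.full if h[:PREFIX_LEN] == prefix}

def check(host, path, local_prefixes, provider):
    """True if listed. The provider is contacted only on a local prefix hit."""
    for expr in expressions(host, path):
        h = full_hash(expr)
        if h[:PREFIX_LEN] in local_prefixes and h in provider.find_full_hashes(h[:PREFIX_LEN]):
            return True
    return False

def demo():
    provider = Provider(["phish.example.test/login"])  # constructed sample entry
    local = provider.prefix_list()
    clean = check("news.example.org", "/story", local, provider)
    sent_for_clean = list(provider.seen)
    listed = check("phish.example.test", "/login", local, provider)
    # Simulate a prefix collision: a benign page whose prefix is on the local list.
    local.add(full_hash("news.example.org/story")[:PREFIX_LEN])
    collided = check("news.example.org", "/story", local, provider)
    return clean, sent_for_clean, listed, collided, provider.seen
```

In the collision case the provider receives a 4-byte prefix for a page that is not listed, alongside the client's IP address; the URL itself is never sent.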