Apple: Safari Does Not Send User Browsing History to China’s Tencent

Safari does use Tencent to ensure that users in China do not navigate to malicious websites, but it never sends the actual URL of a visited site to the Chinese company, Apple says.

The explanation was given following a series of reports that Safari is sending user data to the Chinese conglomerate, thus spurring multiple privacy concerns among users.

The tech giant, however, says it only sends bits of browsing data to Tencent, and that the URL the user attempts to access is never shared with the company. However, the user’s IP address might be.

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address,” Apple’s About Safari & Privacy page reads.

The sharing of bits of user data with a safe browsing provider isn’t new. In fact, in the first version of Google Safe Browsing, the entire visited URL was sent to Google and checked against a list of fraudulent sites. The user IP address was also sent to the Internet giant.

To address privacy concerns, Google changed the mechanism to a safer one, where a SHA256 hash of each unsafe URL in the database is computed and truncated down to a 32-bit prefix, and then the entire database of truncated hashes is sent to the browser.

Thus, when visiting a URL, the browser can check if the site is safe by hashing it and checking if the 32-bit prefix is contained in the local database. If it does, the browser sends the prefix to Google, which delivers the list of all full 256-bit hashes of matching URLs, for the browser to find an exact match.

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explains that, during these exchanges, Google can see the user’s IP address and other identifying information.

The issue, however, isn’t the fact that such information is exchanged with Google, but that Tencent too can tap into the user data, which raises privacy concerns.

According to Apple, however, this is actually a non-issue, as the information is shared with Tencent only in the case of Chinese users.

“Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off,” Apple says.

Basically, the company claims that the user data is only shared with a safe browsing provider if Safari Fraudulent Website Warning is enabled, which is the basic premise of the feature. However, users can disable the feature, if they feel it invades their privacy.

What isn’t clear, however, is why Apple was rather silent on using Tencent for the safe browsing feature in China. Moreover, some researchers suggest it’s not clear if there is code to supposedly choose which provider is selected.

Related: Apple: Security Report on iPhone Hack Created ‘False Impression’

Related: Apple Apologizes for Listening to Siri Talk, Sets New Rules