Apple has issued a statement today following a slew of misleading and poorly-researched media reports that were published over the weekend, claiming that the Safari web browser was secretly sending user traffic to Chinese company Tencent.
All the reports were anchored in a recent discovery that Apple had implemented a second “safe browsing” system within Safari.
Safe browsing mechanisms are so named after Google’s Safe Browsing service. They work by taking a URL a user is trying to access and checking it against a database of known bad sites.
For years, Apple has used Google’s Safe Browsing API inside Safari to check for bad links. Starting earlier this year, Apple also added Tencent’s safe browsing system to Safari.
But this update has been misinterpreted by several news outlets over the weekend under scary headlines of “Apple sends users’ web browsing history to China,” amid a recent rise in anti-Chinese sentiment and fearmongering triggered by the recent Hong Kong protests and the US-Sino trade war.
However, the reality is that this is not how modern safe browsing mechanisms work.
It’s true that early versions of safe browsing mechanisms did rely on sending a URL over the internet to a “safe browsing provider” where the link was checked against a remote database of malicious sites.
But, nowadays, most safe browsing mechanisms, such as those managed by Google and Tencent, work by sending a copy of the database to a user’s browser and letting the browser check the URL against this local database.
According to Apple, this is also how Apple developers have implemented Safari’s safe browsing mechanism — to never send the user’s internet browsing traffic to safe browsing providers.
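The local check described above, as an added example that is not code from Apple, Google or Tencent. It assumes the downloaded list is a set of 4-byte SHA-256 prefixes of host/path expressions, the general shape Google documents for its Safe Browsing Update API; the function names, the `CN` region code and the sample list entries are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 digest kept in the local list (assumed)

def expressions(url):
    """Host-suffix / path-prefix combinations to test for one URL (simplified)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    # Full host, then parent domains down to the last two labels.
    hosts = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    path = parts.path or "/"
    segs = [s for s in path.split("/") if s]
    # Root, each parent directory, the full path, and the path with its query.
    paths = ["/"] + ["/" + "/".join(segs[:i]) + "/" for i in range(1, len(segs))]
    if path != "/":
        paths.append(path)
    if parts.query:
        paths.append(path + "?" + parts.query)
    return [h + p for h in hosts for p in paths]

def prefix(expr):
    """Truncated SHA-256 of one expression, as stored in the local list."""
    return hashlib.sha256(expr.encode()).digest()[:PREFIX_LEN]

# Constructed sample lists standing in for what each provider ships to the browser.
LOCAL_LISTS = {
    "google": {prefix("phish.example.test/login/")},
    "tencent": {prefix("bad.example.test/")},
}

def provider_for(region_code):
    # Apple's statement: Tencent's list for mainland China, Google's otherwise.
    return "tencent" if region_code == "CN" else "google"

def check_url(url, region_code):
    """Return expressions of `url` found in the local list; no network I/O."""
    local_db = LOCAL_LISTS[provider_for(region_code)]
    return [e for e in expressions(url) if prefix(e) in local_db]

if __name__ == "__main__":
    for region in ("US", "CN"):
        for u in ("https://phish.example.test/login/verify.html?id=1",
                  "https://cdn.bad.example.test/", "https://www.example.org/"):
            print(region, u, check_url(u, region) or "no match")
```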
Tencent’s safe browsing used only for devices with Chinese locale
Furthermore, as several developers have also pointed out over the weekend, Tencent is not the default safe browsing provider. Tencent is only used on devices where the Chinese locale is enabled [1, 2, 3].
The reasoning behind supporting Tencent is quite simple — the Chinese government bans Google domains inside China; hence, Safari users in China wouldn’t be able to receive Google’s database of malicious links and subsequent updates.
Apple added support for Tencent as an alternative safe browsing provider specifically for Chinese users. It did so in order to keep its Chinese userbase safe, similar to everyone else, and show alerts whenever one of them might end up wandering off and landing on a bad site.
Below is Apple’s full statement:
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.
To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.