Apple is sending some browsing history of iOS 13 Safari users to Tencent Holdings Limited, a Chinese multinational conglomerate. The data shared is tied to the Safari Safe Browsing technology. Revelations of the relationship have drawn criticism from security and privacy experts.
Apple’s Safari Browser on iOS has a “Fraudulent Website Warning” feature set as a default that has used Google Safe Browsing technology as a back-end. But Safari users noticed recently information provided by Apple about this feature on iOS that acknowledges the company sends “information calculated from a website address” not only to Google Safe Browsing, but also to “safe browsing” technology from Tencent.
Moreover, Apple—”as is standard for this sort of news”—has divulged very little about the privacy implications of shifting Safe Browsing to use Tencent’s servers, which is troubling at best, and could be a privacy disaster, at worst, said Matthew Green, a cryptographer and professor at Johns Hopkins University, an analysis posted on Sunday.
“The changes probably affect only Chinese-localized users … although it’s difficult to know for certain,” he wrote. “However, it’s notable that Apple’s warning appears on U.S.-registered iPhones.”
There are a slew of problems with this scenario, not the least of which is that Tencent has close ties to the Chinese government, observed Tom Parker from Reclaim the Net in a blog post.
“Tencent works closely with the Chinese Communist Party,” he wrote. “It facilitates government censorship in China through its multi-functional utility app WeChat. The company also released a game pro-Chinese Communist Party game called Clap for Xi Jinping: An Awesome Speech in 2017 which, as the title suggests, encourages users to virtually clap for the Chinese president Xi Jinping.”
Researchers said it’s not certain when Apple started allowing Tencent and Google to log some user IP addresses. However, one Twitter user reported seeing the change in Safari on iOS 12.2 beta in February, he said.
Google’s safe browsing technology stems from a security measure Google decided to take several years ago when they noticed that web users “tended to blunder into malicious sites as they browsed the web,” Green wrote.
The earliest version of the technology was an API that allowed a browser to ask Google about the safety of a URL someone visited, which was a “privacy nightmare,” since Google’s servers “received the full URL, as well as your IP address (and possibly a tracking cookie to prevent denial of service),” Green wrote.
Although this API still exists as “Lookup API,” Google eventually updated its “safe browsing” technology to allow for more privacy to users. The latest version only allows Google to learn the 32-bit hashes of some browsing requests that won’t precisely reveal the identity of the URL someone has accessed, an approach that provides “some privacy,” Green wrote.
“The problem is that Safe Browsing ‘update API’ has never been exactly ‘safe’. Its purpose was never to provide total privacy to users, but rather to degrade the quality of browsing data that providers collect. Within the threat model of Google, we (as a privacy-focused community) largely concluded that protecting users from malicious sites was worth the risk,” Green wrote.
“But Tencent isn’t Google,” Green continued. “While they may be just as trustworthy, we deserve to be informed about this kind of change and to make choices about it. At very least, users should learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them.”
Predictably, users and experts alike took to social media to criticize Apple, feeling betrayed because they view the company as one that has historically committed to putting user privacy and security first.
“@tim_cook please don’t do that,” Tweeted user Himanshu Yadav. “I consider @Apple epitome of user privacy. Don’t put $$$ above the values.”
“Apple is bending over for China in ways I didn’t know you could,” commented Twitter user called Fraud Guarantee.
What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.