During the last week, the reality that US companies often bend the knee to China has been thrown into the spotlight. Apple, one of the biggest US tech companies, has appeased China by hiding the Taiwan flag emoji and ignoring US lawmakers when choosing to ban a Hong Kong protest safety app. Now it’s been discovered that Apple, which often positions itself as a champion of privacy and human rights, may be sending some IP addresses from users of its Safari browser on iOS to Chinese conglomerate Tencent – a company with close ties to the Chinese Communist Party.
Apple says that it may send some user IP addresses to Tencent in the “About Safari & Privacy” section of its Safari settings which can be accessed on an iOS device by opening the Settings app and then selecting “Safari > About Privacy & Security.” Under the title “Fraudulent Website Warning,” Apple says:
“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.”
The “Fraudulent Website Warning” setting is toggled on by default which means that unless iPhone or iPad users dive two levels deep into their settings and toggle it off, their IP addresses may be logged by Tencent or Google when they use the Safari browser. However, doing this makes browsing sessions less secure and leaves users vulnerable to accessing fraudulent websites.
It’s unclear when Apple started allowing Tencent and Google to log some user IP addresses but one Twitter user reported seeing this change to Safari as early as the iOS 12.2 beta in February 2019.
In iOS 12.2 beta 2 Safari now uses Tencent Safe Browsing in addition to Google Safe Browsing. pic.twitter.com/92pZKBmwWs
— Stijn de Vries (@StijnDV) February 4, 2019
Safari is the default browser on iOS devices and according to recent statistics, it’s the most popular mobile internet browser in the US with a market share of over 50%.
Even if people install a third-party browser on their iOS device, viewing web pages inside apps still opens them in an integrated form of Safari called Safari View Controller instead of the third-party browser. Tapping links inside apps also opens them in Safari rather than a third-party browser. These behaviors that force people back into Safari make it difficult for people to avoid the Safari browser completely when using an iPhone or iPad.
Tencent works closely with the Chinese Communist Party. It facilitates government censorship in China through its multi-functional utility app WeChat. The company also released a game pro-Chinese Communist Party game called Clap for Xi Jinping: An Awesome Speech in 2017 which, as the title suggests, encourages users to virtually clap for the Chinese president Xi Jinping. In addition to this, Tencent is reportedly collaborating with the Chinese Communist Party to develop “patriotic” video games.
Given the recent examples of the US tech companies Blizzard and Apple taking punitive actions against apps and video game players, seemingly in an effort to appease China, the revelation that Apple may send user IP addresses to Chinese conglomerate Tencent is worrying.
When you add in the rising tensions in Hong Kong, where China is being blamed for the increasingly violent police tactics that are being used against Hong Kong’s pro-democracy protestors, this revelation is even more concerning.
IP addresses can reveal user locations and be used to profile users across devices. If Tencent logs the IP address of an iPhone or iPad user through its Safe Browsing service, this information could potentially be used to identify the owner of the device by searching for instances of the IP address across Tencent’s other services.
Apple claims at the top of its privacy page, “At Apple, we believe privacy is a fundamental human right.”
Last month, Apple ignored China’s involvement and human rights violations when responding to one of the largest reported iPhone hacks to date. And earlier this year, it censored Chinese language podcasts in China and removed a Chinese artist’s song from Apple Music at the request of the Chinese government.
Update/October 14, 2019/Statement from Apple about website URLs:
“Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of website you visit is never shared with a safe browsing provider and the feature can be turned off.”