Safari in iOS sends some Safe Browsing data to Tencent (updated)

You might not have to worry outside of China, but it's still a concern.

Apple's Safari browser has long sent data to Google Safe Browsing to help protect against phishing scams using its Fraudulent Website Warning feature, but it now appears Chinese tech giant Tencent gets some information as well. Users have discovered that iOS 13 (and possibly versions starting from iOS 12.2) sends some data to Tencent Safe Browsing in addition to Google's system. It's not clear at this stage whether Tencent collects any information outside of China -- you'll see mention of the collection in the US disclaimer, but that doesn't mean it's scooping up info from American web surfers.

The concern, as you might imagine, revolves over what Tencent might do with that data. Both Google and Tencent may log IP addresses in order for their anti-phishing systems to work, but Tencent's frequent cooperation with the Chinese government raises concerns that its data could be used for surveillance or other nefarious ends. Johns Hopkins University professor Matthew Green noted that a malicious provider could theoretically use Google's Safe Browsing approach to de-anonymize someone by linking site requests. So long as Tencent's method is similar, it could have a way to identify users if the Chinese government pressures it to reveal dissidents.

We've asked Apple for comment.

You can turn Fraudulent Website Warning off (in Settings > Safari) as long as you're willing to accept less vigilance against sketchy pages. The issue is really that Apple activates the feature by default without alerting users, and that it doesn't specify just where Tencent operates. It doesn't help that users are worried about China's influence on tech, either. Between Apple's decision to remove a Hong Kong protest app and Blizzard's ban on a pro-Hong Kong Hearthstone player, it may be hard for Apple and Tencent to escape scrutiny regardless of their behavior.

Update 10/14/19 2:37AM ET: We should clarify that Apple integrated Tencent Safe Browsing into Safari for China users after the WWDC 2017 announcement, and now, it appears that this is being rolled out to non-China devices as well.

Update 10/14/19 4:15PM ET: Apple has issued a statement stressing that Safe Browsing doesn't share the actual URLs of websites you visit, and clarifying that Tencent only receives data from Safari users "with their region code set to mainland China." You can read the full statement below.

"Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off."