Apple Clarifies Tencent's Role in Fraudulent Website Warnings, Says No URL Data is Shared and Checks are Limited to Mainland China

[iGeneo]

Just a sensational headline, Apple clarified what it is doing. I see nothing wrong with that. They could NOT use Tencent for Chinese locales. Then again, IF you are a Chinese user you can simply uncheck that option in Safari settings. If you still have the tinfoil hat on, use a solid VPN

 

[coolfactor]

Looks like it's slowly the time to depart from Safari.

If they continue hugging this much with China, looks like it will soon be the time to depart from Apple as well.

I mean, seriously, what the heck, Apple???

Did you even read the above clarification? Tencent is only used for people INSIDE China. That seems perfectly reasonable.

And the validation happens ON DEVICE. They pull the list of URLs from the provider, and compare against your website visits locally on your device. There is no privacy concern with this approach.

 

[macfacts]

Just a sensational headline, Apple clarified what it is doing. I see nothing wrong with that. They could NOT use Tencent for Chinese locales. Then again, IF you are a Chinese user you can simply uncheck that option in Safari settings. If you still have the tinfoil hat on, use a solid VPN

Did you even read the above clarification? Tencent is only used for people INSIDE China. That seems perfectly reasonable.

And the validation happens ON DEVICE. They pull the list of URLs from the provider, and compare against your website visits locally on your device. There is no privacy concern with this approach.

Why are you ignoring the Google aspect of the story? Apple has taught us we shouldn't trust google.

 

[Nugget]

I think you are missing the part where companies USED to sweep this stuff under the rug / downplay things

I think you are missing the part where it doesn't advance the goal of user privacy when people freak out needlessly over every single misleading headline they encounter. Every time there's an uproar over some misleading claim it makes it more difficult for the community to raise legitimate complaints in the future if a real security concern comes to light.

This is a total non-issue and overreacting to it hurts the community.

 

[B4U]

What about Hong Kong?

 

[iGeneo]

Why are you ignoring the Google aspect of the story? Apple has taught us we shouldn't trust google.

Turn off the setting in Safari. Problem solved

it was in the T&C’s

 

[Nuno Lopes]

If the data is anonymised, don't see much of a problem.

Don't know how sending the senders IP address could be avoided. That is the basic premisse of de Internet. If that is a breach of privacy, well don't use the Internet.

Can the data be correlated by IP and eventually the individual? Well, yes.

Does being a Chinese Company make it more likely than being American or British Company ... if we look at what has been going on under the umbrella of the so called new age Marketing tactics, not really.

I undertstand that American's are not used to non American companies being part of the Internet. If was American I would most likely feel "safer" if in the other side of the line was an American Company. But you guys need to understand that is not the case of the rest of the world. We are used to have in the other side of line non national companies, especially American.

 

[thisisnotmyname]

Think about it. If the checks are done locally, why does a second check have to be done on chinese/Google servers? Was the first check some how not done correctly?

first check is just a high level based upon domain name, second pass determines whether the specific full URL is flagged or not.

 

[69Mustang]

Just a sensational headline, Apple clarified what it is doing. I see nothing wrong with that. They could NOT use Tencent for Chinese locales. Then again, IF you are a Chinese user you can simply uncheck that option in Safari settings. If you still have the tinfoil hat on, use a solid VPN

For the most part, I agree this is a fairly benign non-issue. The problem is, this issue can't be viewed in a vacuum. Viewed from the perspective of the last week's activity surrounding companies bowing to Chinese pressure... I can understand some trepidation regarding Apple's relationship with Tencent. Especially when Tencent is used as a proxy of the Chinese gov't to punish anyone remotely supporting HK Protesters.
Tencent as a proxy for punishment: https://deadspin.com/adrian-wojnarowski-upset-former-espn-reporter-who-helpe-1838922338 Woj simply liked the original tweet from Rockets exec. Yup, Tencent cancelled whole show.

 

[thisisnotmyname]

The usr notes specifically state they send your data to Google and Tencent, as well as your IP. It is only Apple's subsequent press release which states anything different.

You may be happy with that but it surely opens up more questions - why does the terms state something explicit and the press release states another process actually occurs. Whatever way you slice it, it doesn't look good for Apple (unless of course you hold Apple stock or think pro-Apple posts on social media will somehow get you a financial reward).

I just think people should take a breath to learn more before jumping to outrage. That's all.

 

[macfacts]

Turn off the setting in Safari. Problem solved

it was in the T&C’s

Or stop buying apple products, problem solved.

 

[Nuno Lopes]

Viewed from the perspective of the last week's activity surrounding companies bowing to Chinese pressure..

Don't know if that is correlated at all. Let's not start a witch hunt shall we?

I'm very critical of Apple regarding the reasons it presented to take down HKmap.

Or stop buying apple products, problem solved.

Buy Microsoft products than?

I think what its at stake in this discussion seams to be beyond Privacy. Because Privacy is a concern regardless what or whom is in the other side of the line.

 

[gleepskip]

I just think people should take a breath to learn more before jumping to outrage. That's all.

If that ever happened, this topic wouldn't need to be in PRSI.

 

[Seoras]

Much ado about nothing.

 

[macfacts]

The days of blindly trusting apple are over. Way over.

 

[cfurlin]

...everyone to knee-jerk respond to everything immediately without pausing a beat to understand whether it's really an issue or not.

Well, it IS the national pastime these days.

 

[gleepskip]

The days of blindly trusting apple are over. Way over.

Their PR machine can't keep up with their recent stumbles. They used to have the best reputation in the biz.

I'm disappointed because it was fun to be enthusiastic about the Apple brand. Now Apple is one of several brands I consider.

 

[69Mustang]

Don't know if that is correlated at all.
Let's not start a witch hunt shall we? I'm very critical of Apple regarding the reasons it presented to take down HKmap.

Please don't parse my quote. Especially if you're going to try to misrepresent the intent of what I wrote. By removing this:

I can understand some trepidation regarding Apple's relationship with Tencent.

You change the entire context of what I wrote. Intentional or not, that's bad form.

 

[Naraxus]

Funny how that’s conveniently ignored.

Surprise surprise. A post from you defending Apple even when they're in the wrong.

 

[Nugget]

Surprise surprise. A post from you defending Apple even when they're in the wrong.

How is Apple in the wrong here? Be specific.

 

[macfacts]

How is Apple in the wrong here? Be specific.

Remember this:

Now apple shares your browsing history with Google. Apple's recent response to this issue is they don't share the actual url, weasel words. Apple shares a hashed value of the url. So apple is technically correct in saying they don't share the actual url.

 

[Nugget]

Now apple shares your browsing history with Google. Apple's recent response to this issue is they don't share the actual url, weasel words. Apple shares a hashed value of the url. So apple is technically correct in saying they don't share the actual url.

Sending the hashed values of suspicious URLs to Google is in no way "sharing your browsing history" with the company. Do you understand that there's no way for Google to take that hash and derive the URL from it? It's a one-way transformation. But there's no reason to even worry about that because Apple does not send the hashed value of the URL to Google.

You are significantly misrepresenting how this works technically. Is it that you don't understand, or are you lying, or do you just not care if you are correct or not?

Edit to clarify:

Here's how it works:

• Your device periodically downloads a list of unsafe URL hash prefixes from Google (or Tencent if you are in China). At this step, Google can see your IP address and can infer that there is a web browser at that IP address. Google can't tell if that web browser is being used, though. Just that it's running.
• Your device is ready to load an URL
• Your device calculates the SHA256 hash of the URL it wants to load.
• Your device trims that hash to just the hash prefix
• Your device checks that hash prefix against the local database of hash prefixes
• If there is no match, the URL is loaded and we're done.
• If there is a match with the database of suspicious hash prefixes, your device requests a list of all the full SHA256 hashes of suspicious URLs which match that prefix. Google can see your IP at this step and knows that you have attempted to load some URL which has the same hash prefix as a known suspicious URL. There's no way for Google to know what URL you are loading or even if that URL is one of their published suspicious URLs
• Your device looks to see if the full hash of the URL it wants to load is one of the full hashes it just received.
• If the full hash is not on the detailed list, the URL is loaded and we're done.
• If the full hash is on the detailed list, the browser throws a warning and declines to load the URL unless you (the user) override it.

You'll notice that at no point has the full hash of the URL you are loading been sent to Google. Even if it had been sent Google would have no way to know what URL you were trying to load (unless it was a match with one of their suspicious URLs), but since the full hash is never sent to Google they can't even do that.

The only weasel words I see are you claiming that Apple "shares your browsing history with Google." That's a flat-out false accusation. No interpretation of the safe browsing API can be summarized in this way.

This is all documented here, btw. It's not a secret how all this works.

 

[citysnaps]

Why are you ignoring the Google aspect of the story? Apple has taught us we shouldn't trust google.

Why are you trying to fan the flames? How often do you use any of google's services?

The days of blindly trusting apple are over. Way over.

Whatever floats your boat.

 

[KnighsTalker]

If you are still concerned by this feature, you can disable it in Settings > Safari > Privacy & Security.

So... I have to risk getting a digital STD because I don't want share my IP with Google and Tencent in relation to which web sites I visit! You can't tell me they haven't developed some algorithm to figure out or narrow down which sites I visit based on the information that Apple gives them. Sure one visit may not be enough but after multiple visits could it be?

 

[Nugget]

You can't tell me they haven't developed some algorithm to figure out or narrow down which sites I visit based on the information that Apple gives them.

Why can't someone explain that to you? Do you just not want to understand how it works?