
FaustsHausUK

Contributor
Mar 11, 2010
607
1,287
Chicago, IL
So... I have to risk getting a digital STD because I don't want to share my IP with Google and Tencent in relation to which web sites I visit! You can't tell me they haven't developed some algorithm to figure out or narrow down which sites I visit based on the information that Apple gives them. Sure one visit may not be enough but after multiple visits could it be?

How at risk you are depends on what kinds of web sites you typically visit, and what kinds of ads/tracking pixels those web sites serve. Content blockers will help with the latter.

For more information on how this lookup functionality works, though, this post is brilliant: https://forums.macrumors.com/thread...mited-to-mainland-china.2205745/post-27874908
 
Reactions: iGeneo

iGeneo

macrumors demi-god
Jul 3, 2010
1,387
2,588
So, Rene Ritchie summed it up well. This is REALLY straightforward, no "fanboy" talk. Hopefully this should shut down the silly rhetoric. Of course, I realize it won't... unfortunately some people are here to argue regardless of facts.

  • Google and Tencent send Safari hashed prefixes of URLs (websites) known to be malicious. If your device is region-set to most places, you get Google's. If it's region-set to mainland China, you get Tencent's. Hash prefixes, while imperfect, were designed to be more general than specific URLs.
  • Safari checks any web page you try to go to against the list of hash prefixes. If they match, the page may be malicious.
  • At that point, Safari asks Google or Tencent for the full list of URLs that match the hashed prefix.
  • Safari then checks the site against the list on device to determine if there's an exact match. So, the specific URL is never sent to Google or Tencent.
  • Because Safari is communicating with Google and Tencent, they do see the IP address of the device, and because they have the hash prefix, they do know the general pool to which the site belongs.
  • If anyone, at any time, has any concerns about Google or Tencent having that information, they can go to Settings > Safari on iOS or System Preferences > Security on macOS, and toggle fraudulent website warnings off. The downside, of course, is that you might hit a malicious website without warning. So, you need to balance the threats associated with both conditions.
 
Reactions: NetMage

iGeneo

macrumors demi-god
Jul 3, 2010
1,387
2,588
Why can't Apple use a pseudo-IP like they do with email addresses for sign in with Apple? Just on the safe side take my IP out of the mix please!

Certainly an opportunity for an enhancement here. It's not "broken" today, but this shows that there may be a better way to handle it
 

Count Blah

macrumors 68040
Jan 6, 2004
3,192
2,748
US of A
I think you are missing the part where it doesn't advance the goal of user privacy when people freak out needlessly over every single misleading headline they encounter. Every time there's an uproar over some misleading claim it makes it more difficult for the community to raise legitimate complaints in the future if a real security concern comes to light.

This is a total non-issue and overreacting to it hurts the community.
We got clarification from Apple. Do you think that happened without a measurable number of people turning off the setting?

We didn’t use to get it in the past.
 

iGeneo

macrumors demi-god
Jul 3, 2010
1,387
2,588
They don't send your IP address per se. It is provided in the network packets the phone sends to the server when it connects to the service.

It is how the Internet works.

Indeed... and TBH, a VPN is never a bad idea
 

hans1972

macrumors 68040
Apr 5, 2010
3,310
2,896
I do not know what is really worse, me being uncomfortable with Apple doing everything China tells them to do, or people like you blindly defending Apple on everything.

iPhones in China can't use the Google service since it is blocked by the government. Before they used Tencent for Chinese users, these users did not have access to this service.

It is a valuable service, which is why AFAIK every major browser implements it.
 

Nugget

Contributor
Nov 24, 2002
2,122
1,357
Tejas Hill Country
We got clarification from Apple. Do you think that happened without a measurable number of people turning off the setting?

We didn’t use to get it in the past.

Nothing in Apple's "clarification" was new information. The safe browsing APIs were already well-understood by anyone who cared. Now all we have is a cacophony of people who are livid because they continue to believe that Apple are compromising their privacy despite the fact that it isn't even remotely true.

There was no whistle blower here. Nothing was being swept under the rug or downplayed. This is just a bunch of people going off half-cocked with a flawed understanding of the issue and a fervent belief that their privacy has been violated somehow.

A few months from now this will enter the collective consciousness as "back when Apple was sending everyone's private browsing history to the Chinese government until the people rose up and made them stop." Millions of people will actually believe that's what happened. It's a damn shame.
 

hans1972

macrumors 68040
Apr 5, 2010
3,310
2,896
Think about it. If the checks are done locally, why does a second check have to be done on Chinese/Google servers? Was the first check somehow not done correctly?

The list is too big to be stored locally and to be downloaded. I would not be surprised if the list could be upwards of 100Gb if implemented that way.

Instead the service and the clients use some smart tricks to store a much smaller list on the device. When that list is not enough, it will fetch more data from the service and the second control is done locally also.
 
Reactions: NetMage and Nugget

hans1972

macrumors 68040
Apr 5, 2010
3,310
2,896
The user notes specifically state they send your data to Google and Tencent, as well as your IP. It is only Apple's subsequent press release which states anything different.

You may be happy with that but it surely opens up more questions - why do the terms state something explicit and the press release states that another process actually occurs? Whatever way you slice it, it doesn't look good for Apple (unless of course you hold Apple stock or think pro-Apple posts on social media will somehow get you a financial reward).

The release notes did not say that Apple sends your IP address. It says that the service may record your IP address.

Every time your device connects to another device on the Internet, your IP address is being sent in the network packets. Your phone and Mac have sent your IP address millions of times to servers and machines on the Internet.
 
Reactions: NetMage and Nugget

robjulo

Suspended
Jul 16, 2010
1,623
3,159
lol....regardless of the merits of whatever he said....Rene Ritchie is a shill and has zero credibility.


So, Rene Ritchie summed it up well. This is REALLY straightforward, no "fanboy" talk. Hopefully this should shut down the silly rhetoric. Of course, I realize it won't... unfortunately some people are here to argue regardless of facts.

  • Google and Tencent send Safari hashed prefixes of URLs (websites) known to be malicious. If your device is region-set to most places, you get Google's. If it's region-set to mainland China, you get Tencent's. Hash prefixes, while imperfect, were designed to be more general than specific URLs.
  • Safari checks any web page you try to go to against the list of hash prefixes. If they match, the page may be malicious.
  • At that point, Safari asks Google or Tencent for the full list of URLs that match the hashed prefix.
  • Safari then checks the site against the list on device to determine if there's an exact match. So, the specific URL is never sent to Google or Tencent.
  • Because Safari is communicating with Google and Tencent, they do see the IP address of the device, and because they have the hash prefix, they do know the general pool to which the site belongs.
  • If anyone, at any time, has any concerns about Google or Tencent having that information, they can go to Settings > Safari on iOS or System Preferences > Security on macOS, and toggle fraudulent website warnings off. The downside, of course, is that you might hit a malicious website without warning. So, you need to balance the threats associated with both conditions.
 
Reactions: mi7chy

hans1972

macrumors 68040
Apr 5, 2010
3,310
2,896
Now this, this is another in a row of supporting China's oppression towards Chinese people. Tencent's "fraudulent website list" can be anything that Chinese doesn't see fit. Anything. If Chinese government is uncomfortable with it, then it is gonna be on "fraudulent sites list".

China is not using this functionality to censor sites. I mean you can just turn the functionality off. China already has much better technology for this.
If Tencent is safe and trustworthy then why only use it for Chinese users?

Sort your story out Tim.

Apple wants to use a Google service for all countries. But the service is not available in China. Therefore they have to use another service to provide this important functionality for their Chinese users.
 

mi7chy

macrumors G4
Oct 24, 2014
10,495
11,155
If you aren't in China, the data is sent to Google servers, the same Google Apple says doesn't respect privacy. The same Google Apple says we should be afraid of.

But the Google that Apple has deemed safe enough to send your Apple device searches to in exchange for money.
 
Reactions: macfacts

mi7chy

macrumors G4
Oct 24, 2014
10,495
11,155
Why can't Apple use a pseudo-IP like they do with email addresses for sign in with Apple? Just on the safe side take my IP out of the mix please!

Because it's too difficult for Apple to know what a proxy server is.
 

hans1972

macrumors 68040
Apr 5, 2010
3,310
2,896
So... I have to risk getting a digital STD because I don't want to share my IP with Google and Tencent in relation to which web sites I visit! You can't tell me they haven't developed some algorithm to figure out or narrow down which sites I visit based on the information that Apple gives them. Sure one visit may not be enough but after multiple visits could it be?

Your IP address is public. It is meant to be public. Trying to hide it is very difficult and will cause more problems than it will solve. Also your IP address changes frequently esp. on mobile networks and work networks.

This very site uses code which loads in your browser and connects to Google services.

There is no way they can get your complete browsing history. What they are able to record is that this IP address wanted to browse one of these 100 000 URLs. Or 1 in 10 000. Or 1 in 1 million. And only for the few times it connects to this service.

Which is not very useful.
 
Reactions: NetMage

hans1972

macrumors 68040
Apr 5, 2010
3,310
2,896
Why can't Apple use a pseudo-IP like they do with email addresses for sign in with Apple? Just on the safe side take my IP out of the mix please!

They could but it would increase complexity and certainly cause other problems.

To connect to the Internet you need a PUBLIC IP address. It is supposed to be public. That is how the Internet works at its basic level. Apple should not try to work around how the Internet works.

Trying to hide it can create all sorts of problems.

If you need to hide your public IP address, you should use a VPN.
 
Reactions: Nugget

Nugget

Contributor
Nov 24, 2002
2,122
1,357
Tejas Hill Country
What they are able to record is that this IP address wanted to browse one of these 100 000 URLs. Or 1 in 10 000. Or 1 in 1 million. And only for the few times it connects to this service.

They don't even get that much. They just know when the browser is browsing a URL where the hash prefix matches. That means that they know your IP address may be trying to load one of the suspicious URLs. Or maybe not -- it might be a completely unrelated URL that just shares the same hash prefix as a suspicious URL.

And for the vast, vast majority of URLs they don't see anything at all.
 
Reactions: NetMage and iGeneo
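
Added example (not written by any poster in this thread, and not Apple's, Google's or Tencent's code): a Python sketch of the lookup flow described in iGeneo's bullet list and in hans1972's and Nugget's replies, recording exactly what the list operator observes per lookup. `ListProvider`, `Browser`, the sample URLs and the documentation-range IP address are constructed for illustration; the 1-byte prefix is an assumption made so a colliding benign URL is easy to find, whereas Google's Safe Browsing lists use SHA-256 prefixes of 4 bytes or more.

```python
import hashlib

def full_hash(url_expr: str) -> bytes:
    # Real clients canonicalize the URL and hash several host/path expressions;
    # this sketch hashes one already-canonical string.
    return hashlib.sha256(url_expr.encode()).digest()

class ListProvider:
    """Hypothetical stand-in for the list operator (Google or Tencent in the thread)."""
    def __init__(self, bad_exprs, prefix_len):
        self.prefix_len = prefix_len
        self._full = {full_hash(u) for u in bad_exprs}
        self.observed = []  # everything the provider learns, one entry per lookup

    def prefix_list(self):
        return {h[:self.prefix_len] for h in self._full}

    def full_hashes(self, client_ip, prefix):
        self.observed.append((client_ip, prefix.hex()))
        return {h for h in self._full if h.startswith(prefix)}

class Browser:
    def __init__(self, provider, ip):
        self.provider, self.ip = provider, ip
        self.prefixes = provider.prefix_list()  # the small list kept on the device

    def check(self, url_expr):
        h = full_hash(url_expr)
        prefix = h[:self.provider.prefix_len]
        if prefix not in self.prefixes:
            return "allowed, no request sent"
        # Only the prefix leaves the device; the final comparison is local.
        if h in self.provider.full_hashes(self.ip, prefix):
            return "blocked"
        return "allowed, prefix collision"

def demo():
    # Constructed data. The 1-byte prefix is an assumption for the demo only,
    # so that a benign URL sharing a prefix with a listed one is found at once.
    provider = ListProvider(["phish.example/login", "malware.example/a.exe"], 1)
    browser = Browser(provider, ip="203.0.113.7")
    pages = [f"news.example/story{i}" for i in range(5000)]
    miss = next(p for p in pages if full_hash(p)[:1] not in browser.prefixes)
    collide = next(p for p in pages if full_hash(p)[:1] in browser.prefixes)
    results = [browser.check(u) for u in (miss, collide, "phish.example/login")]
    return results, provider.observed

if __name__ == "__main__":
    print(demo())
```

The provider's log ends up with two entries, each an IP address plus a prefix, and the entry for the benign colliding page is indistinguishable in kind from the entry for the listed page.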