Apple’s Tencent privacy controversy is more complicated than it looks

Late last week, privacy advocates warned that Apple was sending iOS user data to Chinese company Tencent, an alarming development for anyone who had taken the company’s privacy promises at face value. A note in iOS 13 mentioned that its Safari browser uses Tencent’s Safe Browsing system to help fight malicious webpages — but Tencent may log IP addresses in the process. While this has been true for months or even years, the news casts a harsh light on Apple’s recent struggles with surveillance and censorship in China — and the larger problems with privacy on the web.

Apple’s problems are based on a mostly uncontroversial iOS feature: Safari’s “Fraudulent Website Warning” option. The Fraudulent Website Warning, as its name may suggest, warns users when they’re about to visit a known phishing or malware site. Safari identifies these sites by cross-checking users’ web traffic against an external blacklist. In the past, that’s typically been Google’s Safe Browsing program. According to an iOS notice, though, Apple is now using a blacklist from Tencent Safe Browsing as well.

These blacklists are great for warning users off bad sites. But they can hypothetically be used for tracking users, too. In a worst-case scenario, a browser could directly submit every link you click to be checked against a blacklist — which would create a comprehensive log of your internet activity, linked to your IP address.

The worst-case scenario for “Safe Browsing” is pretty bad — but probably hypothetical

As far as we know, Safari isn’t doing anything like that. But Apple’s partnership with Tencent has still sparked fears that the massive tech and media company could be abusing the system. Tencent runs a variety of apps in China, including the WeChat messaging service and the QQ Browser. And like several other Chinese companies, it censors its apps and has allegedly passed user information to the Chinese government.

Apple has vehemently argued against this theory. In a statement to The Verge, it said that Tencent and Google aren’t getting lists of users’ web browsing history:

“Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.”

Apple offered ZDNet a further description of how the system works. It says Google and Tencent are “sending a copy of the database to a user’s browser and letting the browser check the URL against this local database,” so traffic never actually reaches those companies. It also says that Tencent’s blacklist is only used inside mainland China where Google domains are banned.

Johns Hopkins cryptographer Matthew Green painted a more complex portrait of the Safe Browsing system, however. He notes that Google, for instance, relies on a complex interplay between the blacklist and Safari. Basically, Google hashes each unsafe URL into a code that doesn’t explicitly identify it, then sends Safari the first sections of these hashes, known as “prefixes.” When a user visits a webpage, Safari hashes its URL and checks the prefix against its list. If there’s a match, Safari asks Google for all the hashes that include that prefix. Google delivers, and Safari checks that smaller list for a complete match — then flags the page if it finds one.

Privacy is all about weighing different kinds of threats

This means that Google never sees a complete URL hash, and in many cases, it won’t get any information at all. But when Safari finds a matching prefix and asks Google for more hashes, it reveals the user’s IP address, as well as a partial hash for whatever page they’re visiting.

If a blacklist provider like Google is operating in good faith, this offers reasonably good privacy — especially weighed against the very real dangers of malicious sites. But Green argued that these little pieces of information can still erode users’ anonymity as they browse the web day after day. If a safe browsing provider is actively trying to track people, that could be a problem. He didn’t conclude that Tencent is doing this, but it could be doing it. As a result, Green believes Apple should have been more transparent about the fact that it’s working with the company.

Normally, this might be considered a minor misstep from Apple. After all, lots of American companies work with Tencent. (The company led a $150 million funding round for Reddit earlier this year, and it’s previously invested in Fortnite creator Epic, among many other gaming companies worldwide.) And although China’s government is more draconian and authoritarian than America’s, tech companies have a long and troubling history of complying with US state surveillance requests. Google and Apple were both implicated in PRISM, the National Security Agency’s sweeping web spying program.

The Tencent story blew up because it fit a larger Apple narrative

But the news is coming as Apple faces harsh criticism for its very real concessions to the Chinese government. The company began storing some iCloud encryption keys in China last year, despite fears that this might make them vulnerable to government seizure. More recently, it removed a mapping app that helped Hong Kong residents avoid police checkpoints amid a crackdown on pro-democracy protests. It also hid the Taiwanese flag emoji for iOS users in Hong Kong or Macau, and allegedly banned the Quartz news app from its Chinese App Store over the outlet’s Hong Kong protest coverage.

Moreover, Apple often uses privacy and security to distinguish itself from other tech companies. So its willingness to compromise in China has been a notable weak point, readily exploited by competitors like Facebook.

The bigger story here isn’t about any individual company. It’s about the difficulty of getting meaningful privacy online, especially when a few huge companies control much of the internet. It’s easy to condemn tracking when it’s used for targeted advertising or similar money-making schemes, but these centralized security systems are incredibly useful for anybody browsing the web. But users often don’t understand the trade-offs they’re making — even when those trade-offs are justified to prevent serious threats like phishing and malware.