It’s been an uncomfortable weekend for Apple which the company has sought to deal with today through an official statement. It started with claims that Apple was sending all browsing data from Mac and iPhone to Chinese company Tencent. When the story surfaced it was followed by outrage and calls for the company to be investigated. The reality, as is often the case with these stories, is much more mundane.
The root of this story is a misunderstanding arguably caused by poor wording in Apple’s own documentation. Read the About Safari Search & Privacy terms and you will find the statement:
“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.”
The Google Safe Browsing service has been around for over a decade. It constantly trawls the Internet to find sites that have been compromised by hackers. It then adds those URLs to its database so that users who try and visit those sites can be warned. Google also uses the data to warn website owners of problems with their sites and provides information on how to clean them up.
Is user data being sent to Google and Tencent?
It is easy to see how the statement about can be misinterpreted. At first reading it suggests that all URLs are being sent to both Google and Tencent to check if they are valid. That is not the case.
Apple’s response to this statement reads:
“Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.
“To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.”
What Apple isn’t saying is that an IP address could end up being shared with the service. That is because the checks are in two parts. The first part uses a hash of the URL from the users browser and compares that to a hashed list. This is done in the browser without connecting to the Safe Browsing servers.
Every entry on that list refers to a block of potential URLs that are suspect. If the URL hash matches an entry on the first list then it is sent to the server, still as a hash, for a secondary check. Only if it fails that check does the fraudulent website warning get displayed. It is this secondary check that sees an IP address being transmitted as part of the connection to the server.
Enterprise Times: What does this mean
Few people bother to read Terms and Conditions. They are generally written in such a way as to be as obscure. It is as if the author was trying to actively dissuade anyone from reading them. It should come as no surprise, therefore, that when poorly worded they get misinterpreted.
That is exactly what has happened here. Anyone with an understanding of how the Safe Browsing service works would have realised there was something not quite right. However, rather than look at how the service works, some publications jumped the gun and took the statements at face value.
At the end of the day, this is a perfect example of the problem we face with user security. A poor choice of words leading to a false positive response that has received far more attention than needed.