Apple's Safari Browser Is Sending Some Users' IP Addresses To China's Tencent

"Apple, which often positions itself as a champion of privacy and human rights, is sending some IP addresses from users of its Safari browser on iOS to Chinese conglomerate Tencent -- a company with close ties to the Chinese Communist Party," reports the Reclaim the Net blog: Apple admits that it sends some user IP addresses to Tencent in the "About Safari & Privacy" section of its Safari settings.... The "Fraudulent Website Warning" setting is toggled on by default which means that unless iPhone or iPad users dive two levels deep into their settings and toggle it off, their IP addresses may be logged by Tencent or Google when they use the Safari browser. However, doing this makes browsing sessions less secure and leaves users vulnerable to accessing fraudulent websites...

Even if people install a third-party browser on their iOS device, viewing web pages inside apps still opens them in an integrated form of Safari called Safari View Controller instead of the third-party browser. Tapping links inside apps also opens them in Safari rather than a third-party browser. These behaviors that force people back into Safari make it difficult for people to avoid the Safari browser completely when using an iPhone or iPad.
Engadget adds that it's "not clear" whether or not Tencent is actually collecting IP addresses from users outside of China. ("You'll see mention of the collection in the U.S. disclaimer, but that doesn't mean it's scooping up info from American web surfers.")

But Reclaim the Net points out that the possibility is troubling, in part because Safari is the #1 most popular mobile internet browser in America, with a market share of over 50%.

Wow

[war4peace]

"Tapping links inside apps also opens them in Safari rather than a third-party browser."

Isn't this something that would warrant antitrust charges?

Re:

[arbiter1]

Should but Apple is immune from being charged in anything antitrust.

Re:Wow

[arbiter1]

Apple in iOS prevents all browsers from becoming default, no problem. MS includes IE in windows, its an antitrust lawsuit. Figure out how that works out where IE being in windows even though you can change default one to what ever you want is a lawsuit and Apple pretty much prevents letting any other browser be default and its 0 problem.

Re: Wow

[xushi]

This is actually a good point. I wonder though why the laws & repercussions arenâ(TM)t applying to Apple now as they did to MS back then? Maybe they make the IRS too much money?

Re:

[ArsenneLupin]

Probably different market share in their target market. Back then, Microsoft had 90%+ market share in the desktop computer market, whereas Apple, while still dominant, have far less percentage of the mobile market than that, thanks to Android.

Re:

[LenKagetsu]

At the same time, Microsoft did literally nothing to impede other browsers from being installed. If I decided to install Firefox or Chrome on an Apple device, I would 100% expect it to put up a fight.

Re:

[ArsenneLupin]

The thing is, the law about abuse of monopoly power cares more about whether you actually have a monopoly than about how hard you try to abuse it...

Re:

[stealth_finger]

Including a default browser was hardly abuse of monopoly.

Re:

[LenKagetsu]

Especially since several aspects of Windows relied on IE for rendering HTML.

Re:

[the_B0fh]

You are ignorant. During the times of the browser wars, Netscape was sold for $50/copy though most people were able to download it for free. And also said the future would be web apps. This is in the 1990s.

Bill Gates famously said - hey, how come nothing on the web needs Windows? And then TCP/IP became part of Windows 95. He included IE, as part of the embrace and extend strategy to monopolize everything.

And he made Windows rely on IE for some of that shit.

You know, there's only a massive antitrust law

Re: Wow

[peragrin]

Microsoft repeatedly blocked and made it difficult to use other browsers by forcing acticeX (expolitOS)

Chrome and Firefox on macos work just fine. We are only talking about iOS. Now it is still troubling but iOS has been losing market share for a while.

Re:

[tsa]

I've been using Firefox on iOS for almost a year now. It works fine and it syncs my bookmarks perfectly. It's just very annoying that any link you open from whatever other app opens in Safari.

Re:

[MassacrE]

Microsoft effectively forbid vendors from including other browsers in their default machine installs.

Re:

[LynnwoodRooster]

iOS was never dominant [statcounter.com], it never even was a plurality, let alone a majority.

Re:

[fustakrakich]

Yeah well, Apple still can't prevent me from buying something else entirely. Is there really a problem?

Re: Wow

[ACForever]

And that the best solution if you truly care about security.

Re:

[tsa]

Really? Why?

Re:

[the_B0fh]

Because he's ignorant and just goes along with Apple haters.

Re:

[Mr_Silver]

Apple in iOS prevents all browsers from becoming default, no problem. MS includes IE in windows, its an antitrust lawsuit.

That's because Microsoft Windows is considered a monopoly and (as number of Android users on here will more happily tell you) iOS is not.

If iOS ever becomes a monopoly then it too would be subject to similar constraints.

Re:

[Carewolf]

Should but Apple is immune from being charged in anything antitrust.

Yes, by having too small a marketshare to be covered by antitrust laws. Espcially in Europe.

Re:Wow

[Freischutz]

Should but Apple is immune from being charged in anything antitrust.

No, but Safari sending IP numbers to China's Tencent but it's "not clear" whether or not Tencent is actually collecting IP addresses from users outside of China is kind of underwhelming when Google Android is reporting every move you make and shipping all your personal data to Google. Quite frankly, I'd be more worried about Google knowing more about my private life than the NSA, CIA, FBI, Chinese and Russian Intelligence combined than some company in China 'possibly' getting my IP address.

Re:

[Arkham]

Apple is not a monopoly. They have a minority marketshare in all markets that they compete in except maybe smart watches. For iOS it's about 30%. You cannot initiate antitrust against a company with a 30% marketshare.

Yes, Apple has a monopoly on iPhones and iOS app store, but consumers know this when they buy it. For many people the walled garden is a large reason they choose iOS. It's a safer place to be, with a tradeoff many are happy with.

As to this Tencent thing, it's exactly the same as Google saf

Re:

[Powercntrl]

Apple literally still bans apps which violate their developer guidelines. This would be fine if there was an option to enable apps from untrusted sources, but Apple doesn't trust you, either (there's an oddly prophetic video [youtube.com] which warned us about this exact scenario).

Apparently, the government doesn't see this as any sort of anti-competitive behavior, because there's still one major competitor in the mobile OS market (which happens to also be an ad company, oh joy). But Facebook needs to be broken up, ost

So what?

[Blaede]

Just follow the developer guidelines, and your app won't be banned. Is that so hard to understand?

Re:

[Anonymous Coward]

You mean make sure you get your app ICP licensed [wikipedia.org]? Sort of funny watching Apple bow and scrape to the Dragon right before a US silly season, likely making Apple the target of politicians on both sides.

Re:

[gtall]

No. It's wrong but it isn't an antitrust violation, which you knew but you thought you'd raise this red herring anyhow.

Re:

[war4peace]

You overestimate me. I don't "know" many things simply because they don't necessarily fall into my area of interest. Therefore, whenever I happen upon things I don't know but pique my interest (albeit momentarily), I ask questions.
Now I understand, the answer is "no", moving on :)

(I don't own any Apple product)

Chinese Communist Party = good FBI = bad?

[Joe_Dragon]

Chinese Communist Party = good FBI = bad?

WTF apple.

Re:

[the_B0fh]

If only facts matter. I tap links inside my gmail app, and it opens Chrome on my iPhone.

I tap links in other apps, and I get to choose Safari, Chrome, or FireFox.

Some apps also saves my choice as the default option.

Re: Wow

[Rishab Roy]

Can't believe Apple 'The so called Privacy Protector ' can do this shit. I am signing off from Safari. We should ask Apple to respond to this allegation.

Why do they need the user IP?

[drnb]

Why do they need the user IP to screen a website URL?

Oh, sorry, silly me. I forget all that build a profile on the user stuff.

Re:

[mschaffer]

You are comparing apples and oranges.
(pun not intended)

Re:

[Namarrgon]

How do you send them the website URL to check without also sending them your IP address to get a response?

The only alternative is for a third party (say, Apple) to proxy the request for you - which they could certainly do, if you didn't mind exposing all your browsing habits to them instead, and if they didn't mind all that extra traffic load.

A variant approach might be to distribute this among a network of Safari users, spreading proxy requests across a large number of peers to decentralise the traffic and

Re:

[drnb]

How do you send them the website URL to check without also sending them your IP address to get a response? The only alternative is for a third party (say, Apple) to proxy the request for you - which they could certainly do, ...

Exactly, which they should do.

... if you didn't mind exposing all your browsing habits to them instead

Better Apple than Tencent or even Google, Apple's business model is not profiling you. They even introduce tech to help anonymize you. They should be doing so here as well. I trust Apple not to log the IP and discard it after sending the response more than Google and especially more than Tencent.

Re:

[ArsenneLupin]

How do you send them the website URL to check without also sending them your IP address to get a response?

Instead of verifying each URL as it happens, have the browser periodically download a blacklist of dodgy URLs and domains. Maybe hashed, if you are concerned of distributing such lists in the clear. Having this list, the browser can check locally whether the URL is safe (by hashing the URL and domain, and checking whether either hash is in the list).

The blacklist server would still have the client's IP, but not continuously, and would not be able to tie it to a specific browse history.

Re:

[Rockoon]

Instead of verifying each URL as it happens, have the browser periodically download a blacklist of dodgy URLs and domains. Maybe hashed, if you are concerned of distributing such lists in the clear.

This is what bloom filters are for.

Re:Why do they need the user IP?

[AmiMoJo]

The obvious alternative that both Mozilla and Google use is to simply download a list of malicious web sites and keep it constantly updated. Firefox updates the list every 30 minutes, for example.

https://support.mozilla.org/en... [mozilla.org]

Offtopic

[XArtur0]

>const int one = 65536; (Silvermoon, Texture.cs)

WTF?

Is that some sort of arcane graphics constant?

(I agree about the black list stuff)

Re:

[GuB-42]

That's most likely fixed point arithmetic. Nothing unusual, really.
It was the most common way of doing graphics with subpixel accuracy when floating point arithmetic was too expensive. And it is still used today, for example in video compression. It is also used in embedded system to transmit data.
Besides performance, it is also more consistent and particularly well adapted when you expect data to be uniformly distributed over a known range.

A drawback is that fixed point arithmetic is rarely supported nativ

Re:

[tlhIngan]

The obvious alternative that both Mozilla and Google use is to simply download a list of malicious web sites and keep it constantly updated. Firefox updates the list every 30 minutes, for example.

So now propose a way to do this on a metered connection. Connection to WiFi or an unmetered link is spotty and erratic and not guaranteed to be timely. And you can't assume the user has a big data allowance - some people have a mere 100MB.

Re:

[AmiMoJo]

Download when non-metered connection is available. Windows provides an API for this, presumably other systems do too.

Re:

[Talchas]

Also you don't have to actually /download/ anything if it hasn't changed, and you could arrange things so that you only download a diff. You only have to check during the times you're actually accessing web pages as well.

Re:

[ToasterMonkey]

Why do they need the user IP to screen a website URL?

Oh, sorry, silly me. I forget all that build a profile on the user stuff.

https://safebrowsing.google.co... [google.com]
How else do you get your request to that service, or tencent's version if in China?

If you live in China and cannot trust any Chinese business because of connections to the government (isn't that ALL of them??), and that is a problem for you, well then christ, you better batten down the hatches and roll your own Linux box or something, because you have bigger problems than software usability.

Re:

[drnb]

Why do they need the user IP to screen a website URL?

Oh, sorry, silly me. I forget all that build a profile on the user stuff.

https://safebrowsing.google.co... [google.com]
How else do you get your request to that service, or tencent's version if in China?

I didn't go to that service, Apple did. Apple can receive the response and forward it to me too. Note that Apple is anonymizing users in other services, they should be doing it here too.

If you live in China and cannot trust any Chinese business because of connections to the government (isn't that ALL of them??), and that is a problem for you, well then christ, you better batten down the hatches and roll your own Linux box or something, because you have bigger problems than software usability.

Nope, this too is solved by Apple receiving the response and forwarding it to you.

Re:

[kbg]

https://safebrowsing.google.co... [google.com]

How else do you get your request to that service, or tencent's version if in China?

Well if China blocks safebrowsing then obviously you either disable safe browsing in China completely or just don't support China for your browser. Chinese censorship is not something you should support.

Re:

[ArsenneLupin]

Why do they need the user IP to screen a website URL?

Maybe server-based screening? I.e. rather than download a complete black/white list of dodgy URLs (or their hashes), the browser asks the server for each URL whether it is ok or not. And that way the server also has the client's IP (it's where the request came from, d'oh...). We have of course no way of knowing whether the server is doing anything with that IP or not.

Re: Why do they need the user IP?

[astrofurter]

"We of course know with near certainty the server is doing something perfidious with that IP."

FTFY

Re:

[drnb]

Apple chose to use the Google/Tencent service, Apple can be the middleman to hide your IP.

Re:

[AHuxley]

Ads, governments, police, profit?
A bit of PRISM? NSA? Lots of ads? Some governments like it like that?

Holy crap

[Junkrat_79]

This is way crazy for Apple. Bad move

Opera still doesnt do this.

[Rockoon]

I keep hearing that Opera is Chinese spyware now... meanwhile its Apple and co that get caught doing this shit.

Re: Opera still doesnt do this.

[xushi]

Isnâ(TM)t opera Open Source now? Or itâ(TM)s engine based loft of Chromeâ(TM)s?

Maybe the Chinese is invading everything

[Slonak Nana]

Combined with Chinese communist grown AI and your data; the end of days is arriving dinner than we thought

Should be pretty clear by now

[fustakrakich]

Apple serves China...

And Google? They don't?

Ideally Apple would operate a proxy

[Camembert]

Despite the typical anti-Apple knee-jerk reactions, there is no reason to think conspiracy.
It is the direct way for the user browser to get the reply from safe site scanning service.
Ideally Apple would operate an anonymising proxy service in the middle.
Yes, then Apple gets your IP addresses but I trust them more than I trust Google or Tencent to flush the info immediately.

Datagrams

[flyingfsck]

Just wait till the Reclaim The Net Bloggers discover TCP/IP and find out that each datagram contains their IP address.

Lost in the shuffle

[Anonymous Coward]

This behavior is not active for all users. Only for those with Chinese locale, and for good reasons, since Google (and Safe Browsing) are blocked in China, and Apple implemented a local alternative: https://twitter.com/campuscodi... [twitter.com]

What about Google?

[vampirbg]

It's interesting how everyone is scared of Chinese spying on them while they are not concerned about Google doing the same? Both companies have strong connections to their respective governments and both are spying on you. The difference is that Chinese are only concerned with Chinese citizens. They will not try to kidnap you and take you to a Chinese prison. US has no problems with that. So, at least for me, sending data to Google is a bigger deal than sending it to Tencent,

Nothing to worry about.

[ACForever]

If we have learned anything about apple this week its that when apple fucks you over for the stake of the shareholders it's all ok. That just the way apple operates. It's part of their DNA

Easily solved by local block list

[Anonymous Coward]

This can easily be solved by letting users download a block list daily and check against that locally. Then users are safe from malicious sites and also privacy is not at risk.

That solves both problems.

"doing this makes browsing sessions less secure"

[bill_mcgonigle]

> doing this makes browsing sessions less secure

If you implicitly trust Google, Tencent, and CCP.

Search "Uyghurs". Free Hong Kong!