Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
China Safari Apple

Apple Responds To Reports That It is Sharing Data With Tencent 124

Over the weekend, reports emerged that claimed that Apple was sending users' browsing details to Tencent to run it against Chinese company's safe browsing feature. In a statement on Monday, an Apple spokesperson has offered a clarification: Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of website you visit is never shared with a safe browsing provider and the feature can be turned off.
This discussion has been archived. No new comments can be posted.

Apple Responds To Reports That It is Sharing Data With Tencent

Comments Filter:
  • Trust (Score:4, Informative)

    by mschaffer ( 97223 ) on Monday October 14, 2019 @11:28AM (#59305898)

    Why are they sending the user's IP address? That's a whole different kettle o' fish.

    • Re:Trust (Score:4, Informative)

      by dex22 ( 239643 ) <plasticuserNO@SPAMgmail.com> on Monday October 14, 2019 @11:35AM (#59305918) Homepage

      They - Apple - aren't sending anything. YOU are requesting a current blacklist, and Tencent needs your IP to deliver your data to you. It doesn't go through Apple.

      You could spoof your IP, but the quality of the response might decline below usefulness ;)

      • Why isn't Apple acting as the middleman / GateKeeper

        • Why should they? Your IP address is handed to every Internet site you communicate with. It's not private. Any evil authoritarian regime seeking to do you harm already knows your IP address, 'cause they control the telecom that gave you that IP address.

          • Why isn't Apple acting as the middleman

            Why should they?

            Because APPLE decided to connect to this service NOT YOU.

            • You're right! Apple totally should have told you about this feature!! ....Oh wait, they did.
              Well, Apple should have totally given you a way to disable this feature!! ....Oh wait, they did.

              • You're right! Apple totally should have told you about this feature!! ....Oh wait, they did.

                What steps did Apple explicitly notify each user, including guest users of a device, that the device would be performing fraud blocklist lookups? Whether these steps constitute adequate notification depends on the exact nature of these steps. Otherwise, it's like posting a public notice "in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard,'" as the late SF author Douglas Adams put it.

                • What steps did Apple explicitly notify each user, including guest users of a device, that the device would be performing fraud blocklist lookups?

                  It's listed in the new features of the iOS update that introduced it.

                  You do actually read what you're running, and don't just blindly trust Apple, right?

                  • by tepples ( 727027 )

                    Thank you for clarifying. But in the case of a device used by multiple people, users other than the owner are even less likely to have read the release notes.

          • by AHuxley ( 892839 )
            Re "Your IP address is handed to every Internet site you communicate with."
            That a users requests and has some control over.
            Apple products, Apple setting, Apple can offer the lists and keep the users IP safe for that service.
            Re "Any evil authoritarian regime seeking to do you harm already knows your IP address"
            Why keep feeding and supporting an evil authoritarian regime? By giving it user ip's...
      • They - Apple - aren't sending anything. YOU are requesting a current blacklist, ...

        NO NO NO. YOU are not, Apple made that decision, not YOU. The fact that it is your device does not change this. Apple made this decision, Apple should have acted as the middleman.

      • They - Apple - aren't sending anything. YOU are requesting a current blacklist, and Tencent needs your IP to deliver your data to you.

        No. The request is coming from Apple. You confuse "your device" with "you". Apple made the decision to send your IP to that service. They introduced a new step into the processes of visiting a website, they decided to enable that step by default, they did not properly inform users of this change. Yeah, sure, the info is buried somewhere in a long agreement no one reads, paired with a mandatory "I AGREE" button that is the only way you may use your device.

    • i will just say it out loud, "Free Hong Kong"
    • ....you might want to brush up on the basics of TCP/IP networking.

      • ....you might want to brush up on the basics of TCP/IP networking.

        You might want to brush up on why this TCP/IP connection was made. APPLE decided to connect to this service, the USER did not.

        • Actually, the USER did when they used this service. Don't want it? Turn it off.

          This is a little like claiming APPLE should proxy every Internet request an iOS device makes.

          • It's like saying Apple should proxy every ancillary request that a web browser makes. Ancillary requests are requests other than to the web servers responsible for serving a particular HTML document and the resources that it transcludes.

            • Ancillary requests are requests other than to the web servers responsible for serving a particular HTML document and the resources that it transcludes.

              So, every iOS request.

              (Or you've spent very, very little time looking at a modern web page)

              • by tepples ( 727027 )

                All the CDNs and adtech scripts in a modern web page are technically part of "the resources that [a document] transcludes." The fraud lookup is not.

                • So sending the user's IP to Google when the client does a fraud lookup is bad. Sending the user's IP to Google to retrieve an ad is good.

            • It's like saying Apple should proxy every ancillary request that a web browser makes. Ancillary requests are requests other than to the web servers responsible for serving a particular HTML document and the resources that it transcludes.

              No, it is not. This request was not "part" of the web page the user requested nor part of standard protocols for looking up a web page. It is an Apple specific service added to the process. Their creation, their responsibility.

              • by tepples ( 727027 )

                I sense violent agreement here.

                This request was not "part" of the web page the user requested nor part of standard protocols for looking up a web page. It is an Apple specific service added to the process.

                That's sort of what I was trying to get at by defining "ancillary" request.

        • A) It's an optional feature
          B) It has an obvious toggle in Settings > Safari
          C) Immediately under that group of toggle buttons is an "About Safari & Privacy" link to a plain-English explanation of the feature, which I've reproduced below in its entirety

          Fraudulent Website Warning

          When Fraudulent Website Warning is enabled, Safari will display a warning if the website you are visiting is a suspected phishing website. Phishing is a fraudulent attempt to steal your personal information, such as user names, passwords, and other account information. A fraudulent website masquerades as a legitimate one, such as a bank financial institution, or email service provider. before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent.

          Given all of that, I don't think it's so clear-cut as you make it out to be. The feature is enabled by default (i.e. it's opt-out), so there's an argument to be made that, as you said, Apple made the choice for users who never see the toggle. On the othe

          • by drnb ( 2434720 )
            You confuse the feature's existence with the implementation details. Until now most users probably assumed, reasonably, that Apple was the source of the malware related info. At least for the specific transaction. That Apple was reporting every website visit to Tencent was most like a surprise to most users in China.
            • That Apple was reporting every website visit to Tencent was most like a surprise to most users in China.

              As well it should be, since that’s not what’s happening. Apple doesn’t report any website to Tencent, let alone every website.

              They only report a hash prefix of the URL, and they only do even that if that hash prefix happens to be listed in the baked-in blacklist that’s already on the device. I.e. For the vast majority of clicks, they hear nothing from you, but when they do hear from you, all they get is a gibberish string that corresponds to any one of a multitude of URLs, any one of

  • Apple is basically saying they use the update API variant of Safebrowsing. It works by checking hashes on the client:
    https://developers.google.com/... [google.com]

    One concern might be if Apple provides any metrics back to Tencent as a provider regarding Safebrowsing hits, but there is no link in TFA so it's hard to know what was actually said.

    • Spoke too soon. If there is a hit:

      To check if a URL is on a Safe Browsing list, the client must first compute the hash and hash prefix of the URL (see URLs and Hashing). The client then queries the local database to determine if there is a match. If the hash prefix is not present in the local database, then the URL is considered safe (not on the Safe Browsing lists).

      If the hash prefix is present in the local database (a hash prefix collision), the client must send the hash prefix to the Safe Browsing servers for verification. The servers will return all full-length SHA 256 hashes that contain the given hash prefix.

      https://developers.google.com/... [google.com]

      So unless there are a lot of collisions (unlikely), the provider could reasonably know which site you were trying to visit, if this final step is performed on a hit.

      • China (or google) could "force collisions". They just include the hash of sites they want to monitor in the list. If you hit the site, it forces the collision lookup (which they could then say is safe so you don't notice) That said, I was pretty sure they already monitor their whole internet, and who's seeing what. This seems like an obscure way to monitor people, but plausible.
  • by Rick Zeman ( 15628 ) on Monday October 14, 2019 @11:35AM (#59305922)

    ...since Google is banned in mainland China. Apple either has to use a local-to-them resource, or have a broken feature.

    #FreeHongKong

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...