It's a change that Apple made quietly and was certainly well-intentioned - but an announcement would have been better.
As many people know, Safari includes the "fraud warning" feature. If the function is activated, it warns users about phishing sites. In order to identify such websites, data is exchanged with "Google Safe Browsing". The data of the website accessed and the IP address of the iPhone user are sent. But now another company is said to have been brought in. The Chinese company Tencent is talking about. The quiet innovation in iOS is certainly well-intentioned and is intended to protect iPhone users - but Apple should have communicated this openly. Apple has been using Google's Safe Browsing technology for many years to protect iPhone users from fraudulent websites, and with success. If Google's system detects a problem, the user is shown a warning in Safari - the user is advised not to visit the site - they can then turn around or continue.
“Google Safe Browsing” & “Tencent Safe Browsing”
However, as has now become known, the function has been expanded under iOS 13 - to Apple's disadvantage. Accordingly, the "fraud warning" feature now uses "Google Safe Browsing" and "Tencent Safe Browsing". This means that iPhone users' data could also be sent to China. Apple writes in the updated privacy policy:
"Before opening a website, Safari may send information about that site to Google Safe Browsing and Tencent Safe Browsing to make sure the site is legitimate. Providers that enable private browsing may also log your IP address."
“Google has appropriate protective measures in place”
The professor and cryptographer Matthew Green According to the company, the function can be problematic because it sends the IP address in addition to the website data and sets a cookie. This enables a profile to be created about the general surfing behavior of the respective user. Data protection advocates find the change questionable because China can now also obtain such information. However, there are indications that such data is only sent to Tencent if iPhone users have set their region to China - but there is no concrete evidence of this so far. Google, however, is less skeptical in this regard because the company has appropriate protective measures in place. Green explains these as follows:
“Google quickly came up with a more secure approach to ‘safe browsing’. The new approach is called ‘Update API’ and works like this:
- Google first calculates the SHA256 hash of each unsafe URL in its database and truncates each hash to a 32-bit prefix to save space.
- Google sends the database with the shortened hashes to your browser.
- Every time you visit a URL, your browser hashes it and checks whether its 32-bit prefix is contained in your local database.
- If the prefix is found in the browser's local copy, your browser now sends the prefix to Google's servers, which return a list of all the full 256-bit hashes of the matching URLs so your browser can look for an exact match."
According to this, Google should not really know which website is actually being visited in each individual case. Green continues:
"The typical user does not just visit a single URL, but browses thousands of URLs over time. This means that a malicious provider will have many 'bites at the apple' (no pun intended) to de-anonymize that user. A user who visits many related sites - for example, these sites - will gradually reveal details about their browsing history to the provider, assuming the provider is malicious and can link the requests."
But Tencent is not Google - and users now have to extend the trust they have placed in Google to a Chinese company. The big problem is that Apple has not informed its customers about this. According to Green, it will be difficult for Apple to explain this step, as it has been done in silence - which has made many observers sit up and take notice. Cupertino has not yet commented on the issue - various US media have already asked the company about this.
It remains to be seen whether and when an official statement will be made. If you do not want to use the “fraud warning” feature until then, you can turn off the function yourself, which is activated by default. And this is how it works: Open the iOS settings and navigate to the menu item “Safari”. Then you will find the “Fraud Warning” function in the “Privacy & Security” section. (Photo by World Image / Bigstockphoto)
