Apple is defending reports that it sends some users' private search browser data to Google and the Chinese tech company Tencent.
The feature being debated is built into Apple's Safari web browser for Macs, iPhones and iPads. It is designed to warn people when they visit sites that hackers create to trick them into sharing login passwords for banks, email and social media.
Reclaim the Net reported late last week that Apple’s “About Safari & Privacy” section states the company might send some user IP addresses to Google or Chinese company Tencent. The statement is accessible on an iOS device by opening the Settings app and then selecting “Safari > About Privacy & Security.”
Under the title “Fraudulent Website Warning,” Apple tells the user that “before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent.”
This sending of information between companies could be against the forthcoming CCPA and the European Union GDPR.
iMore goes into detail on how the data-sharing works. The media outlet writes that Safari’s fraudulent website warning flags malicious websites by using Google's malicious website list internationally and Tencent's list for devices set to mainland China. The hashed prefixes of URLs are not shared, though IP addresses are transmitted. The feature can be turned off.
Safari checks web pages that someone tries to access against the list of hashed prefixes. If they match, the page may be malicious. Safari then asks Google or Tencent for the full list of URLs that match the hashed prefix.
The three companies see the IP address of the device. And because they have the hashed prefix, they know the general pool to which the site belongs.
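The lookup flow described above can be simulated to show what the list operator observes. This is an added example, not code from Apple, Google, Tencent or iMore. It assumes SHA-256 hashes truncated to a short prefix, skips URL canonicalization, and has the simulated provider return full hashes for the prefix; all class, function and URL names are hypothetical and the sample data is constructed.

```python
import hashlib
from itertools import count

def full_hash(url):
    # Simplification: real clients canonicalize the URL and hash several
    # host/path combinations; here the string is hashed as given.
    return hashlib.sha256(url.encode("utf-8")).digest()

class Provider:
    """Simulated list operator (hypothetical stand-in for Google or Tencent)."""
    def __init__(self, bad_urls, prefix_len=4):
        self.prefix_len = prefix_len           # assumed prefix size in bytes
        self._full = {full_hash(u) for u in bad_urls}
        self.request_log = []                  # everything the operator observes

    def prefix_list(self):
        return {h[:self.prefix_len] for h in self._full}

    def lookup(self, client_ip, prefix):
        self.request_log.append((client_ip, prefix.hex()))
        return {h for h in self._full if h.startswith(prefix)}

class Browser:
    def __init__(self, ip, provider):
        self.ip, self.provider = ip, provider
        self.local_prefixes = provider.prefix_list()   # downloaded ahead of time

    def check(self, url):
        h = full_hash(url)
        prefix = h[:self.provider.prefix_len]
        if prefix not in self.local_prefixes:
            return "allowed-local"             # no request leaves the device
        matches = self.provider.lookup(self.ip, prefix)
        return "blocked" if h in matches else "allowed-collision"

def colliding_benign_url(provider):
    # Brute-force a harmless URL that shares a listed prefix
    # (practical here only because the demo uses a 1-byte prefix).
    for i in count():
        url = f"https://benign.example/page{i}"
        h = full_hash(url)
        if h[:provider.prefix_len] in provider.prefix_list() and h not in provider._full:
            return url

if __name__ == "__main__":
    p = Provider(["https://phish.example/login"], prefix_len=1)  # constructed sample
    b = Browser("203.0.113.7", p)                                # documentation-range IP
    print(b.check("https://phish.example/login"))
    print(b.check(colliding_benign_url(p)))
    print(p.request_log)   # only (IP, prefix) pairs, never the URL itself
```

A request reaches the operator only when a local prefix matches, and the log then holds the device IP and the prefix, which is the "general pool" the article refers to.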
Users with concerns about the information being passed can go to Settings > Safari on iOS or System Preferences > Security on macOS, and toggle fraudulent website warnings off, according to iMore. Turning off the feature could land users on a malicious website without warning.