Update: the code for Tencent Safe Browsing seems to be very similar to that which talks to Google, down to it being under a "Google" namespace, the API endpoints being named the same, and performing hashing which seems to match the "Update API" here: https://developers.google.com/safe-browsing/v4/update-api. I think this is just "whatever Google could see before, Tencent can see now, if you're in China". I'm no expert, so I have no idea if that's k-anonymous or whatever if Tencent/Google decide they want to track you, but in either case it's just shifting who's getting your hashes.
This is really a "damned if you do, damned if you don't" kind of situation.
They can either use Tencent's Safe Browsing API as a drop-in replacement for Google's API, relying on k-anonymity to leak as little information as possible. That leaves them open to accusations that they allow Tencent (or, for that matter, Google) to track the browsing history of Safari users.
Or they can essentially turn off Safe Browsing in China. (Google's API is collateral damage of the Great Firewall.) That leaves their users unprotected against all kinds of malware and scams.
I think they made the right call here by protecting users against the most common threat (most people are not dissidents), while giving advanced users with a different threat model the opportunity to opt out.
"Or they can essentially turn off Safe Browsing in China."
The OP as well as the associated blog post[1] as well as the Apple-provided fine-print language do not make it clear to me that this "feature" is exclusively enabled for Chinese users (or, perhaps Chinese IPs).
Could someone point to a source that confirms a US person, in the US, with a US-purchased iphone, would not have their browsing history transformed and sent away for analysis to tencent ?
Alternatively, they could purchase the data from Tencent or another company, and operate their own version of the service. That may even be what they’re doing —- but we don’t know, since they launched the service with no details or publicity.
> This is really a "damned if you do, damned if you don't" kind of situation.
Why? Simply, when setting up the device/browser, let the user choose what safe browsing API the browser shall use (both, one of them, or none).
Letting the user make a conscious choice is the best way to handle "damned if you do, damned if you don't" kind of situation. To make the choice as conscious as possible for the user, provide additional material that explains the advantages and disadvantages of each option for the user so that the user is well-informed before he/she makes his/her choice.
I believe an argument could have been made that it was the right call if they had publicized it. Seeing as how it was implemented in the background, I am less inclined to give them the benefit of the doubt.
I'm curious if, as @thefalken brought up [0], this is illegal under the GDPR, given that it's a hidden opt out and should apply to EU citizenry with browser language set to Chinese.
Very doubtful, even with the "hidden opt out" that seems to be sufficiently poorly "hidden" that lots of people here have indeed opted out.
Safe Browsing uses very little data (pretty much the least they could get away with to make it work) and you'd have to establish either that Tencent is lying about how it uses that data AND that Apple knew or reasonably should have known that it was misused.
URLs never leave your browser, so "Apple is sending URLs" is wrong. The Update API is used, so the URLs stay on your browser but under some circumstances hash prefixes of some URLs are sent to Google/ TenCent.
If you choose to assume that Google / TenCent are bad actors then they can probably manipulate this data to target a few URLs and discover who (IP addresses) browsed those URLs. In less well designed browsers like Safari they might be able to tie that to a Google Account independent of the IP address because those browsers don't isolate Safe Browsing API calls from normal web browsing activity (this won't work in e.g. Firefox). If a bad actor did this, it would make performance worse for all users, and the accuracy of the trick would be sabotage unless the set of target URLs tracked is fairly small, if you were looking for a single PDF filename on a single web site it's definitely possible, if you want to track six thousand different articles about Xi's resemblance to Pooh Bear across tens of thousands of sites that's going to cause a lot of false positives you have to weed out somehow.
The code appears to be used for fraud related purposes, meaning, to my understanding, Apple would likely argue it has a legitimate interest.
There’s a lot of legal language around this exception, but fraud is directly called out as a legitimate interest and means that the group controlling the data would not need to obtain user consent.
If it's illegal under the GDPR to send the data of EU citizens with browser language set to Chinese to Tencent, it's also illegal to send the data of EU citizens with browser language set to anything else to Google. Chrome, Firefox, Safari and probably all Chromium-based browsers (unless they disable Safe Browsing by default) use Google's API and would be in violation, too.
we should be linting code to say whether it phones home or not, and what it uploads when it does. plain language privacy policies and ever-changing browser settings are leaving huge gaps.
when the US government bought chinese drones they hired a consultant to prove that the drones never call home.
> we should be linting code to say whether it phones home or not
Is that possible? How do you diffentiate it from expected API calls?
(Not convinced black/white-listing strings is any different from code review in this case - it'll just be changed on demand if if prevents adding what was tried to be added.)
This is where they need to sacrifice some computer security for physical security. By turning this off, a few people who don't follow good security practices might get malware. But no one will be sent to prison or "disappeared".
Apple has done a lot for privacy in its products and its public statements. But I believe that if it has to have a better impact and be trusted, it needs someone dedicated to privacy who will (ensure that it will) publish details of its products, apps and activities in an honest form in an accessible place (and updated more often than a once-a-year OS upgrade cycle). This kind of commitment to more transparency will help the company be trusted and also held up to questions. Said trust is already eroding with recent events. Apple shouldn’t be complacent and stick to its old ways.
Sadly, Apple also has a history of brushing things away or ignoring uncomfortable questions.
Are those Google/Tencent API requests done only when browsing with Safari, or are they done for any SFSafariViewController?
That would imply it’s also inside Brave/Firefox/Chrome...
Again I feel like I'm reaching out to be educated here.. but if Safari is attempting to validate URLs for safe browsing using the Google API (which it states it will do, quite openly), and Google products is quite clearly blocked in China so it resorts to Tencents API (which it states it will do, quite openly).. why does this seem to provoke anger?
I mean this in the most equitable way possible, I'm more trying to understand where Apple has done anything wrong here?
I think the audience in HN are crazy now. Why would you prefer Google than Tencent for same purpose of API? Should all Chinese scare that iPhone would send back all logs to California? Should they scare Tesla sent back all their driving data to US?
If you don't trust anything from China, would you destroy any electronics Made In China, including your smartphones, laptop, TV etc, or even some food?
It should be noted that Apple could very well proxy those requests to Google and Tencent to protect their customers' ip address, or even implement safe browsing on their own all together.
The fact that they don't means that either they trust Google and Tencent, or that they don't care about privacy.
Probably this is the page of Tencent safe browsing: https://urlsec.qq.com/ I don’t understand why you trust Google so much. It’s as untrustworthy as Tencent for me.
Based on the twitter conversation, it's NOT China only. It's Chinese localization only. Big difference. That means anyone anywhere in the world who set their computer to Chinese has their data sent. Including Europe which is likely a GDPR violation.
[+] [-] amanzi|6 years ago|reply
[+] [-] saagarjha|6 years ago|reply
[+] [-] eastendguy|6 years ago|reply
So even for US and EU based users the data is send to Tencent just because they enabled Chinese language support? Who programmed that?
[+] [-] rocqua|6 years ago|reply
In any case, I'd love to know how you generated this. Would be very cool to get something similar out of an executable.
[+] [-] carol0987|6 years ago|reply
[+] [-] unknown|6 years ago|reply
[deleted]
[+] [-] elwell|6 years ago|reply
I'm glad I don't use Objective-C... That's some Java level function naming there.
Edit: may have spoke too soon, appears to be possible reverse engineered / decompiled?
[+] [-] yorwba|6 years ago|reply
They can either use Tencent's Safe Browsing API as a drop-in replacement for Google's API, relying on k-anonymity to leak as little information as possible. That leaves them open to accusations that they allow Tencent (or, for that matter, Google) to track the browsing history of Safari users.
Or they can essentially turn off Safe Browsing in China. (Google's API is collateral damage of the Great Firewall.) That leaves their users unprotected against all kinds of malware and scams.
I think they made the right call here by protecting users against the most common threat (most people are not dissidents), while giving advanced users with a different threat model the opportunity to opt out.
[+] [-] rsync|6 years ago|reply
The OP as well as the associated blog post[1] as well as the Apple-provided fine-print language do not make it clear to me that this "feature" is exclusively enabled for Chinese users (or, perhaps Chinese IPs).
Could someone point to a source that confirms a US person, in the US, with a US-purchased iphone, would not have their browsing history transformed and sent away for analysis to tencent ?
[1] https://blog.cryptographyengineering.com/2019/10/13/dear-app...
[+] [-] matthewdgreen|6 years ago|reply
[+] [-] wolfgke|6 years ago|reply
Why? Simply, when setting up the device/browser, let the user choose what safe browsing API the browser shall use (both, one of them, or none).
Letting the user make a conscious choice is the best way to handle "damned if you do, damned if you don't" kind of situation. To make the choice as conscious as possible for the user, provide additional material that explains the advantages and disadvantages of each option for the user so that the user is well-informed before he/she makes his/her choice.
[+] [-] austinkhale|6 years ago|reply
[+] [-] ddtaylor|6 years ago|reply
[+] [-] larkeith|6 years ago|reply
[0] https://mobile.twitter.com/thefalken/status/1183445477645312...
[+] [-] tialaramex|6 years ago|reply
Safe Browsing uses very little data (pretty much the least they could get away with to make it work) and you'd have to establish either that Tencent is lying about how it uses that data AND that Apple knew or reasonably should have known that it was misused.
URLs never leave your browser, so "Apple is sending URLs" is wrong. The Update API is used, so the URLs stay on your browser but under some circumstances hash prefixes of some URLs are sent to Google/ TenCent.
If you choose to assume that Google / TenCent are bad actors then they can probably manipulate this data to target a few URLs and discover who (IP addresses) browsed those URLs. In less well designed browsers like Safari they might be able to tie that to a Google Account independent of the IP address because those browsers don't isolate Safe Browsing API calls from normal web browsing activity (this won't work in e.g. Firefox). If a bad actor did this, it would make performance worse for all users, and the accuracy of the trick would be sabotage unless the set of target URLs tracked is fairly small, if you were looking for a single PDF filename on a single web site it's definitely possible, if you want to track six thousand different articles about Xi's resemblance to Pooh Bear across tens of thousands of sites that's going to cause a lot of false positives you have to weed out somehow.
[+] [-] Muromec|6 years ago|reply
[+] [-] 33degrees|6 years ago|reply
[+] [-] alextheparrot|6 years ago|reply
There’s a lot of legal language around this exception, but fraud is directly called out as a legitimate interest and means that the group controlling the data would not need to obtain user consent.
For additional reading, I’d recommend the following post: https://www.gdpreu.org/the-regulation/key-concepts/legitimat...
[+] [-] yorwba|6 years ago|reply
[+] [-] leoh|6 years ago|reply
[+] [-] saagarjha|6 years ago|reply
[+] [-] dhdhebsb|6 years ago|reply
[+] [-] saagarjha|6 years ago|reply
[+] [-] awinter-py|6 years ago|reply
we should be linting code to say whether it phones home or not, and what it uploads when it does. plain language privacy policies and ever-changing browser settings are leaving huge gaps.
when the US government bought chinese drones they hired a consultant to prove that the drones never call home.
[+] [-] OJFord|6 years ago|reply
Is that possible? How do you diffentiate it from expected API calls?
(Not convinced black/white-listing strings is any different from code review in this case - it'll just be changed on demand if if prevents adding what was tried to be added.)
[+] [-] aussieguy1234|6 years ago|reply
[+] [-] wtmt|6 years ago|reply
Sadly, Apple also has a history of brushing things away or ignoring uncomfortable questions.
[+] [-] sgz|6 years ago|reply
[+] [-] sekasi|6 years ago|reply
I mean this in the most equitable way possible, I'm more trying to understand where Apple has done anything wrong here?
[+] [-] brians|6 years ago|reply
[+] [-] taobility|6 years ago|reply
[+] [-] Jyaif|6 years ago|reply
[+] [-] mulle_nat|6 years ago|reply
[+] [-] chenzhekl|6 years ago|reply
[+] [-] zaphirplane|6 years ago|reply
[+] [-] thawaway1837|6 years ago|reply
[+] [-] unknown|6 years ago|reply
[deleted]
[+] [-] ycombonator|6 years ago|reply
[+] [-] unknown|6 years ago|reply
[deleted]
[+] [-] ripley12|6 years ago|reply
[+] [-] marcinzm|6 years ago|reply
Based on the twitter conversation, it's NOT China only. It's Chinese localization only. Big difference. That means anyone anywhere in the world who set their computer to Chinese has their data sent. Including Europe which is likely a GDPR violation.
[+] [-] BenTheElder|6 years ago|reply
[+] [-] kop316|6 years ago|reply
[+] [-] valleyer|6 years ago|reply
https://developers.google.com/safe-browsing/v4/update-api#ch...
[+] [-] iamspoilt|6 years ago|reply