During the last week, the reality that US companies often bend the knee to China has been thrown into the spotlight. Apple, one of the biggest US tech companies, has appeased China by hiding the Taiwan flag emoji and ignoring US lawmakers when choosing to ban a Hong Kong protest safety app. Now it’s been discovered that Apple, which often positions itself as a champion of privacy and human rights, is sending some IP addresses from users of its Safari browser on iOS to Chinese conglomerate Tencent – a company with close ties to the Chinese Communist Party.
Apple admits that it sends some user IP addresses to Tencent in the “About Safari & Privacy” section of its Safari settings which can be accessed on an iOS device by opening the Settings app and then selecting “Safari > About Privacy & Security.”
I’m sure the genocidal totalitarian surveillance state that is China won’t abuse this information at all. They pinky-promised to Tim Cook, who was busy telling his company not to make any TV shows critical of China – in line with the rest of Hollywood.
Reading the technical details about Google’s Update API (used for their SafeBrowsing feature), if Tencent’s API is similar (and it is very reasonable to assume it is), then this is a non-issue.
In Google’s case, the most information they get about your web request is the first 32 bits of a SHA-256 hash, for which they send you a chunk of URL hashes for your browser to compare against locally.
If somebody wants to dig in and find the actual API, that’d be useful, but until then I’m going to say that this is a non-issue, even in the context of Apple bending over backwards to accommodate China’s questionable civil rights practices.
Questionable? China is a Communist military dictatorship. What do you expect?
Drumhellar,
Like you, I have no idea about what the iOS/Safari implementation is doing. If it were being used for censorship, it could become problematic. Does Apple allow users to override the blacklisted pages? I looked up Google’s implementation…
https://developers.google.com/safe-browsing/v4
The 32-bit “hash prefix” seems rather ambiguous, assuming an eavesdropper has no other context information. However, an eavesdropper with other contextual data would have a significantly smaller search space, such that the 32-bit (one in 4 billion) hash could uniquely identify a page.
For example, let’s assume the user is using HTTPS, but someone is monitoring the WAN traffic and there is no additional protection (i.e. no VPN). The user requests page P from host H: https://H/P.
The OS will perform a DNS lookup, which reveals H. The browser will open a connection to the IP for H and then send H unencrypted in the HTTPS header (“SNI” needs this to tell the server which https certificate to use):
https://security.stackexchange.com/questions/86723/why-do-https-requests-include-the-host-name-in-clear-text
So, assuming the eavesdropper has H, the 32-bit hash doesn’t need to be unique across the web anymore; the eavesdropper can limit the search to hostnames visited by the user to uniquely identify P with high confidence. So now a browser that leaks 32-bit hashes to an eavesdropper can conceivably create a significant new privacy risk for the user.
Once again, I don’t know the details of Safari’s implementation. However, in theory, even if it worked like Google Safe Browsing, it might still leak enough information for a state to incriminate users with. Every page navigation on a website would leave more fingerprints, increasing the statistical confidence of a match.
I see no reason this couldn’t be done. For me, the big question isn’t so much feasibility, but whether China is actually logging DNS requests along with the hashes needed to perform mass surveillance. Do we know? The thing is, it’s easy to publicly see what China blocks, but difficult to know what China logs…
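To make the narrowing argument above concrete, here is an added example (not the commenter’s code and not Google’s or Apple’s): it computes 32-bit hash prefixes the way Safe Browsing v4 does, in simplified form (a plain “host/path” expression, no canonicalization), and compares how ambiguous such a prefix is against a web-sized candidate set versus the handful of pages on one host whose name was learned from DNS/SNI. The host name and paths are constructed sample values.

```python
import hashlib

PREFIX_BYTES = 4  # Safe Browsing v4 lists mostly carry 4-byte (32-bit) hash prefixes


def hash_prefix(expression: str, n_bytes: int = PREFIX_BYTES) -> bytes:
    """SHA-256 of a URL expression, truncated to its first n_bytes.

    Simplified: v4 hashes canonicalized host/path expressions (no scheme);
    full canonicalization and suffix/prefix enumeration are skipped here.
    """
    return hashlib.sha256(expression.encode("utf-8")).digest()[:n_bytes]


def matching_pages(prefix: bytes, host: str, paths) -> list:
    """Pages on `host` whose prefix equals the observed one.

    Models an observer who already knows H from DNS/SNI and therefore only
    searches that host's pages instead of the whole web.
    """
    return [p for p in paths if hash_prefix(host + p) == prefix]


def ambiguity_probability(n_candidates: int, bits: int = 8 * PREFIX_BYTES) -> float:
    """Probability that at least one *other* candidate shares the observed prefix.

    With uniform hashes each other page collides with probability 2**-bits,
    so P(ambiguous) = 1 - (1 - 2**-bits) ** (n_candidates - 1).
    """
    if n_candidates < 1:
        raise ValueError("need at least the true page as a candidate")
    return 1.0 - (1.0 - 2.0 ** -bits) ** (n_candidates - 1)


# Constructed sample: a small site whose hostname the observer learned from DNS/SNI.
HOST = "news.example"
PATHS = ["/", "/sports/match-report", "/politics/story-1", "/politics/story-2", "/about"]


def demo():
    observed = hash_prefix(HOST + "/politics/story-1")  # what the browser would send
    found = matching_pages(observed, HOST, PATHS)
    web_scale = ambiguity_probability(10**9)          # prefix alone, web-sized set
    host_scale = ambiguity_probability(len(PATHS))    # after the hostname narrows it
    return found, web_scale, host_scale


if __name__ == "__main__":
    found, web_scale, host_scale = demo()
    print("pages on", HOST, "matching the observed prefix:", found)
    print(f"P(ambiguous) with ~1e9 candidates: {web_scale:.3f}")
    print(f"P(ambiguous) with {len(PATHS)} candidates: {host_scale:.2e}")
```

The same prefix is a roughly one-in-five coin toss across a billion-page web but effectively unique once the search is limited to one host, which is the privacy risk the comment describes.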
Thom, this is getting out of hand.
Not that much; when it came to Net Neutrality in the US, Thom was there too. It’s not because the news is currently hot on the Chinese front that Thom cannot handle news from somewhere else when it’s time to.
I couldn’t believe it, because Apple is a company which takes care of its clients.
Louis Rossmann tends to diverge from your opinion on that subject…
I think Thom needs to take a chill pill. What Tencent offers is a list of “safe sites”, just like Google. If your iPhone region is set to China, then the phone checks against Tencent’s safe list, as there isn’t a Google safe list in China.
I can understand the attraction of bad-mouthing the big American corporation for kicks… and hopefully clicks, but this is just crying wolf.
What about Chinese phones, like the OnePlus 6 I own? I guess they do exactly that, whether you buy them in China or not?