Apple Inc. came under fire on Monday for sending web browsing data, including IP addresses, to China’s Tencent Holdings Ltd., the latest criticism of how the company operates in the world’s most populous nation.
For about two years, Apple has been sending data to Tencent as part of an iPhone and iPad security feature that warns users if a website is malicious or unsafe before they load it. The U.S. company checks addresses against an existing list of sites known to be problematic. That list is maintained by Tencent for users in mainland China and by Google for other regions, including in the U.S.
In newer versions of Apple’s iOS operating systems, the company says this feature “may also log your IP address,” potentially providing Tencent, a Chinese internet conglomerate with government ties, data such as a user’s location. The safe browsing feature with Google was first added to iOS in 2008, but it was expanded to include Tencent with iOS 11 in 2017. Apple updated its description of the feature in more recent versions of iOS.
“We deserve to be informed about this kind of change and to make choices about it,” Matthew Green, a cryptographer and professor at Johns Hopkins University, wrote in a blog post. “Users should learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them.”
This isn’t the first time Apple has been criticized for working with a Chinese company to handle local data. In 2018, Apple partnered with Guizhou-Cloud Big Data to store iCloud data locally for users in mainland China.
More recently, Apple has been scrutinized for what some see as appeasing China. BuzzFeed recently reported that Apple told creators of shows for its TV+ streaming service to avoid portraying China in a poor light. The company recently removed the Taiwanese flag from the emoji keyboard on devices running in Hong Kong and Macau, after earlier pulling it from mainland China. It also came under fire for removing a maps app in Hong Kong that the developer said was designed to help users avoid areas of protest. Apple said it was following local laws in both instances.
Apple said in a statement that the feature protects user privacy and safeguards people’s data. The checks occur on the devices, and the actual web addresses are never shared with Tencent and Google, the safe browsing providers. The feature is on by default, but can be switched off, Apple also said. The IP address of a user’s device is shared when a website is found to be suspicious and a warning is sent.
Some users were concerned that data would be sent to Tencent globally because the firm is mentioned even on iPhones outside China. Apple will probably clarify this in a future version of iOS.
The feature can be disabled under the Privacy & Security section in the Settings app by tapping the “Fraudulent Website Warning” toggle. If a user does that, IP addresses won’t be shared, but Apple also won’t be able to check websites against Tencent’s or Google’s lists.