“I have not come to the conclusion that Tencent is tracking users, but Tencent may do so.”

This week, Bloomberg reported that Apple is sending iOS user data to the Chinese company Tencent. For a company that markets user privacy as a selling point, this looked like a serious scandal. In the early morning of the 15th, Apple responded to the media, saying that the report is not accurate.

Several media outlets, including Bloomberg, pointed out that Apple has been sending data to Tencent for about two years, because the iPhone and iPad have a security feature that warns users whether a site is malicious before it is loaded. Apple judges whether a website is safe by checking its address against a list of known malicious sites. These lists are provided by Tencent and Google: the former covers users in mainland China, the latter users in the rest of the world.

A note in iOS 13 mentions that its Safari browser uses Tencent’s Safe Browsing system to help fight malicious web pages, but that Tencent may log IP addresses in the process. In fact, Tencent has been providing Safe Browsing data to Apple since iOS 11 in 2017, and Google started much earlier, in 2008. Apple only described the feature in a recent iOS update.

In the early morning of the 15th, Apple wrote in a reply:

Apple protects user privacy and data with “Safari Fraudulent Website Alerts,” a security feature that marks known malicious websites. When this feature is enabled, Safari checks the URL of the website against a list of known websites and displays a warning when the URL the user visits is suspected of fraudulent activity such as phishing.

To accomplish this task, Safari receives a list of known malicious sites from Google, and, for devices whose region code is set to mainland China, a list from Tencent. The actual URL of the website you visit is never shared with a Safe Browsing provider, and the feature can be turned off.

Apple provided a more detailed description to the US technology outlet ZDNet. The note states that Google and Tencent “send a copy of the database to the user’s browser and have the browser check the URL against the local database,” so the user’s specific data never actually reaches the two companies, and that “Tencent’s blacklists are only used inside mainland China, where Google domains are not available.”

However, cryptographer Matthew Green of Johns Hopkins University raised new questions. He pointed out that Google’s check actually relies on “complex interactions between blacklists and Safari.”

The whole flagging process, as described by Matthew Green, works as follows: Google hashes each unsafe URL into a fixed-length value and sends only the first part of each hash, the “prefix,” to Safari. When a user visits a web page, Safari hashes its URL and checks it against the list of prefixes. If there is a match, Safari asks Google for all the full hashes that share that prefix. Google returns them, and Safari checks whether the page’s full hash exactly matches one in that smaller list. If it does, the page is flagged.

Matthew Green’s analysis is that this means Google never sees the full URL hash, and in most cases receives no information at all. However, when Safari finds a matching prefix and asks Google for more hashes, it reveals the user’s IP address and a partial hash of the page being visited. Even this limited disclosure is still suspected of eroding user privacy.
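The two-step prefix check described above, written out as an added illustration for this article; it is not Google’s, Tencent’s or Apple’s own code. It assumes SHA-256 as the hash and a 4-byte prefix by default (shortened to 2 bytes in the demo so that a benign prefix collision can be found quickly); the provider and browser classes, the URLs and the client IP are all constructed. It separates the three cases Green’s analysis distinguishes: a local miss that sends nothing, a true hit, and a harmless page that happens to share a prefix and therefore still costs a round trip that exposes the client’s IP address and partial hash, but never the URL itself.

```python
import hashlib
from typing import Dict, List, Set, Tuple


def url_hash(url: str) -> bytes:
    """Full SHA-256 digest of the URL. Real deployments canonicalize the URL
    first and hash several host/path expressions; that step is omitted here."""
    return hashlib.sha256(url.encode("utf-8")).digest()


class ListProvider:
    """Constructed stand-in for the blocklist provider (the Google or Tencent
    role in the article). It records exactly what each lookup reveals to it."""

    def __init__(self, unsafe_urls: List[str], prefix_len: int = 4) -> None:
        self.prefix_len = prefix_len  # assumed prefix width, not a documented value
        self._full_hashes: Set[bytes] = {url_hash(u) for u in unsafe_urls}
        # What the provider learns per round trip: client IP and the prefix
        # asked about. No URL is ever sent, so none can be stored here.
        self.observed: List[Tuple[str, str]] = []

    def prefix_list(self) -> Set[bytes]:
        """Truncated hashes shipped to every client as its local list."""
        return {h[: self.prefix_len] for h in self._full_hashes}

    def full_hashes_for(self, prefix: bytes, client_ip: str) -> List[bytes]:
        """Second step: return every full hash that shares the requested prefix."""
        self.observed.append((client_ip, prefix.hex()))
        return [h for h in self._full_hashes if h.startswith(prefix)]


class Browser:
    """Client side of the check: local prefix match first, network only on a hit."""

    def __init__(self, provider: ListProvider, client_ip: str) -> None:
        self.provider = provider
        self.client_ip = client_ip
        self.local_prefixes = provider.prefix_list()

    def is_unsafe(self, url: str) -> bool:
        h = url_hash(url)
        prefix = h[: self.provider.prefix_len]
        if prefix not in self.local_prefixes:
            return False  # common case: decided locally, nothing leaves the device
        # Prefix hit: this is the round trip that exposes IP + partial hash.
        candidates = self.provider.full_hashes_for(prefix, self.client_ip)
        return h in candidates


def find_benign_collision(target_prefix: bytes, base: str = "http://benign.example/page",
                          limit: int = 2_000_000) -> str:
    """Find a harmless URL whose hash shares target_prefix. Feasible only for the
    short prefix used in the demo; it exists to trigger a false-positive round trip."""
    for i in range(limit):
        candidate = f"{base}{i}"
        if url_hash(candidate).startswith(target_prefix):
            return candidate
    raise RuntimeError("no collision found within limit")


def demo(prefix_len: int = 2) -> Dict[str, object]:
    """Run the three interesting cases and report what the provider observed."""
    unsafe_url = "http://phish.example/login"  # constructed sample
    provider = ListProvider([unsafe_url], prefix_len)
    browser = Browser(provider, "203.0.113.7")  # documentation-range IP
    target = url_hash(unsafe_url)[:prefix_len]

    # A safe URL chosen so that it certainly does not share the prefix.
    safe_url = next(f"http://safe.example/{i}" for i in range(1000)
                    if not url_hash(f"http://safe.example/{i}").startswith(target))
    collider = find_benign_collision(target)

    hit = browser.is_unsafe(unsafe_url)       # true positive: two steps, flagged
    miss = browser.is_unsafe(safe_url)        # local miss: no traffic at all
    false_alarm = browser.is_unsafe(collider)  # prefix matches, full hash does not

    # Confirm that no URL string ever appears in what the provider recorded.
    leaked_urls = [u for u in (unsafe_url, safe_url, collider)
                   if any(u in field for obs in provider.observed for field in obs)]
    return {
        "unsafe_flagged": hit,
        "safe_flagged": miss,
        "collider_flagged": false_alarm,
        "round_trips": len(provider.observed),
        "observed": provider.observed,
        "leaked_urls": leaked_urls,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `observed` list is the whole of what the provider learns: one (IP, prefix) pair per round trip, and only two round trips out of three checks. The colliding benign page shows why Green says the provider gets “no information” in most cases but not all: a prefix hit on an innocent page still sends the IP and partial hash, and with a real 4-byte prefix such collisions are rare but not impossible.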

Oddly, most of the media that reported this news did not say much about the possibility of Google compromising user privacy, but instead focused on Tencent, as did Matthew Green himself. “I didn’t conclude that Tencent is tracking users, but Tencent is likely to do so,” Matthew Green said. “So Apple’s cooperation with Tencent should be more transparent.”
