As part of the built-in protection in Safari to keep iOS users safe from malicious websites, Apple sends to browsing data to Tencent, a technology firm in China. This is revealed in an updated privacy notice, in which Apple says Tencent "may also log your IP address" in addition to the web address.
Apple is not being nefarious here. Quite the opposite, at least in intent—when an iOS user visits a website, the URL and, in some cases, their IP address is sent off to be cross checked against known fraudulent websites. This step serves as an additional layer of protection against being caught up in a phishing scam.
Previously in the US, Apple relied on Google and it's Safe Browsing service for this purpose. Now, however, Tencent has seemingly been added to the mix, a move that is raising eyebrows among some.
In iOS, users can find the updated text by navigating to Settings > Safari and clicking on the About Safari Search & Privacy link underneath the Privacy & Security section, as shown above.
"Before visiting a website, Safari may send information calculated from the website address to Google's Safe Browsing and Tencent's Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address," the privacy notice states.
This is part of the Fraudulent Website Warning option that is turned on by default in iOS. Unfortunately, Apple does not specify under what conditions browsing data and a user's IP address might be sent to Tencent instead of Google.
It's also not clear when this change took place, though one user on Twitter claims it dates back to at least the iOS 12.2 beta in February.
While there is no obvious nefarious intent, Johns Hopkins University professor and cryptographer Matthew Green says the change is still concerning because of how stealthily it was implemented.
"In the Safe Browsing change we have another example of Apple making significant modifications to its privacy infrastructure, largely without publicity or announcement. We have [to] learn about this stuff from the fine print. This approach to privacy issues does users around the world a disservice," Green said.
"It increasingly feels like Apple is two different companies: one that puts the freedom of its users first, and another that treats its users very differently. Maybe Apple feels it can navigate this split personality disorder and still maintain its integrity. I very much doubt it will work," Green continued.
Whether or not Tencent collects this data outside China is unknown. However, we have confirmed the updated privacy text does appear in iOS 13 on devices in the US.