A security control within Safari in iOS 13 called “Fraudulent Website Warning” has been revealed to send data to the Chinese tech firm Tencent.

The controversy emerged last Thursday 10 October, when it was discovered that the Safari privacy policy in iOS 13 included the following:

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.”

In particular, concern has been raised over the close relationship between Tencent and the ruling Chinese Communist Party.

This also comes in the wake of continued acquiescence from Apple to the demands of the Chinese government, including most recently banning the HKmap.live app, which was being used by anti-government protesters.

The Fraudulent Website Warning, which is turned on by default, compares URLs against a blacklist to prevent iOS users from accessing potentially harmful websites.

As part of this process Safari sends both the user’s IP address and the link to the relevant security service. By putting these pieces of information together, the security service in question has the technical capability of de-anonymising the user.

Speaking to The Verge, Apple denied that Tencent or Google are getting access to users’ browsing histories: “When [Fraudulent Website Warning] is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent like phishing… the actual URL of a website you visit is never shared with a safe browsing provider.”

But this is not the full story. Matthew Green, a professor of cryptography at Johns Hopkins University, has described the process in full detail. To protect the privacy of users, Google (or Tencent) sends a database of truncated hashes of URLs to each user’s browser – basically a very condensed list.

Each time a URL is visited, Google hashes it and checks if it matches any of the shortened URL hashes in your browser’s database.

If there is a match, Google retrieves a list of full length hashes to check for an exact match. In the process it communicates your IP.

While a single retrieval alone is not enough to undermine privacy, piecemeal, many requests could be used to give the security provider a more detailed profile of its users.

Apple has told ZDNet that Tencent Safe Browsing is only used “for devices with their region code set to mainland China,” as all Google services are banned within the country. But this does nothing to prevent the feature from being misused by Google in the rest of the world.

Users are left facing a trade-off: leave their trust in large tech companies not to misuse this access and undermine their privacy, or weaken their security and risk exposure to malicious websites.

By default the feature is turned on, but for those who would rather turn it off, the process is thankfully very easy. Simply Navigate to Settings > Safari, then underneath the Privacy & Security heading toggle Fraudulent Website Warning off.

An alternative method to safeguard your anonymity is to use a VPN to generate a new IP address. This would mean that – even if a company like Google or Tencent were to build a profile from your data – it would not be identifiable to you.