PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

Some Apple Users' Safari Data Sent to China's Tencent, Researcher Says

Apple's Safari browser is relying on Chinese internet giant Tencent to help protect Chinese iOS users from malicious websites, which security researcher Matthew Green claims is shady due to lack of transparency. Apple is pushing back.

Michael Kan
 & Michael Kan Principal Reporter

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

A subtle change to Apple's Safari browser on iOS is raising privacy alarms over whether it can expose users' website lookups to the Chinese tech giant Tencent.

The issue deals with a Safari feature meant to protect you from fraudulent websites (for instance a fake login page). The browser can warn you by accessing Google's Safe Browsing service, which functions as a giant blacklist of malicious websites on the internet.

However, in the event you visit a suspected fraudulent webpage, the browser will send your device's IP address and a scrambled version of the website's address to Google. The data scrambling is designed to prevent Google from learning the full website address as a way to protect your privacy. But theoretically, with enough website lookups, the company could piece together what websites your device's IP address has been seeking to visit, according to past research.

Privacy concerns with Google's Safe Browsing service is nothing new, but Apple's Safari browser has been using another blacklist of malicious websites to protect users in China—and it's powered by Tencent, a company that's legally obligated to share data with the Chinese government.

Safari Tencent Fineprint

The Tencent disclosure is contained in the Safari settings for iOS 12 and 13 devices. "Before visiting a website, Safari may send information calculated from website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent," the fine print reads.

When Apple introduced the change isn't clear, (although evidence suggests it may have started months ago.) But on Saturday, security researcher Matthew Green published a blog post calling attention to the Tencent disclosure.

"But Tencent isn't Google," Green wrote. "While they may be just as trustworthy, we deserve to be informed about this kind of change and to make choices about it. At very least, users should learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them."

Tencent is one of China's largest internet and gaming companies, but it also has a notorious reputation for helping the country's government censor the internet and even jail users for making controversial comments on its WeChat social messaging app. In addition, the Chinese company owns League of Legends maker Riot Games, and has a 40 percent stake in Fortnite developer Epic Games, both of which have made headlines recently for their responses esports players voicing support for Hong Kong protestors during live streams.

Recommended by Our Editors

Wikipedia Editors Could Strike Following Layoffs
Wikipedia Editors Could Strike Following Layoffs
Blue Origin’s New Glenn Rocket Explodes Spectacularly During Ground Test
Blue Origin’s New Glenn Rocket Explodes Spectacularly During Ground Test
Google Engineer Charged for Using Insider Info to Win $1.2M on Polymarket Bets
Google Engineer Charged for Using Insider Info to Win $1.2M on Polymarket Bets

Apple is pushing back. In a statement to ZDNet, Cupertino claims the Safari browser never exposes a user's website lookup data when it comes to detecting fraudulent web pages.

"To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off," the company said.

Indeed, based on the computer code, Safari only taps Tencent for the fraudulent website detection for users based in China. This may also explain why Apple is relying on a Chinese company's blacklist of malicious websites. In China, Google services are blocked due to the country's widespread online censorship. As a result, Apple probably settled on Tencent as an alternative to protect iOS users in a major market.

That said, Apple's statement doesn't address the theoretical privacy fear of Tencent trying to de-scramble the URL data the Safari browser may be sending to the Chinese company. But it's important to note that the Chinese government already possesses numerous ways it can directly monitor users within the country. For example, the country can legally force companies operating in China to hand over data on their users without recourse. The government also owns the biggest telecommunication providers in the country and has deployed surveillance cameras across the country.

Nevertheless, Apple's partnership with Tencent isn't sitting well with privacy experts. "Lately there's been a troubling silence out of Cupertino, mostly related to the company's interactions with China," Green wrote in his blog post. As an example, he points to Apple's decision last year to move the company's iCloud server infrastructure to China for local users in the country. Although Cupertino defended the move as necessary to comply with Chinese law, human rights experts have been concerned Apple will comply with China's broad legal power to hand over personal data on users in the country.

"In the Safe Browsing change we have another example of Apple making significant modifications to its privacy infrastructure, largely without publicity or announcement," Green added. "We have learn about this stuff from the fine print. This approach to privacy issues does users around the world a disservice."

About Our Expert

Michael Kan

Michael Kan

Principal Reporter

My Experience

I've been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I'm currently based in San Francisco, but previously spent over five years in China, covering the country's technology sector.

Since 2020, I've covered the launch and explosive growth of SpaceX's Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I've combed through FCC filings for the latest news and driven to remote corners of California to test Starlink's cellular service.

I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. In 2024 and 2025, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.

I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I'm now following how the AI-driven memory shortage is impacting the entire consumer electronics market. I'm always eager to learn more, so please jump in the comments with feedback and send me tips.

The Best Tech I've Had:

  • My first video game console: a Nintendo Famicom
  • I loved my Sega Saturn despite PlayStation's popularity.
  • The iPod Video I received as a gift in college
  • Xbox 360 FTW
  • The Galaxy Nexus was the first smartphone I was proud to own.
  • The PC desktop I built in 2013, which still works to this day.

Read the latest from Michael Kan

Read full bio