Apple is an unusually privacy-focused company in the Big Tech world, so its potential violations of user privacy tend to gather a lot of attention.
This proved to be the case with a report last week from the privacy site Reclaim the Net, which noted that Apple’s Safari browser sometimes sends information about the sites users are visiting off to Google and China’s Tencent, to check whether or not those webpages are fraudulent. The report particularly focused on Tencent’s alleged ties to the Chinese Communist Party.
Apple responded yesterday by explaining how the mechanism in question—the Safari Fraudulent Website Warning—is designed to protect privacy.
However, experts say this may break a key privacy law in the European Union because users do not give their explicit consent to their data being shared in this way.
Here’s how Apple’s Fraudulent Website Warning system works: The Safari browser alerts users when they visit websites that are known to be fraudulent—for example, websites trying to fool people into thinking they are other sites, so as to con them into divulging passwords. This information is regularly updated, with the underlying data coming from Google and—for users located on the Chinese mainland—Tencent.
As Johns Hopkins cryptography professor Matthew Green explained in a Sunday blogpost about the situation, Google’s current approach to flagging up fraudulent sites does not involve sending the company every web address (or URL) that a user visits‐the privacy implications of that would obviously be horrendous.
What happens instead is that Google creates a “hash” of each unsafe URL in its database. In other words, its algorithm translates the address into a mathematical representation, in a way that allows a visited URL to be checked against that entry (since the algorithm would always turn it into the same string of characters) but that does not allow reverse-translation back to a recognizable web address. Google then abbreviates these hashes and sends the short versions off to browsers such as Safari.
The browser creates a hash of each web address its user is trying to visit, and checks it against its list of Google- or Tencent-provided abbreviated hashes. If there’s a match, Safari then asks the provider for the full-length hash, to make sure if the site is fraudulent or not.
In theory, that means Google (or Tencent) does not get to monitor Safari users’ surfing habits. However, as Green noted: “The weakness in this approach is that it only provides some privacy. The typical user won’t just visit a single URL, they’ll browse thousands of URLs over time. This means a malicious provider will have many ‘bites at the apple’ (no pun intended) in order to de-anonymize that user.”
Apple stressed in its statement that Tencent only received data from users with their region set to China, adding: “The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.”
The system may be designed to protect users from phishing attacks that fool them into handing over bank passwords and the like, but—because people have to opt out of this system, rather than opting in—it could also fall foul of EU online privacy rules.
The rule in question is not the much-feared General Data Protection Regulation (GDPR) that came into effect last year, threatening fines of up to 4% of global revenues for severe violations. While many know the GDPR as a law that requires users’ consent for handling their personal data, it is in fact more flexible than that—another legal basis for data processing is acting in the “legitimate interests” of the data subject, and fraud protection probably falls into this category.
Instead, the law Apple might be breaking is the ePrivacy Directive of 2002, which specifically deals with electronic communications—this law is best known as the one that forces sites to display “cookie” notices, though it is more wide-ranging than that.
According to Michael Veale, a lecturer in digital rights and regulation at University College London in the U.K., there are “certainly questions” about whether Apple should be asking for explicit consent before sending Google user data, even if it’s just abbreviated hashes.
That’s because the ePrivacy Directive becomes an issue when a company accesses data from a user’s “terminal device” (such as a phone) for a purpose that is not essential to the service being provided (in this case, the browser.) In such circumstances, Veale said, “GDPR-quality consent” is required.
“Arguments would exist both ways, but there’s definitely a possibility that consent would be required,” Veale said. “It’s strange Apple did not ask for one-off opt-in consent, but they may well be wary of asking individuals if the company they perceive as privacy-friendly can send even redacted browsing data to Google.”
Even if Apple has broken the EU ePrivacy Directive here, it is unlikely that it would suffer a serious punishment.
The directive is now ancient in tech-world terms, and it gives individual EU countries discretion over the fines they can levy for transgressions. So, while GDPR violations can theoretically lead to fines in the billions of dollars, the U.K. for example has a $630,000 cap on ePrivacy fines.
The ePrivacy Directive was supposed to have been replaced by a tougher ePrivacy Regulation at the same time as the GDPR came into effect in May 2018, with maximum fines at the same high level as those under the GDPR. But, likely thanks to extremely heavy lobbying, the ePrivacy Regulation has been stuck in legislative limbo for the last two years. While the European Commission and Parliament have passed a draft version, the EU’s member states still haven’t been able to agree on a final version.
Apple did not respond to a question about the legality of its safe browsing mechanism under EU privacy law, instead providing a more general statement about how the system works. Google did not respond to a request for comment.