Apple quietly extended the usage of Chinese giant Tencent’s website blacklist to Hong Kong consumers, and no one will comment.
When Safari users in Hong Kong tried to load the popular code-sharing website GitLab, they received an unusual warning: Apple’s browser was blocking the site for its own protection. Apple’s use of a Chinese corporate website blacklist resulted in the harmless site being labeled as a provider of misinformation, which briefly cut off access. Tencent, the big Chinese business behind the online filter, and Apple both refuse to reveal how or why the site was restricted.
The outage was announced immediately before the new year. Chu Ka-Cheong, a Hong Kong-based software engineer and former Apple employee, tweeted on December 30, 2022, that his web browser had restricted access to GitLab, a prominent repository for open-source work. Safari’s “safe browsing” feature welcomed him with a full-page “deceptive website warning,” indicating that because GitLab carried harmful “unverified information,” it was unavailable. After the matter was brought to the company’s attention, access to GitLab was restored several days later.
Tencent, the massive Chinese internet firm behind WeChat and League of Legends, created the warning screen. The business manages Apple’s safe browsing filter for Safari users in China—and now, the Chinese government imposes further control over the territory, in Hong Kong as well.
Apple representative Nadine Haija refused to answer questions regarding the GitLab incident, directing them to Tencent, who likewise declined to respond.
The episode raises difficult concerns regarding private censorship in the name of “security,” questions that neither business appears to be interested in answering: Tencent decides what is blocked. Is Apple involved in any way? Is Apple okay with Tencent’s blacklisting practices?
“They should be responsible to their customers in Hong Kong and need to describe how they will respond to demands from the Chinese authorities to limit access to information,” wrote Charlie Smith, the pseudonymous founder of GreatFire, a Chinese web censorship advocacy, and watchdog group. “Presumably people purchase Apple devices because they believe the company when they say that ‘privacy is a fundamental human right’. What they fail to add is *except if you are Chinese.”
Ka-Cheong tweeted that other Hong Kong residents had reported GitLab similarly blocked on their devices thanks to Tencent. “We will look into it,” Apple engineer Maciej Stachowiak tweeted in response. “Thanks for the heads-up.” But Ka-Cheong, who also serves as vice president of Internet Society Hong Kong Chapter, an online rights group, said he received no further information from Apple.
The block surprised Ka-Cheong and other Hong Kong residents because Apple had previously stated that the Tencent blocklist would only be utilized for Safari users within mainland China. However, according to an Internet Archive assessment, sometime after November 24, 2022, Apple secretly updated its Safari privacy policy to specify that the Tencent blacklist will also be applied to devices in Hong Kong. (When asked when or why Apple expanded its usage of Tencent’s filter to Hong Kong, Apple representative Haija did not comment.)
Though mainland China has extensively regulated internet access for decades, Hong Kong has traditionally had unrestricted access to the internet, a privilege that has only recently been challenged by the passage of a comprehensive, draconian national security law in 2020.
Silently broadening the breadth of the Tencent list not only keeps Apple in the good graces of China, whose industrial capacity is still crucial to the California-based corporation but also gives plausible deniability regarding how or why such site blockages occur.
“While many tech companies proactively apply political and religious censorship to their mainland Chinese users, Apple may be unique among North American tech companies in proactively applying such speech restrictions to users in Hong Kong,” said Jeffrey Knockel, a researcher at the University of Toronto’s Citizen Lab, a digital security watchdog group.
While a firm like Tencent should be expected to follow Chinese law as a matter of course, Apple has gone out of its way to do so.
“The aspect which we should be surprised by and concerned about is Apple’s decision to work with Tencent in the first place to filter URLs for Apple’s Hong Kong users,” he said, “when other North American tech companies have resisted Hong Kong’s demands to subject Hong Kong users to China-based filtering.”
THE BLOCK IN PLACE GitLab is not the first time Tencent has labeled a foreign website “dangerous” for ostensibly ideological reasons. In 2020, Tencent web browsers disabled access to the official website of Notepad++, a text editing program whose French developer had earlier published a declaration of solidarity with Hong Kong dissidents.
The GitLab ban would also not be the first time Apple, which claims to be deeply committed to human rights, has twisted its products to line with Chinese political pressure. In 2019, Apple was caught delisting an app used by Hong Kong political dissidents to organize; in November, users discovered that the company had pushed a software update to Chinese iPhone users that significantly weakened the AirDrop feature, which protesters across the country had been using to spread messages on the ground.
“All companies have a responsibility to respect human rights, including freedom of expression, no matter where in the world they operate,” Michael Kleinman, head of Amnesty International’s Silicon Valley Initiative, wrote to The Intercept. “Any steps by Apple to limit freedom of expression for internet users in Hong Kong would contravene Apple’s responsibility to respect human rights under the UN Guiding Principles.”
In 2019, Apple openly revealed that it has begun using Tencent’s “safe surfing” database to censor the web behavior of its Chinese customers, rather than Google’s similar list. Safe surfing filters purport to protect users from harmful pages carrying malware or spear-phishing attacks by comparing the website they’re attempting to load to a master list of blacklisted domains.
To make such a list operate, however, some personal information must be provided to the entity running the filter, whether it be Google or Tencent. When the news of Apple’s usage of the Tencent safe browsing list initially leaked, Matthew Green, a Johns Hopkins University professor of cryptography, described it as “another example of Apple making significant changes to its privacy infrastructure, mostly without fanfare or notification.”
While crucial issues concerning what information Safari users in Hong Kong and China ultimately communicate to Tencent and beyond remain unanswered, the GitLab incident highlights another problematic element of secure browsing: It empowers a single firm to control the internet unilaterally under the guise of public safety.
“Our concern was that outsourcing this stuff to Chinese firms seemed problematic for Apple,” Green explained in an interview with The Intercept, “and I suppose the nature of having a ‘misinformation’ category is that China is going to have its own views on what that means.”
In fact, it’s unclear how GitLab could have been seen as a source of potentially dangerous “unverified information.” Software developers, including business clients like T-Mobile and Goldman Sachs, can safely store and change code on the site, which is essentially an empty container. Recently, several open-source code websites like GitLab, where engineers from around the world can freely interact, cooperate, and exchange knowledge, have come under fire from the Chinese government. (GitLab declined to comment when contacted.)
However, there is no evidence that this action is what caused GitLab to be added to the Tencent list. GitLab is notable for using Tor, a censorship-evasion and anonymity web browser, to chronicle instances of Chinese official internet censorship.
Although Tencent makes part of its website blocking criteria public, its decision-making process is utterly opaque, and the censorship standards it publishes are incredibly nebulous, including transgressions like “undermining national unity” and “endangering national security.”
For its ties to the Chinese government, which routinely uses state power to more directly influence or completely control ostensibly private companies, Tencent has long been the subject of scrutiny.