When Safari users in Hong Kong recently tried to load the popular code-sharing website GitLab, they received a strange warning instead: Apple’s browser was blocking the site for their own safety. The access was temporarily cut off thanks to Apple’s use of a Chinese corporate website blacklist, which resulted in the innocuous site being flagged as a purveyor of misinformation. Neither Tencent, the massive Chinese firm behind the web filter, nor Apple will say how or why the site was censored.
The outage was publicized just ahead of the new year. On December 30, 2022, Hong Kong-based software engineer and former Apple employee Chu Ka-cheong tweeted that his web browser had blocked access to GitLab, a popular repository for open-source code. Safari’s “safe browsing” feature greeted him with a full-page “deceptive website warning,” advising that because GitLab contained dangerous “unverified information,” it was inaccessible. Access to GitLab was restored several days later, after the situation was brought to the company’s attention.
The warning screen itself came courtesy of Tencent, the mammoth Chinese internet conglomerate behind WeChat and League of Legends. The company operates the safe browsing filter for Safari users in China on Apple’s behalf — and now, as the Chinese government increasingly asserts control of the territory, in Hong Kong as well.
Apple spokesperson Nadine Haija would not answer questions about the GitLab incident, suggesting they be directed at Tencent, which also declined to offer responses.
The episode raises thorny questions about privatized censorship done in the name of “safety” — questions that neither company seems interested in answering: How does Tencent decide what’s blocked? Does Apple have any role? Does Apple condone Tencent’s blacklist practices?
“They should be responsible to their customers in Hong Kong and need to describe how they will respond to demands from the Chinese authorities to limit access to information,” wrote Charlie Smith, the pseudonymous founder of GreatFire, a Chinese web censorship advocacy and watchdog group. “Presumably people purchase Apple devices because they believe the company when they say that ‘privacy is a fundamental human right’. What they fail to add is *except if you are Chinese.”
Chu tweeted that other Hong Kong residents had reported GitLab similarly blocked on their devices thanks to Tencent. “We will look into it,” Apple engineer Maciej Stachowiak tweeted in response. “Thanks for the heads-up.” But Chu, who also serves as vice president of Internet Society Hong Kong Chapter, an online rights group, said he received no further information from Apple.
“Presumably people purchase Apple devices because they believe the company when they say that ‘privacy is a fundamental human right’. What they fail to add is *except if you are Chinese.”
Though mainland China has heavily censored internet access for decades, Hong Kong typically enjoyed unfettered access to the web, a freedom only recently threatened by the passage of a sweeping, repressive national security law in 2020.
Silently expanding the scope of the Tencent list not only allows Apple to remain in the good graces of China — whose industrial capacity remains existentially vital to the California-based company — but also provides plausible deniability about how or why such site blocks happen.
“While unfortunately many tech companies proactively apply political and religious censorship to their mainland Chinese users, Apple may be unique among North American tech companies in proactively applying such speech restrictions to users in Hong Kong,” said Jeffrey Knockel, a researcher with Citizen Lab, a digital security watchdog group at the University of Toronto.
Knockel pointed out that while a company like Tencent should expected to comply with Chinese law as a matter of course, Apple has gone out of its way to do so.
“The aspect which we should be surprised by and concerned about is Apple’s decision to work with Tencent in the first place to filter URLs for Apple’s Hong Kong users,” he said, “when other North American tech companies have resisted Hong Kong’s demands to subject Hong Kong users to China-based filtering.”
The block on GitLab would not be the first time Tencent deemed a foreign website “dangerous” for apparently ideological reasons. In 2020, attempts to visit the official website of Notepad++, a text editor app whose French developer had previously issued a statement of solidarity with Hong Kong dissidents, were blocked for users of Tencent web browsers, again citing safety.
The GitLab block also wouldn’t be the first time Apple, which purports to hold deep commitments to human rights, has bent the company’s products to align with Chinese national pressure. In 2019, Apple was caught delisting an app Hong Kong political dissidents were using to organize; in November, users noticed the company had pushed a software update to Chinese iPhone users that significantly weakened the AirDrop feature, which protesters throughout the country had been using to spread messages on the ground.
“All companies have a responsibility to respect human rights, including freedom of expression, no matter where in the world they operate,” Michael Kleinman, head of Amnesty International’s Silicon Valley Initiative, wrote to The Intercept. “Any steps by Apple to limit freedom of expression for internet users in Hong Kong would contravene Apple’s responsibility to respect human rights under the UN Guiding Principles.”
In 2019, Apple publicly acknowledged that it had begun using a “safe browsing” database maintained by Tencent to filter the web activity of its users in China, instead of an equivalent list operated by Google. Safe browsing filters ostensibly protect users from malicious pages containing malware or spear-phishing attacks by checking the website they’re trying to load against a master list of blacklisted domains.
In order to make such a list work, however, at least some personal information needs to be transmitted to the company operating the filter, be it Google or Tencent. When news of Apple’s use of the Tencent safe browsing list first broke, Matthew Green, a professor of cryptography at Johns Hopkins University, described it as “another example of Apple making significant modifications to its privacy infrastructure, largely without publicity or announcement.”
“I suppose the nature of having a ‘misinformation’ category is that China is going to have its own views on what that means.”
While important questions remain about exactly what information from Safari users in Hong Kong and China is ultimately transmitted to Tencent and beyond, the GitLab incident shows another troubling aspect of safe browsing: It gives a single company the ability to unilaterally censor the web under the aegis of public safety.
“Our concern was that outsourcing this stuff to Chinese firms seemed problematic for Apple,” Green explained in an interview with The Intercept, “and I suppose the nature of having a ‘misinformation’ category is that China is going to have its own views on what that means.”
Indeed, it’s impossible to know in what sense GitLab could have possibly been considered a source of dangerous “unverified information.” The site is essentially an empty vessel where software developers, including corporate clients like T-Mobile and Goldman Sachs, can safely store and edit code. The Chinese government has recently cracked down on some open-source code sites similar to GitLab, where engineers from around the world are able to freely interact, collaborate, and share information. (GitLab did not respond to a request for comment.)
Notably, the censorship-evasion and anonymity web browser Tor has turned to GitLab to catalog instances of Chinese state internet censorship, though there’s no indication it was this activity that led to GitLab’s addition to the Tencent list.
While Tencent provides some public explanation of its criteria for blocking a website, its decision-making process is completely opaque, and the published censorship standards are extremely vague, including offenses like “endangering national security” and “undermining national unity.”
Tencent has long been scrutinized for its ties to the Chinese government, which frequently leverages state power to more closely influence or outright control nominally private firms.
Earlier this month, the Financial Times reported that the Chinese government was acquiring so-called golden shares of Tencent, a privileged form of equity that’s become “a common tool used by the state to exert influence over private news and content companies.” A 2021 New York Times report on Tencent noted the company’s eagerness to cooperate with Chinese government mandates, quoting the company’s president during an earnings call that year: “Now I think it’s important for us to understand even more about what the government is concerned about, what the society is concerned about, and be even more compliant.”
While Tencent’s compliance with the Chinese national security agenda ought not to come as a surprise, Knockel of Citizen Lab says Apple’s should.
“Ultimately I don’t think it really matters exactly how GitLab came to be blocked by Tencent’s Safe Browsing,” he said. “Tencent’s blocking of GitLab for Safari users underscores that Apple’s subjection of Hong Kong users to screening via a China-based company is problematic not only in principle but also in practice.”
Update: January 28, 2023
An earlier version of this story referred to Chu Ka-cheong by his given name instead of his surname. The references have been updated.