Safari sends every URL you visit to Google for 'safe browsing' checks. In China, it sends them to Tencent instead — a company legally required to share data with Chinese intelligence. Apple didn't tell users about the Tencent part. Your Safari browsing history is synced to iCloud where Apple can read it. They confirmed in their law enforcement guide that they'll hand it over with a warrant. The encryption that would actually protect you is opt-in and almost nobody turns it on.
Police can demand location data for everyone near a crime scene
Spying
2/4 MODERATE
Is someone spying on me?
Data Sharing
3/4 HIGH
Who gets my data?
Security
2/4 MODERATE
Is it actually secure?
Honesty
2/4 MODERATE
Can I trust what they say?
CONFIGUREHigh-risk areas that can be partially mitigated with settings changes.
5Contradictions
1Critical
3High
1Medium
5Sources
Findings by concern
Spying2/4 MODERATE1 finding
⚡ highfirmware analysis vs regulatory findings
Safari blocks trackers for free. But actual privacy — hiding your IP address, hiding your email — costs $0.99-$12.99/month via iCloud+. Apple turned privacy into a subscription service.
What they claim: Safari's Intelligent Tracking Prevention blocks cross-site tracking better than any mainstream browser
What we found: ITP is genuinely excellent — but Safari's best privacy features (Private Relay, Hide My Email) are locked behind the iCloud+ paywall ($0.99-$12.99/month). Free Safari users get tracking prevention. Paying users get actual privacy. Apple monetises the gap between 'good enough' and 'actually private.'
Data Sharing3/4 HIGH2 findings
⚠️ criticalpolicy claims vs firmware analysis
Safari sends every URL you visit to Google for 'safe browsing' checks. In China, it sends them to Tencent instead — a company legally required to share data with Chinese intelligence. Apple didn't tell users about the Tencent part.
What they claim: Apple markets Safari as 'the best browser for privacy' with Intelligent Tracking Prevention
What we found: Safari sends URLs to Google Safe Browsing for phishing checks — and in China, to Tencent Safe Browsing. Apple didn't clearly disclose the Tencent data sharing until researchers discovered it in 2019. Your 'private' browser is sending your browsing data to Google and, if you're in China, to a company subject to China's National Intelligence Law.
⚫ mediumpolicy claims vs regulatory findings
France ruled that Apple's privacy features are a weapon against competitors, not a genuine commitment. Apple blocks others from tracking you while running its own $5B ad business. The Siri settlement proved they recorded you in private.
What they claim: Apple positions itself as the privacy-first alternative in the browser market
What we found: France fined Apple EUR 150M for using App Tracking Transparency as an anticompetitive weapon — blocking competitors' tracking while Apple's own $5B+ advertising business was exempt. The Siri $95M settlement proved Apple was recording private conversations. Privacy is Apple's marketing — not consistently their practice.
Security2/4 MODERATE2 findings
⚡ highpolicy claims vs firmware analysis
Your Safari browsing history is synced to iCloud where Apple can read it. They confirmed in their law enforcement guide that they'll hand it over with a warrant. The encryption that would actually protect you is opt-in and almost nobody turns it on.
What they claim: Apple claims 'what happens on your iPhone stays on your iPhone'
What we found: Safari history synced via iCloud is NOT end-to-end encrypted under Standard Data Protection (the default). Apple can access and decrypt your browsing history. Apple's law enforcement guidelines confirm Safari history is available with a valid warrant. Advanced Data Protection (E2EE) is opt-in with deliberate friction — estimated single-digit adoption.
⚡ highfirmware analysis vs regulatory findings
Every browser on your iPhone is actually Safari underneath — Apple forces this. When Safari has a security hole, every browser on your phone has the same hole. 9 zero-days exploited in the wild in 2025. Your browser choice on iOS is an illusion.
What they claim: Safari uses the WebKit engine exclusively on iOS — all iOS browsers are Safari underneath
What we found: Apple requires all iOS browsers to use WebKit — Chrome, Firefox, Brave on iPhone are all Safari skins. When WebKit has a vulnerability, EVERY browser on iOS is vulnerable. 9 WebKit zero-days were exploited in the wild in 2025 alone. Apple's engine monopoly means a single vulnerability compromises every iOS user regardless of browser choice.
What happened to real people
Documented incidents involving Apple products and user data.
PRISM participant since 2012. Apple dropped full iCloud E2EE plans (codenamed Plesio/KeyDrop) after FBI objections (Reuters 2020). Advanced Data Protection released 2022 as opt-in with deliberate friction. [source]
Apple handed over iCloud backups in 1,568 cases covering ~6,000 accounts. 90% compliance rate. Surveillance firm: 'If you did something bad, I bet I could find it on that backup.' [source]
Government requests for push notification metadata rose from 158 (H1 2023) to 277 (H1 2024). Push tokens can identify devices and link to accounts. [source]
What your data is worth to governments
Apple complied with 12,043 government data requests in H1 2024. That's +621% over 10 years. Apple has been a confirmed PRISM participant since 2012. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702).
Documented: PRISM participant since 2012. Apple dropped full iCloud E2EE plans (codenamed Plesio/KeyDrop) after FBI objections (Reuters 2020). Advanced Data Protection released 2022 as opt-in with deliberate friction.
Documented: Apple handed over iCloud backups in 1,568 cases covering ~6,000 accounts. 90% compliance rate. Surveillance firm: 'If you did something bad, I bet I could find it on that backup.'