Apple Agrees To Store Chinese iCloud Data In China, Making It Much Easier For The Chinese Gov't To Access It

from the joining-the-Big-Brothers-program dept

In a time when law enforcement officials are calling Apple "evil" and demanding access to encrypted communications, it doesn't make much sense for the company to be doing this.

When Apple Inc begins hosting Chinese users’ iCloud accounts in a new Chinese data center at the end of this month to comply with new laws there, Chinese authorities will have far easier access to text messages, email and other data stored in the cloud.

That’s because of a change to how the company handles the cryptographic keys needed to unlock an iCloud account. Until now, such keys have always been stored in the United States, meaning that any government or law enforcement authority seeking access to a Chinese iCloud account needed to go through the U.S. legal system.

Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.

This will allow the Chinese government to quell dissent and hunt down wrong-thinkers much more efficiently. It also shows the company is willing to drastically change the way it does business in order to maintain a large foreign customer base. This move will prompt questions from Congressional reps and FBI officials about Apple's refusal to work with the US government to provide access to locked devices and encrypted communications. Thanks to its acquiescence to the Chinese government, these questions won't be so easy to answer.

This change in policy won't budge the needle much in terms of US lawful access. US authorities will now have to route requests for Chinese data through the Chinese government, but it's unlikely there's much of that going on now. Requests for domestic data and communications stored in Apple's iCloud will be handled the way they always have been. Apple's always held keys domestically for iCloud accounts, which makes the cries of "going dark" a bit melodramatic.

But it does indicate Apple is willing to change policies for governments far less freedom-friendly than ours. And if it's willing to do that, why won't it stash encryption keys for locked devices where US law enforcement can access them?

Apple's defense of this move is interesting. It claims denying the Chinese government access would have meant shutting down the service in China. According to Apple's statements, this would make Chinese users less safe than the company decrypting iCloud data on demand.

“While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,” it said. Apple said it decided it was better to offer iCloud under the new system because discontinuing it would lead to a bad user experience and actually lead to less data privacy and security for its Chinese customers.

Presumably, data would have migrated to smaller cloud services offering even less protection to Chinese citizens. But that's hard to square with the fact that Apple's Chinese iCloud infrastructure is reliant on state-owned cloud firm Guizhou -- a company with close ties to the Chinese government.

Apple says the government won't have access to keys. It will still hold the keys, but the data's location means there won't be any prolonged battles over jurisdiction. Its "contractual arrangement" with Guizhou possibly makes Apple's decision to hold the keys inconsequential. The government may be able to approach Apple's partner and obtain direct access, bypassing the very minimal legal requirements Chinese law enforcement needs to meet before demanding user data.

Apple used to resist the Chinese government's demand for cloud data. Now it's pretty much engaged in a partnership with a state-owned business. If it's willing to do this, its resistance to US government overtures seems hypocritical at best. I don't want Apple to lower its defenses against US government intrusion, but I'd rather it took a consistent stance on these issues. Right now, it appears to be willing to submit to authoritarian governments rather than sacrifice part of its user base. It punches holes in its defenses of its actions on the domestic side and makes it easier for US law enforcement officials to sell encryption-damaging legislation to Congress and the White House.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Dan (profile), 27 Feb 2018 @ 3:53am

    Apple has chosen to comply with the apparent Chinese legal requirement that they maintain the data, and the ability to decrypt it, in China. Their option was to not serve the Chinese market at all. This surprises you?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Feb 2018 @ 9:22am

      Re:

      Not only that: if I was Chinese, where would I want my data stored? In China where the people governing me can look at it in accordance with my own local laws, or in some other country like the US which is known to ignore foreign sovereignty when it comes to privacy?

      There's really nowhere better for the data to be stored than in your own country, unless you're doing something that's considered illegal in your own country.

      So yes, there are certain activities that Chinese people probably shouldn't store on iCloud, but they already know that.

      I say all this as a person who does not live in the US, but whose iCloud data all gets stored in the US where I have no control over it. The result is that I keep most iCloud services disabled because it's not worth the privacy risk and me having to check and make sure everything I store there not only is within the laws of my own country, but is also not going to set off some alarm in the US.

      As someone not in the US, why should the FBI, NSA or CIA have access to the contents of my phone?

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Feb 2018 @ 4:24am

    This move will prompt questions from Congressional reps and FBI officials about Apple's refusal to work with the US government to provide access to locked devices and encrypted communications.

    Correct me if I'm wrong, but I thought Apple complied with all lawful requests for access to "locked devices and encrypted communications".

    And that in the most famous example of where they "refus[ed] to work with the US government", the San Bernardino case, they were unable to comply with the government's request because they were physically unable to bypass the encryption.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Feb 2018 @ 7:10am

      Re:

      I think people are getting things mixed up. There's iCloud Data, which Apple does have the keys for. They allow the police or FBI access to this data already. So long as it's a lawful request.

      Really, most cloud services are like this. They hold the keys. Sometimes it's YOU that hold the keys, but if anything happens and you lose them, they can't do anything for you to get your access back at that point.

      So there's CLOUD storage. Then there is your HARDWARE, the iPhone, which is also encrypted, with its own security, using Apple Secure Enclave which is part of Apple's A* processor. Apple doesn't have the keys to your phone!!!! So Apple can't just break into your phone. For the San Bernardino case, they wanted Apple to rewrite the OS in such a way that the phone would install that, and then be able to get around the phone's security. Apple refused to do that. Once something like that exists, everyone would want to use it to get around the phone's security, including China.

      So there's CLOUD Data which Apple has the Keys and then there's Hardware Encryption of the device it's self. So your phone, in general, is secure, but anything going out to Apple's iCloud service, Apple has the keys. Google and Microsoft also have access to all your cloud Data.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 27 Feb 2018 @ 9:30am

        Re: Re:

        This is kind of correct and kind of not. iCloud is more complex than the other cloud solutions.

        Apple has the keys to your iCloud volume, but most of the stuff stored on there is encrypted against your phone, not against Apple's iCloud key.

        Added to that, the main data is actually farmed out to S3 and Google Cloud, with the encryption keys for that being stored on iCloud.

        So when US authorities gain legal access to your iCloud account, they gain access to your Apple ID and the metadata stored in your iCloud account. They then have to get a further warrant to get the encrypted data stored elsewhere. After that, they may still end up with encrypted data that Apple can't decrypt.

        So mostly what they get is dates, times, and file names.

        reply to this | link to this | view in chronology ]

  • icon
    Ben (profile), 27 Feb 2018 @ 4:38am

    Leaky bucket

    So now Apple are happy to put the keys in a potentially leaky bucket. Perhaps they want to provide the perfect example of how 'smart encryption with back doors for warranted, legitimate, legal access by police & government' actually means: as secure as a wooden shed in hurricane.

    reply to this | link to this | view in chronology ]

  • identicon
    Nick, 27 Feb 2018 @ 5:04am

    Confusing 2 things: device and cloud encryption

    Let's not confuse device encryption and cloud encryption.

    The ability to decrypt cloud backup is available to law enforcement without real backdoor. The FBI has relied on this extensively.

    China is not getting access to device encryption so it finds itself in the same situation as the fbi.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Feb 2018 @ 5:18am

    Fools

    This shows that it's damn foolish to put stuff on the cloud for-which you don't have control of the encryption/decryption keys. iCloud = ibeafool.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Feb 2018 @ 7:12am

      Re: Fools

      Same goes for anything Google and Microsoft along with most cloud services.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Feb 2018 @ 8:39am

      Re: Fools

      This, so much this. Anytime you let someone else be responsible for the security and privacy of your data you at at the mercy of their stupidity and/or complicity with govt.

      reply to this | link to this | view in chronology ]

  • icon
    TheResidentSkeptic (profile), 27 Feb 2018 @ 5:53am

    We should all...

    ... immediately load copies of the Constitution and Bill of Rights to all our cloud storage.

    reply to this | link to this | view in chronology ]

    • icon
      Ninja (profile), 27 Feb 2018 @ 7:32am

      Re: We should all...

      It seems this will be valid to Chinese people only and I believe there are technical resources to do so. And even if you had part of your data stored there nobody would be seeing it except for (hypothetically) the Chinese government. The ones that need to be exposed to such speech are the people, not the Govt.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 28 Feb 2018 @ 8:35am

        Re: Re: We should all...

        I don't know... there are many currently in the US government who need more exposure to the US Constitution and Bill of Rights.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Feb 2018 @ 6:00am

    question about apple

    Does apple allow third party cloud backup systems?

    I expect the answer is no, but thought I'd ask.

    Also I'd point out- there's no reason apple HAS to have the keys for their own cloud- they could be individually backed up by the end user, via simple means like a small usb drive- then apple could avoid having anything to do with turning over data. One should wonder why they don't do it this way...

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Feb 2018 @ 6:19am

      Re: question about apple

      Does apple allow third party cloud backup systems?

      You can backup locally to your computer (either by direct connection or over the local network automatically). To store that backup in a cloud drive, you'd need to either manually copy the backup file to the cloud, or replace the default Apple backup folder with a symbolic link to a cloud drive.

      So yes, they do, but it takes a bit more user effort to set up than using Apple's system.

      reply to this | link to this | view in chronology ]

    • identicon
      Shawn, 13 Mar 2018 @ 1:15am

      Re: question about apple

      Yes. DropBox is available at the App Store- along with many other APPs.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Feb 2018 @ 7:37am

    Why would anyone willingly choose to store critical data on devices not within their control?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Feb 2018 @ 8:26am

      Re:

      It's recommended to store a backup of critical data outside of your house in case a fire/flood/whatever causes you to lose the house entirely. Most people cannot afford a second house to put it in, and keeping it in your car is a really stupid idea. That leaves only putting it on a device outside of their control (cloud, bank deposit box, family/friend's house, etc).

      As for cloud services specifically, most people are more concerned about ease of making backups then about access by the government. Cloud storage makes backups extremely easy (compared to having to go somewhere, retrieve the device, perform the backup, return the device) and if better protection is desired they can easily encrypt it locally before sending it to the service.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 27 Feb 2018 @ 11:36am

        Re: Re:

        A safe deposit box in not within your control?
        Certainly more than the cloud is.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 28 Feb 2018 @ 1:58pm

          Re: Re: Re:

          There might be banks in the world that cannot access their own safe deposit boxes. You are not a patron of one of those banks. I am not a patron of one of those banks. The number of patrons of any of those banks is likely to be at least a couple orders of magnitude smaller than the errors in our census data (if they exist at all).

          So no, a safe deposit box is not under your control. Whether it is more under your control than the cloud depends a lot on what types of control you value.

          1) Both can block your access or throw out/give away your stuff at a whim.
          2) Safe deposit boxes have limited access, cloud storage does not.
          3) Cloud providers can search your storage faster than deposit box providers, though both can search it within a day so the difference is minimal

          etc. etc.

          Your seem most interested in (3), others maybe interested in different types of control.

          reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 28 Feb 2018 @ 8:41am

        Re: Re:

        My current strategy is:
        Phone backs up to computer when I plug it in at night. Backup is ALL data and is encrypted by a long passphrase.

        Computer backs up to two NAS volumes at different locations in my house on an hourly basis.

        Computer also backs up to a connected external drive that gets swapped out with the one in a safe deposit box across town on a bi-monthly basis. All backups are encrypted.

        For some long-term data, I've written it to an encrypted volume that is stored with a relative out of state.

        I also keep a minimal set of encrypted data on iCloud, but that has PII minimized as much as possible.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Feb 2018 @ 9:43am

    This move will prompt questions from Congressional reps and FBI officials about Apple's refusal to work with the US government to provide access to locked devices and encrypted communications.

    But it does indicate Apple is willing to change policies for governments far less freedom-friendly than ours. And if it's willing to do that, why won't it stash encryption keys for locked devices where US law enforcement can access them?

    Am I missing something? Do not think that Apple has ever said it is not willing to work with US law-enforcement. Or, are we to now understand that a company or individual making use of the legal process bad?

    Also, is there any evidence that Apple is willing to do something for Chinese law-enforcement that it is not doing for US law-enforcement? Do not think that there exists any.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Feb 2018 @ 10:52am

    we keep making China rich

    watch out; I see a [place name of electronic 'infotainment' device here] with my name on it! And it's on sale too!!

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.