In July 2018, when Guizhou-Cloud Big Data (GCBD) agreed to a deal with state-owned telco China Telecom to move users’ iCloud data belonging to Apple’s China-based users to the latter’s servers, the shift raised concerns that it could make user data vulnerable to state surveillance.
Now, according to a deep-dive report from The New York Times, Apple’s privacy and security concessions have “made it nearly impossible for the company to stop the Chinese government from gaining access to the emails, photos, documents, contacts and locations of millions of Chinese residents.”
The revelations stand in stark contrast to Apple’s commitment to privacy, while also highlighting a pattern of conceding to the demands of the Chinese government in order to continue its operations in the country.
Apple, in 2018, announced iCloud data of users in mainland China would move to a new data center in Guizhou province as part of a partnership with GCBD. The transition was necessitated to abide by a 2017 regulation that required all “personal information and important data” collected on Chinese users “be stored in the territory.”
“iCloud in China mainland is operated by GCBD (AIPO Cloud (Guizhou) Technology Co. Ltd). This allows us to continue to improve iCloud services in China mainland and comply with Chinese regulations,” the iPhone maker’s support document states.
Although iCloud data is end-to-end encrypted, Apple is said to have agreed to store the encryption keys in the data center, when before all iCloud encryption keys were stored on U.S. servers, and therefore subject to U.S. laws around requests for government access.
While U.S. law forbids American companies from turning over data to Chinese law enforcement, the New York Times report reveals that Apple and China entered into an “unusual arrangement” to sidestep U.S. legislation.
To that effect, the company ceded legal ownership of its customers’ data to GCBD, in addition to granting GCBD physical control over the servers and complete access to all information stored in iCloud, thereby allowing “Chinese authorities ask GCBD — not Apple — for Apple customers’ data.”
In the wake of the law’s passing, Apple has provided the contents of an unspecified number of iCloud accounts to the government in nine cases and challenged three government requests for data, the report added. However, there’s no evidence to suggest that the Chinese government gained access to users’ data with the help of digital keys.
What’s more, Apple reportedly eschewed hardware security modules (HSM) made by Thales by building its own in-house HSMs after China refused to certify the devices for use. HSMs house one or more secure crypto processors and are used to perform encryption and decryption functions and store cryptographic keys inside a tamper-resistant environment.
The company told The New York Times that it “never compromised” the security of users or user data in China “or anywhere we operate,” adding its Chinese data centers “feature our very latest and most sophisticated protections,” that are expected to be rolled out to other countries.
“Apple asked a lot of people to back them against the FBI in 2015,” security researcher and Johns Hopkins professor Matthew Green said in a series of tweets. “They used every tool in the legal arsenal to prevent the U.S. from gaining access to their phones. Do they think anyone is going to give them the benefit of the doubt now?”
“Apple is clearly being forced to give the Chinese government more control over customer data. The current compromise may even be ‘ok’, in the sense that some end-to-end encryption is allowed. But sooner or later the Chinese government is going to ask Apple for something that it doesn’t want to give up, and Apple is going to have to make a choice. Maybe they already have,” Hopkins added.