Apple has moved encryption keys for mainland Chinese iCloud users to China, potentially enabling much easier access to data for the nation’s heavy-handed authorities and worrying privacy advocates.
Per Reuters, Apple says the move is required by recent legislation mandating that cloud services available to Chinese citizens are run by Chinese companies operating locally. Previously, the encryption keys were stored stateside, meaning anyone who wished to access iCloud data without the assistance of the user would need to go through the US legal system. Now Chinese authorities will be able to run requests directly through their own legal system, and Apple has “established a data center for Chinese users in a joint venture with state-owned firm Guizhou-Cloud Big Data Industry Co Ltd.,” Reuters reported.
Apple says that it, not its Chinese partner, will be in possession of the encryption keys, and as Reuters noted, authorities and Apple itself remain unable to access data locked locally on an iPhone. (That feature has itself seen Apple locked in several feuds with US law enforcement agencies and legislators who want it to engineer backdoors to its cryptographic security.) But the Chinese legal system operates much differently than its US equivalent, with police enjoying both the power to compel users to give them access without anything resembling a warrant and broad exemptions to data privacy laws, Reuters wrote:
Apple said it will only respond to valid legal requests in China, but China’s domestic legal process is very different than that in the US, lacking anything quite like an American “warrant” reviewed by an independent court, Chinese legal experts said. Court approval isn’t required under Chinese law and police can issue and execute warrants.
“Even very early in a criminal investigation, police have broad powers to collect evidence,” said Jeremy Daum, an attorney and research fellow at Yale Law School’s Paul Tsai China Center in Beijing. “(They are) authorized by internal police procedures rather than independent court review, and the public has an obligation to cooperate.”
Users in Hong Kong and Macau are not affected, Reuters added.
As TechCrunch noted, while iMessage communications are encrypted on the sender’s phone and decrypted on the recipient’s, “Apple uploads a backup of your phone data to iCloud if you activate iCloud during the iPhone on-boarding process.” That means iMessages that haven’t been deleted are also stored on Apple’s iCloud servers in a form that could potentially be accessed by authorities.
According to Reuters, Apple said it had given no customer account information to Chinese authorities despite receiving 176 requests from 2013 to mid-2017, though that was all before the new cybersecurity laws took effect. Still, the company says it will not allow any data to be processed by its new Chinese partner until 99.9 percent of customers agree to new terms of service.
Last year, Apple CEO Tim Cook justified the company’s decision to yank all major VPN apps from its Apps Store by explaining that Apple is powerless to do anything else but comply with the whims of authorities—though that framing somewhat conveniently skips past the reality that what is actually motivating Apple’s willingness to comply is a desire to maintain market access. Competitor Google, which left China in 2010 after refusing to censor search results, has itself relaunched a Chinese version of Maps and appears to be laying the groundwork for a larger presence in coming years.