Apple Agrees To Store Chinese iCloud Data In China, Making It Much Easier For The Chinese Gov't To Access It
from the joining-the-Big-Brothers-program dept
In a time when law enforcement officials are calling Apple "evil" and demanding access to encrypted communications, it doesn't make much sense for the company to be doing this.
When Apple Inc begins hosting Chinese users’ iCloud accounts in a new Chinese data center at the end of this month to comply with new laws there, Chinese authorities will have far easier access to text messages, email and other data stored in the cloud.
That’s because of a change to how the company handles the cryptographic keys needed to unlock an iCloud account. Until now, such keys have always been stored in the United States, meaning that any government or law enforcement authority seeking access to a Chinese iCloud account needed to go through the U.S. legal system.
Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.
This will allow the Chinese government to quell dissent and hunt down wrong-thinkers much more efficiently. It also shows the company is willing to drastically change the way it does business in order to maintain a large foreign customer base. This move will prompt questions from Congressional reps and FBI officials about Apple's refusal to work with the US government to provide access to locked devices and encrypted communications. Thanks to its acquiescence to the Chinese government, these questions won't be so easy to answer.
This change in policy won't move the needle much in terms of US lawful access. US authorities will now have to route requests for Chinese data through the Chinese government, but it's unlikely there's much of that going on now. Requests for domestic data and communications stored in Apple's iCloud will be handled the way they always have been. Apple's always held keys domestically for iCloud accounts, which makes the cries of "going dark" a bit melodramatic.
But it does indicate Apple is willing to change policies for governments far less freedom-friendly than ours. And if it's willing to do that, why won't it stash encryption keys for locked devices where US law enforcement can access them?
Apple's defense of this move is interesting. It claims denying the Chinese government access would have meant shutting down the service in China. According to Apple's statements, this would make Chinese users less safe than the company decrypting iCloud data on demand.
“While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,” it said. Apple said it decided it was better to offer iCloud under the new system because discontinuing it would lead to a bad user experience and actually lead to less data privacy and security for its Chinese customers.
Presumably, data would have migrated to smaller cloud services offering even less protection to Chinese citizens. But that's hard to square with the fact that Apple's Chinese iCloud infrastructure is reliant on state-owned cloud firm Guizhou -- a company with close ties to the Chinese government.
Apple says the government won't have access to keys. It will still hold the keys, but the data's location means there won't be any prolonged battles over jurisdiction. Its "contractual arrangement" with Guizhou possibly makes Apple's decision to hold the keys inconsequential. The government may be able to approach Apple's partner and obtain direct access, bypassing the very minimal legal requirements Chinese law enforcement needs to meet before demanding user data.
Apple used to resist the Chinese government's demand for cloud data. Now it's pretty much engaged in a partnership with a state-owned business. If it's willing to do this, its resistance to US government overtures seems hypocritical at best. I don't want Apple to lower its defenses against US government intrusion, but I'd rather it took a consistent stance on these issues. Right now, it appears to be willing to submit to authoritarian governments rather than sacrifice part of its user base. That willingness punches holes in Apple's defense of its actions on the domestic side and makes it easier for US law enforcement officials to sell encryption-damaging legislation to Congress and the White House.
Filed Under: china, human rights, icloud, privacy, security, surveillance
Companies: apple
Reader Comments
[ link to this | view in thread ]
Correct me if I'm wrong, but I thought Apple complied with all lawful requests for access to "locked devices and encrypted communications".
And that in the most famous example of where they "refus[ed] to work with the US government", the San Bernardino case, they were unable to comply with the government's request because they were physically unable to bypass the encryption.
[ link to this | view in thread ]
Leaky bucket
[ link to this | view in thread ]
Confusing 2 things: device and cloud encryption
The ability to decrypt cloud backup is available to law enforcement without a real backdoor. The FBI has relied on this extensively.
China is not getting access to device encryption so it finds itself in the same situation as the FBI.
[ link to this | view in thread ]
Fools
[ link to this | view in thread ]
We should all...
[ link to this | view in thread ]
question about apple
I expect the answer is no, but thought I'd ask.
Also I'd point out - there's no reason Apple HAS to have the keys for their own cloud - they could be individually backed up by the end user, via simple means like a small USB drive - then Apple could avoid having anything to do with turning over data. One should wonder why they don't do it this way...
[ link to this | view in thread ]
Re: question about apple
Does apple allow third party cloud backup systems?
You can back up locally to your computer (either by direct connection or over the local network automatically). To store that backup in a cloud drive, you'd need to either manually copy the backup file to the cloud, or replace the default Apple backup folder with a symbolic link to a cloud drive.
So yes, they do, but it takes a bit more user effort to set up than using Apple's system.
[ link to this | view in thread ]
Re:
Really, most cloud services are like this. They hold the keys. Sometimes it's YOU that hold the keys, but if anything happens and you lose them, they can't do anything for you to get your access back at that point.
So there's CLOUD storage. Then there is your HARDWARE, the iPhone, which is also encrypted, with its own security, using Apple Secure Enclave which is part of Apple's A* processor. Apple doesn't have the keys to your phone!!!! So Apple can't just break into your phone. For the San Bernardino case, they wanted Apple to rewrite the OS in such a way that the phone would install that, and then be able to get around the phone's security. Apple refused to do that. Once something like that exists, everyone would want to use it to get around the phone's security, including China.
So there's CLOUD data, for which Apple has the keys, and then there's hardware encryption of the device itself. So your phone, in general, is secure, but anything going out to Apple's iCloud service, Apple has the keys. Google and Microsoft also have access to all your cloud data.
[ link to this | view in thread ]
Re: Fools
[ link to this | view in thread ]
Re: We should all...
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
As for cloud services specifically, most people are more concerned about ease of making backups than about access by the government. Cloud storage makes backups extremely easy (compared to having to go somewhere, retrieve the device, perform the backup, return the device) and if better protection is desired they can easily encrypt it locally before sending it to the service.
[ link to this | view in thread ]
Re: Fools
[ link to this | view in thread ]
Re:
There's really nowhere better for the data to be stored than in your own country, unless you're doing something that's considered illegal in your own country.
So yes, there are certain activities that Chinese people probably shouldn't store on iCloud, but they already know that.
I say all this as a person who does not live in the US, but whose iCloud data all gets stored in the US where I have no control over it. The result is that I keep most iCloud services disabled because it's not worth the privacy risk and me having to check and make sure everything I store there not only is within the laws of my own country, but is also not going to set off some alarm in the US.
As someone not in the US, why should the FBI, NSA or CIA have access to the contents of my phone?
[ link to this | view in thread ]
Re: Re:
This is kind of correct and kind of not. iCloud is more complex than the other cloud solutions.
Apple has the keys to your iCloud volume, but most of the stuff stored on there is encrypted against your phone, not against Apple's iCloud key.
Added to that, the main data is actually farmed out to S3 and Google Cloud, with the encryption keys for that being stored on iCloud.
So when US authorities gain legal access to your iCloud account, they gain access to your Apple ID and the metadata stored in your iCloud account. They then have to get a further warrant to get the encrypted data stored elsewhere. After that, they may still end up with encrypted data that Apple can't decrypt.
So mostly what they get is dates, times, and file names.
[ link to this | view in thread ]
This move will prompt questions from Congressional reps and FBI officials about Apple's refusal to work with the US government to provide access to locked devices and encrypted communications.
But it does indicate Apple is willing to change policies for governments far less freedom-friendly than ours. And if it's willing to do that, why won't it stash encryption keys for locked devices where US law enforcement can access them?
Am I missing something? Do not think that Apple has ever said it is not willing to work with US law-enforcement. Or, are we to now understand that a company or individual making use of the legal process is bad?
Also, is there any evidence that Apple is willing to do something for Chinese law-enforcement that it is not doing for US law-enforcement? Do not think that there exists any.
[ link to this | view in thread ]
we keep making China rich
[ link to this | view in thread ]
Re: Re:
Certainly more than the cloud is.
[ link to this | view in thread ]
Re: Re: We should all...
[ link to this | view in thread ]
Re: Re:
Phone backs up to computer when I plug it in at night. Backup is ALL data and is encrypted by a long passphrase.
Computer backs up to two NAS volumes at different locations in my house on an hourly basis.
Computer also backs up to a connected external drive that gets swapped out with the one in a safe deposit box across town on a bi-monthly basis. All backups are encrypted.
For some long-term data, I've written it to an encrypted volume that is stored with a relative out of state.
I also keep a minimal set of encrypted data on iCloud, but that has PII minimized as much as possible.
[ link to this | view in thread ]
Re: Re: Re:
So no, a safe deposit box is not under your control. Whether it is more under your control than the cloud depends a lot on what types of control you value.
1) Both can block your access or throw out/give away your stuff at a whim.
2) Safe deposit boxes have limited access, cloud storage does not.
3) Cloud providers can search your storage faster than deposit box providers, though both can search it within a day so the difference is minimal.
etc. etc.
You seem most interested in (3), others may be interested in different types of control.
[ link to this | view in thread ]
Re: question about apple
[ link to this | view in thread ]