Privacy concerns raised as Apple moves iCloud keys to China

CHINESE authorities are tipped to have far easier access to text messages, email and other data stored in Apple’s iCloud accounts when the company moves Chinese users’ accounts to a new data center in the country to comply with new laws there.

Apple has given its Chinese users notifications about the Feb 28 switchover to the Chinese data center in the form of emailed warnings and so-called push alerts, reminding users that they can choose to opt out of iCloud and store information solely on their device.

The change only affects users who set China as their country on Apple devices and doesn’t affect users who select Hong Kong, Macau or Taiwan.

The privacy concerns have surfaced based on how the company handles the cryptographic keys needed to unlock an iCloud account. Until now, such keys have always been stored in the United States, meaning that any government or law enforcement authority seeking access to a Chinese iCloud account needed to go through the US legal system.

Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the US courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts told Reuters.

People celebrating European data residency laws as a win for personal integrity may want to take note that Apple is now required to store iCloud data for its Chinese users in China. Governments as protectors of your data don't have a great track record.

— Andreas Ehn (@ehn) February 26, 2018

Human rights activists say they fear the authorities could use that power to track down dissidents, citing cases from more than a decade ago in which Yahoo Inc handed over user data that led to arrests and prison sentences for two democracy advocates.

Jing Zhao, a human rights activist and Apple shareholder, said he could envisage worse human rights issues arising from Apple handing over iCloud data than occurred in the Yahoo case.

In a statement, Apple said it had to comply with recently introduced Chinese laws that require cloud services offered to Chinese citizens be operated by Chinese companies and that the data be stored in China. It said that while the company’s values don’t change in different parts of the world, it is subject to each country’s laws.

“While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,” it said. Apple said it decided it was better to offer iCloud under the new system because discontinuing it would lead to a bad user experience and actually lead to less data privacy and security for its Chinese customers.

As a result, Apple has established a data center for Chinese users in a contractual arrangement with state-owned firm Guizhou – Cloud Big Data Industry Co Ltd. The firm was set up and funded by the provincial government in the relatively poor southwestern Chinese province of Guizhou in 2014. The Guizhou company has close ties to the Chinese government and the Chinese Communist Party.

The Apple decision highlights a difficult reality for many U.S. technology companies operating in China. If they don’t accept demands to partner with Chinese companies and store data in China, then they risk losing access to the lucrative Chinese market, despite fears about trade secret theft and the rights of Chinese customers.

Broad powers

Apple says the joint venture does not mean that China has any kind of “backdoor” into user data and that Apple alone – not its Chinese partner – will control the encryption keys. But Chinese customers will notice some differences from the start: their iCloud accounts will now be co-branded with the name of the local partner, a first for Apple.

And even though Chinese iPhones will retain the security features that can make it all but impossible for anyone, even Apple, to get access to the phone itself, that will not apply to the iCloud accounts. Any information in the iCloud account could be accessible to Chinese authorities who can present Apple with a legal order.

Apple said it will only respond to valid legal requests in China, but China’s domestic legal process is very different than that in the US, lacking anything quite like an American “warrant” reviewed by an independent court, Chinese legal experts said. Court approval isn’t required under Chinese law and police can issue and execute warrants.

“Even very early in a criminal investigation, police have broad powers to collect evidence,” said Jeremy Daum, an attorney and research fellow at Yale Law School’s Paul Tsai China Center in Beijing. “(They are) authorized by internal police procedures rather than independent court review, and the public has an obligation to cooperate.”

Until now, Apple appears to have handed over very little data about Chinese users. From mid-2013 to mid-2017, Apple said it did not give customer account content to Chinese authorities, despite having received 176 requests, according to transparency reports published by the company. By contrast, Apple has given the United States customer account content in response to 2,366 out of 8,475 government requests.

Additional reporting by Reuters

---

---

---