Apple makes much of their commitment to privacy, but when it comes to China their principles are much more flexible.
In July 2018, when Guizhou-Cloud Big Data (GCBD) agreed to a deal with state-owned telco China Telecom to move users’ iCloud data belonging to Apple’s China-based users to the latter’s servers, the shift raised concerns that it could make user data vulnerable to state surveillance.
Now, according to a deep-dive report from The New York Times, Apple’s privacy and security concessions have “made it nearly impossible for the company to stop the Chinese government from gaining access to the emails, photos, documents, contacts and locations of millions of Chinese residents.”
The revelations stand in stark contrast to Apple’s commitment to privacy, while also highlighting a pattern of conceding to the demands of the Chinese government in order to continue its operations in the country.
The report says that Apple has “largely ceded control to the Chinese government:”
And in its data centers, Apple’s compromises have made it nearly impossible for the company to stop the Chinese government from gaining access to the emails, photos, documents, contacts, and locations of millions of Chinese residents, according to the security experts and Apple engineers.
The primary issue in the report has to do with where the encryption keys to unlock that data are held. Apple has reportedly demanded it keep the keys in the US, but when the Chinese law went into effect in 2017, the location of the keys “was left intentionally vague.” Eight months later, the keys were being stored in China, explains the report:
But the iCloud data in China is vulnerable to the Chinese government because Apple made a series of compromises to meet the authorities’ demands, according to dozens of pages of internal Apple documents on the planned design and security of the Chinese iCloud system, which were reviewed for The Times by an Apple engineer and four independent security researchers.
The digital keys that can decrypt iCloud data are usually stored on specialized devices, called hardware security modules, that are made by Thales, a French technology company. But China would not approve the use of the Thales devices, according to two employees. So Apple created new devices to store the keys in China.
In a statement, Apple pushed back against the idea that it has compromised the security of users in China, saying that it controls the keys to the data:
The company said in a statement that it followed the laws in China and did everything it could to keep the data of customers safe. “We have never compromised the security of our users or their data in China or anywhere we operate,” the company said.
An Apple spokesman said that the company still controlled the keys that protect the data of its Chinese customers and that Apple used its most advanced encryption technology in China — more advanced than what it used in other countries.
The full report from the New York Times is well worth a read.