Apple’s iCloud Data Storage in China Includes Cryptographic Keys – Decision Raises Security Concerns
Apple will begin hosting iCloud data of its Chinese users in a new data center in China. Complying with the tougher Chinese laws, the local authorities will start having faster access to iPhone users' data stored in the cloud. The company had first announced this move last summer after the new cybersecurity laws were passed in China requiring all the foreign companies to use locally managed businesses to store data.
This data, that is currently stored in the United States, will now be stored locally in China and includes, among other things, iCloud cryptographic keys needed to unlock an account. This essentially means that China will no longer need to reach out to the US government or deal with US legal system to seek information on a Chinese Apple user. While this is becoming an increasingly common practice with the US itself pushing for a similar strategy, the approach does raise user privacy and security concerns. Reuters reports today that it's the first time for Apple to store keys outside of the United States.
That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.
For a perspective, Apple reportedly refused all requests it received from the Chinese authorities for information on over 176 users between 2013 and mid-2017. Considering China's tightening control over local internet access, human rights advocates warn that this move will make it impossible for dissidents and journalists in China to freely communicate, as it will become easier for the authorities to track them down. They are also pointing to a similar move taken by Yahoo several years ago, when this data access was used to arrest dissidents and human rights activists.
"Jing Zhao, a human rights activist and Apple shareholder, said he could envisage worse human rights issues arising from Apple handing over iCloud data than occurred in the Yahoo case," Reuters report added.
This is not a backdoor, Apple clarifies
In its statement Apple said it has to comply with the local laws as it does in the United States, as well. The iPhone maker also said that the company's values don't change, however, it is subject to local laws. The move does raise questions over Apple's previous strategy of keeping user security at the center of its business - something that no longer seems to be the case.
"While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful," Apple said in its statement. The company said offering this new system was a better choice than discontinuing it which would have led to bad user experience. However, the company adds this is not a backdoor access and that Apple alone will control the encryption keys.
Note that this iCloud access doesn't mean that China or even Apple could get into the iPhone itself since Apple has argued that its products cannot be broken into without the passcode chosen by the user. While some suggest that Apple actually does have this ability, the company has quite ingeniously continued to maintain its position everywhere from the US to China. In short, the latest move affects only the data stored in cloud that will now be easily accessible to Chinese authorities who will just need to push Apple with a local legal warrant.
While Apple led the industry with user-focused decisions for years, it continues to make moves that no longer align with the company's previous focus on user privacy. The company recently also removed VPN apps from its Chinese App Store raising questions from the United Nations. Tim Cook had said at the time that the company was "just following the law."
Privacy advocates warn that Apple's decision to comply with the Chinese demands will only hurt Apple and other tech companies in the long run, since more governments will follow to make similar demands. The company's position, however, aligns with what Bill Gates had said earlier this month - follow whatever governments legally ask you or be ready for strict government regulation.