Apple begins storing Russian iCloud data within country, complying with new law - report
Apple is said to have partnered with a Russian data center to host iCloud data for users in that country, responding to a new law that went into effect on Sept. 1.
Racks of Apple's iCloud servers in Maiden, NC
Apple reportedly brokered a deal with Moscow's IXcellerate to host Russian user data locally, according to local newspaper Kommersant, as discovered by The Moscow Times. Apple's compliance ensures that its online services won't be blocked in Russia.
With the new law now in effect, Russia's government-run communications regulator Roskomnadzor has warned that it will begin conducting compliance inspections this year. The law is said to affect some 2.6 million companies.
If a company refuses to host its user data within Russia, Roskomnadzor can restrict access to websites and services for Russian users. Most companies have agreed to the new rules, but some --?including Facebook --?are said to be reluctant to comply.
Russia's new laws governing the Internet were one of the chief reasons cited by Spotify earlier this year, when the music streaming service abandoned its plans to launch in the country. And last year, Google also closed its engineering operations in Moscow, as criticism over the government's Internet policies began to grow.
The move to store data locally isn't unprecedented for Apple --?the company began storing Chinese users' account data on servers owned by China Telecom last year. At the time, the iPhone maker noted it takes "user security and privacy very seriously," and that all data stored on the servers is encrypted and could not be accessed by outside parties.
Racks of Apple's iCloud servers in Maiden, NC
Apple reportedly brokered a deal with Moscow's IXcellerate to host Russian user data locally, according to local newspaper Kommersant, as discovered by The Moscow Times. Apple's compliance ensures that its online services won't be blocked in Russia.
With the new law now in effect, Russia's government-run communications regulator Roskomnadzor has warned that it will begin conducting compliance inspections this year. The law is said to affect some 2.6 million companies.
If a company refuses to host its user data within Russia, Roskomnadzor can restrict access to websites and services for Russian users. Most companies have agreed to the new rules, but some --?including Facebook --?are said to be reluctant to comply.
Russia's new laws governing the Internet were one of the chief reasons cited by Spotify earlier this year, when the music streaming service abandoned its plans to launch in the country. And last year, Google also closed its engineering operations in Moscow, as criticism over the government's Internet policies began to grow.
The move to store data locally isn't unprecedented for Apple --?the company began storing Chinese users' account data on servers owned by China Telecom last year. At the time, the iPhone maker noted it takes "user security and privacy very seriously," and that all data stored on the servers is encrypted and could not be accessed by outside parties.
Comments
This is a turnabout. Google and Facebook hesitant to agree to Russian access, but Apple deciding the money is worth it? A bit of a surprise.
It's worth it until it's not. Apple has enough confidence in their encryption that if Russia wants to spy on the data they'll have to make a demand, and Apple can decide what to do at that time: comply, compromise, or pull out, and Russia will be the one that risks looking unreasonable.
It's worth it until it's not. Apple has enough confidence in their encryption that if Russia wants to spy on the data they'll have to make a demand, and Apple can decide what to do at that time: comply, compromise, or pull out, and Russia will be the one that risks looking unreasonable.
Isn’t the reason Apple has not complied with a recent request by the U.S. government because it said it couldn’t comply as the data is encrypted and Apple does not have the encryption key? If that’s the case and Russian law does not mandate backdoor access then Apple couldn’t comply with a Russian request either. So I suspect those Russian servers are wide open to Putin’s KGB (or whatever they call it these days.)
I suppose it's comforting to have all my data stored where all my porn comes from
" src="http://forums-files.appleinsider.com/images/smilies//lol.gif" />
Isn’t the reason Apple has not complied with a recent request by the U.S. government because it said it couldn’t comply as the data is encrypted and Apple does not have the encryption key? If that’s the case and Russian law does not mandate backdoor access then Apple couldn’t comply with a Russian request either. So I suspect those Russian servers are wide open to Putin’s KGB (or whatever they call it these days.)
In Russia, Systems Backdoor YOU!
remember there is metadata that you can track when the storage is in country (IP addresses creating files, etc). So even if not 'wide open' access logs may be enough to prove you guilty enough to put you in the Gulags, without the content of any message.
This is a turnabout. Google and Facebook hesitant to agree to Russian access, but Apple deciding the money makes it worthwhile? A bit of a surprise.
Indeed.
This is a turnabout. Google and Facebook hesitant to agree to Russian access, but Apple deciding the money makes it worthwhile? A bit of a surprise.
With the Apple data encrypted, does it really matter? They are not giving Russia access, just storing the encrypted data in a datacenter in Russia.
Not certain, but wasn't the Google/China issue as much over access as data location? This appears to be only about location... For the moment
This is what the Chinese draft rules require of companies providing internet access, which by definition would include Apple. Russian rules may or may not be similar:
-Provide “Backdoors” to Government Authorities: Article 15 requires ISPs to install “technical interfaces in the design, construction, and operation of telecommunication and Internet [services].” These technical “interfaces” would act as backdoors for government access. China’s law enforcement authorities may use these backdoors to “prevent” or “investigate” terrorist activities.
-Provide Encryption Keys to Government Authorities: Article 15 requires ISPs to “report their encryption scheme” to the “departments responsible for encryption [likely the State Commercial Cryptography Administration] for examination.” No further details are given regarding the scope of this “examination.”
-Article 16 requires ISPs that provide “encrypted transmission services” to file their encryption scheme with “network communication departments [likely the Ministry of Industry and Information Technology] and public security organs,” and to assist such organs in any subsequent investigative work. Essentially, this requires ISPs to provide the encryption keys to relevant government departments for use during any later investigation.
-Data Localization: Article 15 states that any ISP “providing telecommunications or Internet service within the borders of the People’s Republic of China must locate its related servers and domestic user data within the borders of [China].” This data localization requirement follows on the heels of a similar measure in Russia, and appears aimed at ensuring that the Chinese government has full access to all information transmitted within its borders. This requirement is in keeping with China’s recent embrace of the principle of “cyber-sovereignty,” which holds, in part, that States, rather than a multi-lateral coalition of stakeholders, should be free to regulate all content transmitted within their physical, geographical borders. By requiring international companies to place their servers in China, the draft law would ensure that international companies fall under Chinese jurisdiction.
Now this in no guarantee that Apple is 100% complying with all the demands but IMHO they will have little choice if they wish to have unfettered access to Chinese and Russian customers.
Sorry to say, that's naïve.
Encryption is only as reliable as the implementation is bug free, the algorithms and corresponding parameters are wisely chosen.
E.g. there is well founded suspicion that widely used encryption used parameters chosen by the NSA to make things vulnerable to their attack, which goes to prove "encrypted = safe" is much too simple a view, particularly when you try to protect yourself not against some random small time criminals but against big criminals such as governments.
Anything that can be viewed on a web client without being decrypted locally in the browser by passwords entered by the user or stored in a locally present, well encrypted keychain, you have to consider potentially compromised, because even though the data may be stored encrypted and is transferred encrypted, it first was decrypted on the server to render the content into a description of a viewable web page. This means the server, and thus anyone with a search warrant and some technical savvy, can potentially render that information into the clear; one of many reasons why cloud solutions simply suck.
Isn’t the reason Apple has not complied with a recent request by the U.S. government because it said it couldn’t comply as the data is encrypted and Apple does not have the encryption key? If that’s the case and Russian law does not mandate backdoor access then Apple couldn’t comply with a Russian request either. So I suspect those Russian servers are wide open to Putin’s KGB (or whatever they call it these days.)
Two different things. Apple doesn't have the encryption key to a user's phone but they definitely have the encryption key to the files on the server otherwise they would not be able to serve any of your files such as iCloud documents, iTunes, email, or anything else you might view in a browser.
Isn’t the reason Apple has not complied with a recent request by the U.S. government because it said it couldn’t comply as the data is encrypted and Apple does not have the encryption key? If that’s the case and Russian law does not mandate backdoor access then Apple couldn’t comply with a Russian request either. So I suspect those Russian servers are wide open to Putin’s KGB (or whatever they call it these days.)
For the real-time transmission acquisition I'm still unsure why they couldn't "comply" by delivering, when properly served, that encrypted stream. It's what they're in possession of after all. Same to FBI etc.
Post Snowden everyone knows your data isn't safe just because it is in the U.S. So the argument against locating data in a given country carries less weight.
Not certain, but wasn't the Google/China issue as much over access as data location? This appears to be only about location... For the moment
Let me fix that first sentence...
Post Snowden, everyone knows your data isn't safe because it is in the U.S.