Apple to move Chinese iCloud keys to China servers, opens door to government data requests...
In order to conform with Chinese cybersecurity laws, Apple will for the first time move cryptographic iCloud account keys out of the U.S. and into China when it migrates customer data to a local server farm in late February.
Apple notified users of the data transfer in January, saying stored information would be moved to servers operated by its in-country partner Guizhou-Cloud Big Data Industry Co. Ltd. At the time, Apple failed to detail what information would be included in the move.
On Friday, Reuters confirmed customer iCloud keys are part of the mass transfer, potentially making it easier for Chinese government agencies to obtain user texts, emails and other information.
Under Apple's security protocol, data stored in the cloud is encrypted, as are data transfers to and from user devices. Like other systems, cryptographic keys are required to access iCloud data. Currently, all iCloud keys -- even those for Chinese accounts -- are located on U.S. servers, meaning governmental requests for access fall under the purview of U.S. law.
Those protections will disappear as soon as Apple migrates the keys into China. Once on Chinese soil, government agencies will be able to request information through the Chinese legal system, which lacks the transparency, checks or oversight of its American counterpart.
Human rights activists have voiced concern that such change could be dangerous for users branded as political dissidents, whose communications and personal information might soon be open to surveillance.
For its part, Apple has repeatedly said the data migration is a requirement for operating iCloud and other cloud services in China, a lucrative region it cannot afford to overlook. Still, the decision to continue service in light of China's notorious record of censorship and government snooping is seemingly at odds with Apple's consumer privacy dogma.
"While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful," Apple said in a statement. The company went on to argue that maintaining iCloud with its partner GCBD is better than discontinuing the service, as doing so would lead to a negative user experience and would be detrimental to user privacy, the report said.
Sensitive to the political climate, Apple last year said its Chinese servers do not include backdoors and that it would be control of iCloud keys, not GCBD. That might not matter, however, as those keys will be subject to the Chinese legal system, an entity legal experts note lacks mechanics by which warrants are reviewed by an independent court, the report said.
Apple said it will not switch Chinese customer data over to GCBD servers until they agree to new terms of service, but points out that more than 99.9 percent of iCloud users have already done so, according to the report.
In previous statements on the matter, Apple said users who do not wish to have their data transferred have until the end of February to terminate their account.
Apple notified users of the data transfer in January, saying stored information would be moved to servers operated by its in-country partner Guizhou-Cloud Big Data Industry Co. Ltd. At the time, Apple failed to detail what information would be included in the move.
On Friday, Reuters confirmed customer iCloud keys are part of the mass transfer, potentially making it easier for Chinese government agencies to obtain user texts, emails and other information.
Under Apple's security protocol, data stored in the cloud is encrypted, as are data transfers to and from user devices. Like other systems, cryptographic keys are required to access iCloud data. Currently, all iCloud keys -- even those for Chinese accounts -- are located on U.S. servers, meaning governmental requests for access fall under the purview of U.S. law.
Those protections will disappear as soon as Apple migrates the keys into China. Once on Chinese soil, government agencies will be able to request information through the Chinese legal system, which lacks the transparency, checks or oversight of its American counterpart.
Human rights activists have voiced concern that such change could be dangerous for users branded as political dissidents, whose communications and personal information might soon be open to surveillance.
For its part, Apple has repeatedly said the data migration is a requirement for operating iCloud and other cloud services in China, a lucrative region it cannot afford to overlook. Still, the decision to continue service in light of China's notorious record of censorship and government snooping is seemingly at odds with Apple's consumer privacy dogma.
"While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful," Apple said in a statement. The company went on to argue that maintaining iCloud with its partner GCBD is better than discontinuing the service, as doing so would lead to a negative user experience and would be detrimental to user privacy, the report said.
Sensitive to the political climate, Apple last year said its Chinese servers do not include backdoors and that it would be control of iCloud keys, not GCBD. That might not matter, however, as those keys will be subject to the Chinese legal system, an entity legal experts note lacks mechanics by which warrants are reviewed by an independent court, the report said.
Apple said it will not switch Chinese customer data over to GCBD servers until they agree to new terms of service, but points out that more than 99.9 percent of iCloud users have already done so, according to the report.
In previous statements on the matter, Apple said users who do not wish to have their data transferred have until the end of February to terminate their account.
Comments
Stop being complicit.I know most of you sold your souls to free services ,but try to use encryption when you can.
🤢
And yes, in the US, the government can ask the same, that's why Apple is trying to move away from actually owning those encryption keys even for Icloud storage although they do have to "know" some of the metadata cause well, Apple knows who you are obviously. So, they could match a origin apple ID with a destination one and yet not know or be able to retrieve the content of the message.
Can a Chinese user travel to the U.S., buy their devices here, set up their accounts here, then go back to China and access the U.S. iCloud from there? I realize that they’d have to pay a lot for roaming data from a U.S. carrier, but for their wealthy it could be a way to avoid government snooping.
Microsoft did this years ago.
Google did this years ago.
There is no escaping Chinese law if you want to do business in China.
Obviously, encrypting your backups helps maintain your privacy even in China.
so, ChiCloud, please, Tim Cook!
As for the difference between accessing user data in China compared to the US or Europe or anywhere else in the world:
Policing or government agencies have to submit requests to Apple that are then judged for their legality. Some get tossed to the side almost immediately. Others may be complied with in a very limited way while others go thru a legal vetting process. For example the FBI wants access to your user data during an "investigation". Apple says no, too broad a request. FBI narrows it. Apple still says no, they still don't believe the request to be a legal on. The FBI goes to a judge and gets an order for it. Apple still says no, it's not a legal order because <> and they appeal it. A higher court agrees with Apple and the FBI is stymied. That's how it's supposed to work and the way Apple has always said it does work.
In China Apple has relinquished all responsibility for protecting customers from intrusions that Apple might otherwise properly deem illegal. Apple does not even need to be advised as China doesn't need their approval. At all. They are no longer part of the process, they're just the ones gathering it all up in one place to make it easier to get to.
But you want to make believe it's all about nothing? If this isn't enough to give you pause to consider what really drives Apple to do what they do and say what they say...
It doesn't make Apple evil, immoral or anything of that sort. They're a business. They chase PROFIT! just like other companies do. Corporate declarations, events organized by public relations, statements of principal and the like are all coordinated and crafted to support PROFIT!
Like any other company Apple too will modify policies and procedures if they negatively affect revenues. That's business and why Apple exists: To make the greatest amount of profit they can. "Making the world a better place" is along for the ride and helps Apple market their products, framing their public persona quite nicely in giving buyers a social reason on top of a hardware one for Apple products to be worth a premium. If there comes a time it does not they'll modify as needed. Standing up for customer privacy goes only so far and is not what drives Apple to do what they do.
How can any company do a global business without changing some policies? Not every country in the world is some democracy. These activist watchdogs so worried about Apple allowing stuff in China yet the American government doesn't even try to slow down the manufacturing of guns in the U.S. Let's worry about what's going on in our own country and less about what's going on in China. It's up to the citizens in China to change their own government policies. If they don't like Apple's decision forced by their own government, then those citizens will simply have to find another way to hide what they're doing online.
The Magi will collect insane amounts of data about every one using a computer in a particular region then analyze and store that info. Built with no feasible way of remote hacking or remote access of the system. To access information you have to be physically in the building, engaging with the computer in person, but there is no clicking on a keyboard and mouse accessing unlimited, unrelated and personal information about any one, to get information you have to talk or interrogate Magi e.g
Agent: Hello "M" I am officer KD6-3.7, authenticate.
Magi: good morning officer K what can I do for you this morning ?
K: a Robert Dear of Charleston, South Carolina and Louisville, Kentucky has been flagged, community members have reported N1 behavioral patterns triggering this "look see" any thing note worthy ?
Magi: let me see.... Ok I found this C2 level rhetoric on a marijuana Internet forum: "Turn to JESUS or burn in hell [...] WAKE UP SINNERS U CANT SAVE YOURSELF U WILL DIE AN WORMS SHALL EAT YOUR FLESH, NOW YOUR SOUL IS GOING SOMEWHERE."
Magi: He also posted notes on the same forum describing his own marijuana usage and stating that he was looking for women to "party" with.
K: any group links ?
Magi: none at this point
K: what's you're Determination ?
Magi: I recommend a (grade: 5 hate sentiment) reprimand, 10m radius prohibition zone and (level: 2 pri-monitor) serve.
K: I see, print the papper work, I'll petition a Judge's signature and pay Mr Dear a visit.
Yes I know very cute but, this way the police can have reasonable access to information they migh need but they have to ask for specific information related to suspicion or connection to probable cause or infliction of criminality or unlawfull pattens of behavior and or activity.
The government uses computer to sieve through these large data sets any way, it's not like supper computers aren't doing a lot of this already. What I think in undesirable is any group of people having this kind of power, people are corruptible and greedy and nasty even at their most noblest of causes and not to be trusted under the best circumstances. I believe this might be the greatest calling for computing, and who better positions to get them there than Apple. The system could rapidly get so sophisticated that it could flag people itself and warn of imminent danger. Could be cool, no ? Disagree ?