Today Apple formally transferred its Chinese iCloud operations to a local firm in southern China. It also began hosting its iCloud encryption keys in China, instead of the US, for the first time. The move has been expected since last year when Apple announced its partnership with Guizhou-Cloud Big Data (GCBD), a Chinese firm supervised by a board run by government-owned businesses, with close ties to the government and Chinese Communist Party.
Apple users with iCloud accounts registered in China will now have their data hosted by the GCBD center. Users who don’t want their data handed over can choose to delete their Chinese iCloud accounts. Apple has told Reuters that it won’t transfer accounts over to the new data center unless users first agree to the updated terms of service.
Since the news was first announced, security experts, lawyers, activists like China’s Chen Guangcheng, and multiple nonprofit organizations have all weighed in to point out the potential security risks. Experts say the move could force Apple to obey various government requests to access Chinese iCloud data.
Meanwhile, Apple has said that GCBD’s close ties to the government are actually a perk. In emails to mainland Chinese customers last month, Apple said that the move enables “us to continue improving the speed and reliability of iCloud and to comply with Chinese regulations.”
It is the latest development in a pattern of Apple acquiescing to Beijing’s demands. Last July, Apple deleted VPN apps from the App Store that let mainland Chinese internet users evade censorship. Apple’s lawyers have also added a clause in the Chinese terms of service that states both Apple and GCBD may access all user data. Apple has not responded to requests for comment.
Jeremy Daum, a lawyer and research fellow at Yale Law School’s Paul Tsai China Center in Beijing, explained, “Search warrants in China are issued by police to police following internal review, not by an independent court.” He added that since police are expected to maintain confidentiality of information, issues like personal privacy or commercial secrets are not considered barriers to police collecting information.
Meanwhile, Chinese laws do not protect internet users’ privacy from government intrusion. In 2015, China passed a National Security Law, which included a provision to give police the authority to demand companies let them bypass encryption or other security tools to access personal data. The National People’s Congress was not available to comment.
The 2017 Cybersecurity Law, which requires companies operating in mainland China to host all data within the country, was likely what led Apple to partner with the new data center. Those defending Apple say that acquiescing to the Chinese government is just the cost of doing business in China. Both Tencent and Alibaba host their data in China.
There may be some small upside to the move for mainland Apple users. “My guess is that Chinese iCloud operations could become faster in China, as they don’t have to go through the firewall,” says Nir B. Kshetri, professor of management at the University of North Carolina, Greensboro.
According to the state-run Global Times, Chinese users will supposedly enjoy faster download times and a more stable network. Global Times published a piece earlier this month titled, “Reasons to be happy about Apple’s local data deal.”
“Some users seem to be concerned about the fact that the new data center in Southwest China’s Guizhou Province will be operated by Apple’s local partner - the government-owned Guizhou-Cloud Big Data Industry Co (GCBD) - fearing their personal data might be scrutinized,” it wrote, “But such fears should by no means mask the positive effects of the venture.”
The GT opinion piece says the Chinese government will “effectively ensure data security,” and that, “Chinese businesses and institutions might no longer have to worry about the possible loss of Chinese data stored in overseas data centers and may accordingly increase their use of iCloud services.”
Charlie Smith, a co-founder of anti-censorship sites GreatFire.org and FreeWeibo.com, says there’s truth behind the data security claim the Global Times piece makes, but it’s not the main issue. “I do not doubt that the Chinese authorities can keep data secure. Baidu could likely keep data secure from the prying eyes of the NSA—but that is not the problem,” he said. “The problem is that the Chinese authorities can and will access this data whenever they deem it to be necessary. And the rationale for accessing this data is broad.”
Apple’s iCloud data is end-to-end encrypted and many experts point out that the concern isn’t outsider hacking, but rather full government access. According to Apple’s own transparency reports, from 2013 to mid-2017, the company shared a small amount of data with Chinese authorities, but caveated that it was only subscriber and transactional data and not photos, emails, or contacts. The percentage of data access requests Apple has approved has gone up over time. Apple provided data in response to 96 percent of requests during the first half of last year. It’s unclear how much data Apple will give out now that the Cybersecurity Law of 2017 has taken effect.
Amie Stepanovich, US Policy Manager for Access Now, an advocacy group dedicated to protecting users’ digital rights, argues that Apple’s use of data localization, especially of encryption keys, is wrong. “Encryption is still our best defense against unauthorized access to data, and policies that put keys into a single place provide an enticing target for bad actors,” she told The Verge.
Many Apple users in China may not notice the transition. Meanwhile, Apple is telling customers their data will remain secure and private. “Apple has strong data privacy and security protections in place and no backdoors will be created into any of our systems,” it said in a statement. Private, that is, until the Chinese government requests to see it.
Update February 28, 11:20 AM ET: This article has been updated with comments from Jeremy Daum.