Apple is under scrutiny yet again for the concessions it makes in China. A new report from the New York Times today focuses broadly on Apple’s relationship with the Chinese government, citing internal documents from the company and interviews with 17 current and former Apple employees.
Some of the most notable details in the report cover Apple complying with local regulations in the country related to storing Chinese user data on local servers. Apple has refuted some of the claims made in the report.
When Apple moved Chinese user data to local servers, the company promised that the data would be safe and managed with Apple’s strict approach to privacy. Today’s report says that Apple has “largely ceded control to the Chinese government.”
The main point in the article comes down to where the encryption keys to unlock that data are held. Initially, Apple has reportedly demanded it keep the keys in the United States. When the law went into effect in 2017, the location of the keys “was left intentionally vague,” and eight months later, the keys were being stored in China.
And in its data centers, Apple’s compromises have made it nearly impossible for the company to stop the Chinese government from gaining access to the emails, photos, documents, contacts, and locations of millions of Chinese residents, according to the security experts and Apple engineers.
As the report explains, this means that the keys to unlock the user data in China are stored “in the data centers they’re meant to secure.” With that being said, however, there is no evidence that the data has been accessed by the Chinese government. The documents reviewed by the Times indicate that “Apple has made compromises” that make it easier for the government to access that data if needed.
But the iCloud data in China is vulnerable to the Chinese government because Apple made a series of compromises to meet the authorities’ demands, according to dozens of pages of internal Apple documents on the planned design and security of the Chinese iCloud system, which were reviewed for The Times by an Apple engineer and four independent security researchers.
The digital keys that can decrypt iCloud data are usually stored on specialized devices, called hardware security modules, that are made by Thales, a French technology company. But China would not approve the use of the Thales devices, according to two employees. So Apple created new devices to store the keys in China.
In a statement, Apple refuted the idea that it has compromised the security of users in China and said that it controls the keys to the data:
Apple also added that its Chinese data centers “feature our very latest and most sophisticated protections.” The company is working up against a June 2021 deadline for storing data on new Chinese data servers, the report says.
The company said in a statement that it followed the laws in China and did everything it could to keep the data of customers safe. “We have never compromised the security of our users or their data in China or anywhere we operate,” the company said.
An Apple spokesman said that the company still controlled the keys that protect the data of its Chinese customers and that Apple used its most advanced encryption technology in China — more advanced than what it used in other countries.
The full report from the New York Times is worth a read and can be found here. It includes additional reporting on the App Store in China.
Apple has tried to isolate the Chinese servers from the rest of its iCloud network, according to the documents. The Chinese network would be “established, managed, and monitored separately from all other networks, with no means of traversing to other networks out of country.” Two Apple engineers said the measure was to prevent security breaches in China from spreading to the rest of Apple’s data centers.
Apple said that it sequestered the Chinese data centers because they are, in effect, owned by the Chinese government, and Apple keeps all third parties disconnected from its internal network.