By Robert McMillan and Tripp Mickle
When Apple Inc. next week begins shifting the iCloud accounts of
its China-based customers to a local partner's servers, it also
will take an unprecedented step for the company that alarms some
privacy specialists: storing the encryption keys for those accounts
in China.
The keys are complex strings of random characters that can
unlock the photos, notes and messages that users store in iCloud.
Until now, Apple has stored the codes only in the U.S. for all
global users, the company said, in keeping with its emphasis on
customer privacy and security.
While Apple says it will ensure that the keys are protected in
China, some privacy experts and former Apple security employees
worry that moving the keys to China makes them more vulnerable to
seizure by a government with a record of censorship and political
suppression.
"Once the keys are there, they can't necessarily pull out and
take those keys because the server could be seized by the Chinese
government," said Matthew Green, a professor of cryptography at
Johns Hopkins University. Ultimately, he says, "It means that Apple
can't say no."
Apple says it is moving the keys to China as part of its effort
to comply with a Chinese law on data storage enacted last year.
Apple said it will store the keys in a secure location, retain
control over them and hasn't created any backdoors to access
customer data. A spokesman in a statement added that Apple
advocated against the new laws, but chose to comply because it
"felt that discontinuing the [iCloud] service would result in a bad
user experience and less data security and privacy for our Chinese
customers."
Apple's move reflects the tough choice that has faced all
foreign companies that want to continue offering cloud services in
China since the new law. Other companies also have complied,
including Microsoft Corp. for its Azure and Office 365 services,
which are operated by 21Vianet Group, Inc., and Amazon.com Inc.,
which has cloud operating agreements with Beijing Sinnet Technology
Co. and Ningxia Western Cloud Data Technology Co.
Amazon Web Services and Microsoft, which serve businesses in
China, declined to say where encryption keys will be stored for
businesses using their security tools there.
Privacy specialists are especially interested in Apple because
of its enormous customer base and its history of championing
customer privacy. Apple in 2016 fought a U.S. government demand to
help unlock the iPhone of the gunman in the 2015 San Bernardino
terrorist attack. "For many years, we have used encryption to
protect our customers' personal data because we believe it's the
only way to keep their information safe," Apple Chief Executive Tim
Cook said then in a letter to customers explaining its
decision.
Apple said it will provide data only in response to requests
initiated by Chinese authorities that the company deems lawful and
said it won't respond to bulk data requests. In the first half of
2017, Apple received 1,273 requests for data from Chinese
authorities covering more than 10,000 devices, according to its
transparency report. Apple said it provided data for all but 14% of
those requests.
Greater China is Apple's second-most-important market after the
U.S., with $44.76 billion in revenue in its last fiscal year, a
fifth of the total. Some previous steps to comply with Chinese laws
have been controversial, including removing apps from its China
store for virtual private networks that can circumvent government
blocks on websites. Apple has said it follows the law wherever it
operates and hopes that the restrictions around communication in
China are eventually loosened.
Jingzhou Tao, a Beijing-based attorney at Dechert LLP, said
Chinese iPhone users are disappointed by Apple's changes to iCloud
data storage because privacy protection in China is weak. However,
he said users there "still consider that iPhone is better than some
other pure Chinese-made phones for privacy policy and
protection."
Apple's cloud partner in China is Guizhou on the Cloud Big Data
Industry Co., or Guizhou-Cloud, which is overseen by the government
of Guizhou province. Apple plans to shift operational
responsibility for all iCloud data for Chinese customers in China
to Guizhou-Cloud by Feb. 28. Customer data will migrate to servers
based in China over the course of the next two years. The company
declined to say when the encryption keys would move to China.
Apple began notifying iCloud users in China last month that
Guizhou-Cloud would be responsible for storing their data.
Updated terms and conditions for China users say that Apple and
Guizhou-Cloud "will have access to all data" and "the right to
share, exchange and disclose all user data, including content, to
and between each other under applicable law."
"Given that Apple's China operations will be managed by a
Chinese company, it seems implausible that the government will not
have access to Apple data through the local company," said Ronald
Deibert, a political-science professor at the University of
Toronto's Munk School of Global Affairs who has researched Chinese
government hacking operations.
Guizhou-Cloud and the Chinese cybersecurity administration
didn't immediately respond to requests for comment.
Reporters Without Borders has urged journalists in China to
change their geographic region or close their accounts before Feb.
28, saying Chinese authorities could gain a backdoor to user data
even if Apple says it won't provide one.
Apple said it has advised Chinese customers that they can opt
out of iCloud service to avoid having their data stored in China.
Data for China-based users whose settings are configured for
another country, or for Hong Kong and Macau, won't go on Chinese
servers, and Apple said it won't transfer anyone's data until they
accept the new mainland-China terms of service.
Mr. Green and others say Apple should provide more technical
details on its steps to secure its encryption keys and internet
usage data that might be available on Guizhou-Cloud.
This usage information, called metadata, could tell Chinese
authorities the identity of users who download a book or other
files of interest to the government, said Joe Gross, a consultant
on building data centers.
"You can tell whether people are uploading or downloading
things," he said "You can tell where they are. You may be able to
tell whether they're sharing things."
Apple said there would need to be a legal request to obtain
metadata.
Yoko Kubota, Jay Greene and
Xiao Xiao
contributed to this article.
Write to Robert McMillan at Robert.Mcmillan@wsj.com and Tripp
Mickle at Tripp.Mickle@wsj.com
(END) Dow Jones Newswires
February 24, 2018 13:54 ET (18:54 GMT)
Copyright (c) 2018 Dow Jones & Company, Inc.
Apple (NASDAQ:AAPL)
Historical Stock Chart
From Mar 2024 to Apr 2024
Apple (NASDAQ:AAPL)
Historical Stock Chart
From Apr 2023 to Apr 2024
