Apple to store keys for China iCloud accounts in China itself

February 28, 2018 13:47
Apple's plan to shift encryption keys for China iCloud accounts to a Chinese data center has added to worries about potential government snooping. Photo: Reuters

Last month, Apple announced that it would begin shifting the iCloud accounts of its China-based users into a new Chinese data center at the end of February. Now, we have news that the company will also store the encryption keys for the Chinese iCloud accounts in China itself.

The cryptographic keys are needed to unlock the photos, notes, and messages that users store in iCloud. The company had stored the keys only in the United States for all global users, meaning that any government or law enforcement authority seeking access to an iCloud account needed to go through the US legal system, Reuters reports.

But now, Apple says it is moving the keys for Chinese iCloud accounts to China, an unprecedented step for the company. That means Chinese authorities can use their own legal system to ask Apple to hand over iCloud data for Chinese users in the future, the news agency said, citing legal experts.

Apple explained the move in a statement, saying that it had to comply with recently enacted Chinese laws that require cloud services offered to Chinese citizens be operated by Chinese companies and that the data be stored in China.

"While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,” it said. The company’s values don’t change in different parts of the world, Apple said, but pointed out that "it is subject to each country’s laws.”

Apple said it decided it was better to offer iCloud under the new system because discontinuing it would lead to a bad user experience and actually lead to less data privacy and security for its Chinese customers.

"It means that Apple can’t say no," Matthew Green, a professor of cryptography at Johns Hopkins University, told the Wall Street Journal. "Once the keys are there, they can’t necessarily pull out and take those keys because the server could be seized by the Chinese government."

In its statement, Apple said it will only respond to valid legal requests in China and that it won’t respond to bulk data requests.

In the first half of 2017, Apple received 1,273 requests for data from Chinese authorities covering more than 10,000 devices, according to its transparency report, the Wall Street Journal reports. Apple said it provided data for all but 14 percent of those requests.

Apple has established a data center for Chinese users in a contractual arrangement with state-owned firm, Cloud Big Data Industry Co, which is overseen by the Guizhou provincial government.

Apple says the joint venture does not mean that China has any kind of "backdoor” into user data and that Apple alone will control the encryption keys, Reuters reports.

Apple will start to shift operational responsibility for all iCloud data for Chinese customers in China to Guizhou-Cloud by February 28.

Customer data will migrate to servers based in China over the next two years, but the firm has not disclosed the schedule of the move of encryption keys to China, according to WSJ.

Terms and conditions for China-based iCloud users have been updated, saying that Apple and Guizhou-Cloud “will have access to all data,” and “the right to share, exchange and disclose all user data, including content, to and between each other under applicable law,” the paper noted.

Apple has given its Chinese users notifications about the move, reminding Chinese customers that they can opt out of iCloud service to avoid having their data stored in China.

Data for China-based users whose settings are configured for another country, or for Hong Kong and Macau, won't go on Chinese servers, the company said.

This article appeared in the Hong Kong Economic Journal on Feb 28

Translation by Ben Ng with additional reporting

[Chinese version 中文版]

– Contact us at [email protected]


Hong Kong Economic Journal