Throughout the West, Apple has rankled the targeted advertising industry with its recent changes that emphasize end user privacy. Between that and its steadfast refusal to assist US law enforcement agencies in breaking iPhone encryption, Apple has built its brand on being the most secure and user-focused option in the mobile device market. However, the company’s dealings across the Pacific tell a different story. Faced with unrelenting policy, Apple has reportedly turned over servers containing iCloud data to the charge of the Chinese government.
A recent New York Times report has found that Apple is moving some of the personal data of Chinese customers to a data center in Guiyang that is owned and operated by the Chinese government. State employees physically manage the facility and servers and have direct access to the data stored there; Apple has already abandoned encryption in China due to state limitations that render it ineffective.
Chinese government dictates data access terms to Apple
Doing business in China usually means capitulation to the terms of the Chinese government, and foreign companies interested in this highly lucrative market generally do not push back much (if at all). Those terms include allowing the government access to any personal data that it wants that is stored on servers located within China, the inverse of the position that Apple has taken toward government access in the United States. Chinese national security law not only mandates this absolute access to personal data, but new legislation that went into effect at the start of 2020 also requires that commercial entities maintain encryption backdoors or key escrows for government use.
Apple had already moved the digital encryption keys that secure iCloud data to China; this final step of moving user data to Chinese government-run servers simply cuts out whatever was left of the middleman. Not only is Apple inextricably tied to China due to basing most of its manufacturing there, the Chinese market is now also the source of 1/5 of Apple’s global revenue and is expected to continue growing.
This is not the first compromise Apple has made to placate China. Apple routinely removes apps from the Chinese version of the App Store that the government might disapprove of, has removed emojis that might be politically controversial in the country (such as the flag of Taiwan), removes VPN apps that might allow users to circumvent the “Great Firewall of China,” and has removed artists from iTunes that make reference to the Tiananmen Square protests in their music. These censorship measures date back to at least 2017.
The New York Times cites current and former Apple employees in saying that Apple CEO Tim Cook is the one who has ultimately approved the removal of controversial apps and the move of data to Chinese government servers. The decisions create obvious public dissonance given the principles that Apple markets itself on. Though the company may do these things solely to maintain its business interests in the country, the censorship apparatus it has created to manage its estimated 230 million Chinese device users now effectively functions as an arm of the country’s ruling party.
iCloud data freely available to Chinese officials, even if encrypted
Apple joined many American tech companies in moving manufacturing to China in the early 2000s, but it has doubled down in the past decade in such a way that it is extremely difficult for it to relocate to another country. The Chinese government poured billions of dollars into creating manufacturing infrastructure and facilities for Apple and facilitated the movement of millions of migrant workers needed to keep the company’s operations humming. The New York Times report indicates that Apple seems to have either not been aware of or simply not cared about the leverage that this would give the Chinese government over their operations. Apple supply chain consultant Doug Guthrie, who worked from the company from 2014 to 2019 on foreign manufacturing operations, is quoted as saying there was no “Plan B” if Chinese authorities used this leverage to make onerous or even compromising demands.
The Times report says that there is presently no evidence that the Chinese government has used the stored keys to access iCloud data, but that all of the pieces are in place for it to do so whenever it chooses to. This move precludes the need for government officials to demand the data of Chinese citizens from Apple, something that it does sometimes push back on in limited cases where the company might also be in violation of US law if it complies (some 42 identified by the Times).
Apple isolates the servers that hold the iCloud data of Chinese citizens from the rest of the world, so the Chinese government should not have access to user data of those who live outside of the country. The shift of iCloud data to the Chinese servers is scheduled for next month. Apple does not have the option of moving the iCloud data stored in Chinese accounts out of the country due to a 2017 law that requires all China-based “personal information and important data” to be stored within the country. Apple has refuted the Times story, saying that it has “never compromised” the security of its users and that iCloud services in China have “sophisticated protections.” The company also claims that it still controls the encryption keys for individual accounts.