What happens when an unstoppable force meets an immovable object? We may be witnessing the answer with Apple, a long-time privacy advocate, acceding to Chinese demands on access to its iCloud services in the country.
China is not big on privacy. The Communist Party government in the People’s Republic is currently in the process of developing a so-called “social credit system” for its citizens, which will use various forms of data, much of it personal and obtained through mass surveillance, to establish a national “reputation” database.
That might sound like something from a dystopian TV drama, but bit by bit, Xi Jinping’s government has been legislating to bring about such a reality. One example is the new cybersecurity law introduced last summer, one of the provisions of which requires companies that hold the data of Chinese citizens to store that data on Chinese servers and effectively make it available to the Chinese government.
Apple, the world’s largest IT company by revenue, is big on privacy. The California-based tech superpower has doggedly refused various FBI and US government requests to extract data from locked iPhones, most notably in 2016 when the FBI wanted to extract data from the iPhone of one of the terrorists from the 2015 San Bernardino attack.
The pioneering company regularly promotes its own privacy and encryption standards — in 2016, CEO Tim Cook sent a public letter talking about the intrinsic importance of privacy to Apple.
“Here’s the situation,” said Cook, in an interview around the same time. “On your iPhone today, there is likely health information, financial information, there are intimate conversations with family and co-workers and there are probably business secrets and you should have the ability to protect it.”
Except, it seems, in China, where the company earns tens of billions of dollars a year. From today (February 28), Apple is transferring the operation of its iCloud service for Chinese users to a local, state-owned firm called Guizhou-Cloud Big Data (GCBD).
That means that the Chinese government will now have far easier access to whatever Chinese users store on Apple’s cloud services within the country. Privacy advocates and human rights activists are appalled but Apple claims that not agreeing to the move would have actually led to less privacy and security for its Chinese users.
The Apple of China’s omnipresent eye
The move has been in the offing since last year, when Apple and GCBD announced a partnership agreement. Apple wrote in an email to its users in mainland China that the move “enables us to continue improving the speed and reliability of iCloud and to comply with Chinese regulations.”
Those Chinese regulations show scant regard for users’ rights to privacy, particularly if Chinese police or government officials argue that “national security” is at stake. For example, if Chinese authorities approach GCBD in the future about accessing the data of a Chinese-based iCloud user for a criminal investigation, the company has a legal obligation to provide access.
Access is provided to iCloud accounts via cryptographic keys and until now, all such keys have been based on US servers, meaning any attempts — by China or anyone else — to access them had to go through the US legal system.
However, Apple’s acquiescence to the Chinese means that for the first time, those keys will be stored on Chinese servers meaning access to them is subject to Chinese legal processes only.
“While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,” Apple said. It claims it will still maintain control over encryption keys for users, but it is hard to square that claim with the fact that access will now be a mere Chinese legal ruling away for whatever entity in China pursues it.
Likewise, Apple’s claim that there will be no “backdoors” — ways for hackers to access iCloud accounts by copying or learning from how others were accessed — is largely irrelevant, given that users’ accounts will be easily accessed through legal means.
Human rights groups such as Amnesty International and Human Rights Watch have heavily criticized the move by Apple, while Jeremy Daum, an attorney and research fellow at Yale Law School’s Paul Tsai China Center in Beijing, told Reuters that any attempts by Apple to block Chinese access will be easily overcome.
“Even very early in a criminal investigation, police have broad powers to collect evidence,” he said. “(They are) authorized by internal police procedures rather than independent court review, and the public has an obligation to cooperate.”
Profit before privacy?
To be fair to Apple, it has given its Chinese users plenty of notice of the change. It also says it will not switch customers’ accounts to the Chinese data center until they agree to new terms of service — something 99.9 percent of users have already done — and has reminded them that they can opt out of iCloud if not happy with the new arrangements.
As well as that, Apple has until now been seemingly resilient in resisting attempts from the Chinese government to access user data, saying it turned down all 176 requests from the Chinese government from mid-2013 to mid-2017, before the new Chinese cybersecurity laws came into place.
The softening since towards Chinese surveillance must be seen in the context of Apple’s increasing business presence in the world’s second largest economy. Apple recently returned to growth in China after a period of stagnation, taking in $9.8 billion (€8.02 billion) in revenue in the third quarter of 2017.
China is a huge potential growth market for Apple and the latest bow to Chinese legislation follows last year’s move by the company to remove VPN apps from its app store in China, VPNs being devices used to hide an internet user’s information. Apple has also been criticized for blocking Chinese users’ access to the different news apps, a move reflective of China’s strict censorship culture.
Other large US tech companies, such as Amazon and Microsoft, have made similar concessions to China recently, in an attempt to further access the market there.
Apple often talks of its “values,” privacy high among them. Discarding some of those “values” appears to be the price that must be paid if a large international company wants to maximize its business in Xi Jinping’s China.