How China made Apple store iCloud user encryption keys on Chinese state servers

    Russia and China require commercial companies to store the personal data of local users on their territory. The European Union also restricts the transfer of personal data abroad. This is done to protect the privacy of citizens. Under the GDPR, an Internet company, telecom operator or other company that collects user data is considered a temporary “custodian” of this data, acting in the interests of the user, with the user's consent and on the user's instructions. After some time, the company is obliged to automatically delete this data. Any movement of the data is made only with the permission of the user, and all procedures are transparent. In Russia and China, the spirit and letter of the law are somewhat different from the GDPR.

    However, foreign companies have to comply with local laws, otherwise they will face serious sanctions: from a fine to a complete ban on commercial activities in the country. And while the Russian market can often be neglected, the loss of the Chinese market would be a disaster for a large IT company. That is why Google, Apple and the rest are forced to comply with China's requirements.

    On July 17, 2018, the Chinese data center operator Tianyi (a division of the state-owned operator China Telecom) signed an agreement to store the data of Chinese Apple iCloud users. All information, including user encryption keys, is now stored on state servers.


    Signing an agreement between Tianyi and Guizhou-Cloud Big Data (GCBD)

    The agreement is signed with Guizhou-Cloud Big Data (GCBD), which Apple originally chose to store data in China. An agreement was signed with GCBD earlier this year, and GCBD has already transferred this right to Tianyi and China Telecom.

    The migration of user data to Chinese servers raised concerns among some observers. They fear that it will now be easier for the authorities to obtain the encryption keys of those users against whom the state apparatus is working. Prior to the migration, all keys were stored on servers in the USA, so accessing personal data required going through the American legal system.

    Apple has always kept encryption keys for iCloud users. The data on the servers is stored in encrypted form, but Apple has the ability to decrypt it if necessary (for example, at the request of a user who forgot the password). This happens from time to time. Apple obediently complies with U.S. court orders and FBI requests to provide users' personal information. One can recall the story of the San Bernardino shooter's iPhone 5c, where Tim Cook strongly opposed decrypting the information for the FBI (which had to resort to the help of third-party hackers), but that case was about unlocking the phone itself, not about iCloud data. American intelligence has never had problems with access to cloud information, and now the Chinese will not either.

    When the decision was made in February this year, Apple explained the need to transfer iCloud users' data by saying that it is forced to comply with local laws. The company emphasized that the legislation only applies to residents of mainland China who choose China as their main country of residence when registering an Apple account. The requirements do not apply to residents of Hong Kong, Macau or Taiwan, or to all other Chinese users who prudently indicated a different location as the “main country”.

    It’s not entirely clear whether it is possible to “refuse” to have data stored in your own country by changing the settings of your Apple account right now and specifying a different state as your country of residence. TechCrunch recommends creating a new account indicating another country in this situation - this is the safest option for your data.

    Similar requirements apply in Russia, although local authorities do not have as many levers of pressure on American corporations. It is hard to imagine that Russia could ban the sale of iPhones or block access to Google or Facebook, so negotiations with US companies are sluggish. American companies understand that the law must be formally implemented, but no one can force them.
