Apple to Start Putting Sensitive Encryption Keys in China


Apple to Start Putting Sensitive Encryption Keys in China

Codes for Chinese users of iCloud will be kept in a secure location, company says

By Robert McMillan and Tripp Mickle Feb. 24, 2018 1:39 p.m. ET

When Apple Inc. next week begins shifting the iCloud accounts of its China-based customers to a local partner’s servers, it also will take an unprecedented step for the company that alarms some privacy specialists: storing the encryption keys for those accounts in China.

The keys are complex strings of random characters that can unlock the photos, notes and messages that users store in iCloud. Until now, Apple has stored the codes only in the U.S. for all global users, the company said, in keeping with its emphasis on customer privacy and security.

While Apple says it will ensure that the keys are protected in China, some privacy experts and former Apple security employees worry that moving the keys to China makes them more vulnerable to seizure by a government with a record of censorship and political suppression.

“Once the keys are there, they can’t necessarily pull out and take those keys because the server could be seized by the Chinese government,” said Matthew Green, a professor of cryptography at Johns Hopkins University. Ultimately, he says, “It means that Apple can’t say no.”

Apple says it is moving the keys to China as part of its effort to comply with a Chinese law on data storage enacted last year. Apple said it will store the keys in a secure location, retain control over them and hasn’t created any backdoors to access customer data. A spokesman in a statement added that Apple advocated against the new laws, but chose to comply because it “felt that discontinuing the [iCloud] service would result in a bad user experience and less data security and privacy for our Chinese customers.”

Apple’s move reflects the tough choice that has faced all foreign companies that want to continue offering cloud services in China since the new law. Other companies also have complied, including Microsoft Corp. for its Azure and Office 365 services, which are operated by 21Vianet Group , Inc., and Amazon.com Inc., which has cloud operating agreements with Beijing Sinnet Technology Co. and Ningxia Western Cloud Data Technology Co.

Amazon Web Services and Microsoft, which serve businesses in China, declined to say where encryption keys will be stored for businesses using their security tools there.

Privacy specialists are especially interested in Apple because of its enormous customer base and its history of championing customer privacy. Apple in 2016 fought a U.S. government demand to help unlock the iPhone of the gunman in the 2015 San Bernardino terrorist attack. “For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe,” Apple Chief Executive Tim Cook said then in a letter to customers explaining its decision.

Apple said it will provide data only in response to requests initiated by Chinese authorities that the company deems lawful and said it won’t respond to bulk data requests. In the first half of 2017, Apple received 1,273 requests for data from Chinese authorities covering more than 10,000 devices, according to its transparency report. Apple said it provided data for all but 14% of those requests.

Greater China is Apple’s second-most-important market after the U.S., with $44.76 billion in revenue in its last fiscal year, a fifth of the total. Some previous steps to comply with Chinese laws have been controversial, including removing apps from its China store for virtual private networks that can circumvent government blocks on websites. Apple has said it follows the law wherever it operates and hopes that the restrictions around communication in China are eventually loosened.

Jingzhou Tao, a Beijing-based attorney at Dechert LLP, said Chinese iPhone users are disappointed by Apple’s changes to iCloud data storage because privacy protection in China is weak. However, he said users there “still consider that iPhone is better than some other pure Chinese-made phones for privacy policy and protection.”

Apple’s cloud partner in China is Guizhou on the Cloud Big Data Industry Co., or Guizhou-Cloud, which is overseen by the government of Guizhou province. Apple plans to shift operational responsibility for all iCloud data for Chinese customers in China to Guizhou-Cloud by Feb. 28. Customer data will migrate to servers based in China over the course of the next two years. The company declined to say when the encryption keys would move to China.

Apple began notifying iCloud users in China last month that Guizhou-Cloud would be responsible for storing their data.

Updated terms and conditions for China users say that Apple and Guizhou-Cloud “will have access to all data” and “the right to share, exchange and disclose all user data, including content, to and between each other under applicable law.”

“Given that Apple’s China operations will be managed by a Chinese company, it seems implausible that the government will not have access to Apple data through the local company,” said Ronald Deibert, a political-science professor at the University of Toronto’s Munk School of Global Affairs who has researched Chinese government hacking operations.

Guizhou-Cloud and the Chinese cybersecurity administration didn’t immediately respond to requests for comment.

Reporters Without Borders has urged journalists in China to change their geographic region or close their accounts before Feb. 28, saying Chinese authorities could gain a backdoor to user data even if Apple says it won’t provide one.

Apple said it has advised Chinese customers that they can opt out of iCloud service to avoid having their data stored in China. Data for China-based users whose settings are configured for another country, or for Hong Kong and Macau, won’t go on Chinese servers, and Apple said it won’t transfer anyone’s data until they accept the new mainland-China terms of service.

Mr. Green and others say Apple should provide more technical details on its steps to secure its encryption keys and internet usage data that might be available on Guizhou-Cloud.

This usage information, called metadata, could tell Chinese authorities the identity of users who download a book or other files of interest to the government, said Joe Gross, a consultant on building data centers.

“You can tell whether people are uploading or downloading things,” he said “You can tell where they are. You may be able to tell whether they’re sharing things.”

Apple said there would need to be a legal request to obtain metadata.

—Yoko Kubota, Jay Greene and Xiao Xiao contributed to this article.

https://www.wsj.com/articles/apple-to-start-putting-sensitive-encryption-keys-in-china-1519497574


Comments

Post a Comment

Popular posts from this blog

BMW traps alleged thief by remotely locking him in car

BMW traps alleged thief by remotely locking him in car Stealer's Wheel? Seattle police department quotes "Watchmen" movie in a recap of the recent arrest. Tech Culture by Gael Fashingbauer Cooper December 4, 2016 5:00 PM PST It's maybe the most satisfying arrest we can imagine. Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal. Jonah Spangenthal-Lee, deputy director of communications for the Seattle Police Department, posted a witty summary of the event on the SPD's blog on Wednesday. Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (Nov. 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," Spangenthal-Lee wrote. The suspect found a ke...
Read more

Report: World’s 1st remote brain surgery via 5G network performed in China

World’s 1st remote brain surgery via 5G network performed in China Published time: 17 Mar, 2019 13:12 ·           A Chinese surgeon has performed the world’s first remote brain surgery using 5G technology, with the patient 3,000km away from the operating doctor. Dr. Ling Zhipei remotely implanted a neurostimulator into his patient’s brain on Saturday, Chinese state-run media  reports . The surgeon manipulated the instruments in the Beijing-based PLAGH hospital from a clinic subsidiary on the southern Hainan island, located 3,000km away. The surgery is said to have lasted three hours and ended successfully. The patient, suffering from Parkinson’s disease, is said to be feeling well after the pioneering operation. The doctor used a computer connected to the next-generation 5G network developed by Chinese tech giant Huawei. The new device enabled a near real-time connection, according to Dr. Ling.  “You barely feel that th...
Read more

New ATM's: withdraw money with veins in your finger

New cash machines: withdraw money with veins in your finger Cash machine technology that reads the pattern of finger veins is already available in Japan and Poland   By Telegraph Reporters 6:59PM BST 15 May 2014 Cash machines could soon be installed with devices that identify customers by reading the veins in their fingers. The technology is already being rolled out in Poland, where 1,730 cash machines will this year be installed with readers, negating the need for a debit card and Pin. Developed by Hitachi, the Japanese electronics firm, the machines read the patterns of the veins just below the surface of the skin on your finger using infra-red sensors. The light is partially absorbed by haemoglobin in the veins to capture a unique finger vein pattern profile, which is matched to a profile. The technology is used by Japanese banks and also in Turkey, offering “groundbreaking levels of accuracy and speed of authentication”, Hitachi said, which in t...
Read more