Apple to Start Putting Sensitive Encryption Keys in China
Codes for Chinese users of iCloud will be kept in a secure location, company says
By Robert McMillan and Tripp Mickle Feb. 24, 2018 1:39 p.m. ET
When Apple Inc. next week begins shifting the iCloud accounts of its China-based customers to a local partner’s servers, it also will take an unprecedented step for the company that alarms some privacy specialists: storing the encryption keys for those accounts in China.
The keys are complex strings of random characters that can unlock the photos, notes and messages that users store in iCloud. Until now, Apple has stored the codes only in the U.S. for all global users, the company said, in keeping with its emphasis on customer privacy and security.
While Apple says it will ensure that the keys are protected in China, some privacy experts and former Apple security employees worry that moving the keys to China makes them more vulnerable to seizure by a government with a record of censorship and political suppression.
“Once the keys are there, they can’t necessarily pull out and take those keys because the server could be seized by the Chinese government,” said Matthew Green, a professor of cryptography at Johns Hopkins University. Ultimately, he says, “It means that Apple can’t say no.”
Apple says it is moving the keys to China as part of its effort to comply with a Chinese law on data storage enacted last year. Apple said it will store the keys in a secure location, retain control over them and hasn’t created any backdoors to access customer data. A spokesman in a statement added that Apple advocated against the new laws, but chose to comply because it “felt that discontinuing the [iCloud] service would result in a bad user experience and less data security and privacy for our Chinese customers.”
Apple’s move reflects the tough choice that has faced all foreign companies that want to continue offering cloud services in China since the new law. Other companies also have complied, including Microsoft Corp. for its Azure and Office 365 services, which are operated by 21Vianet Group, Inc., and Amazon.com Inc., which has cloud operating agreements with Beijing Sinnet Technology Co. and Ningxia Western Cloud Data Technology Co.
Amazon Web Services and Microsoft, which serve businesses in China, declined to say where encryption keys will be stored for businesses using their security tools there.
Privacy specialists are especially interested in Apple because of its enormous customer base and its history of championing customer privacy. Apple in 2016 fought a U.S. government demand to help unlock the iPhone of the gunman in the 2015 San Bernardino terrorist attack. “For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe,” Apple Chief Executive Tim Cook said then in a letter to customers explaining its decision.
Apple said it will provide data only in response to requests initiated by Chinese authorities that the company deems lawful and said it won’t respond to bulk data requests. In the first half of 2017, Apple received 1,273 requests for data from Chinese authorities covering more than 10,000 devices, according to its transparency report. Apple said it provided data for all but 14% of those requests.
Greater China is Apple’s second-most-important market after the U.S., with $44.76 billion in revenue in its last fiscal year, a fifth of the total. Some previous steps to comply with Chinese laws have been controversial, including removing apps from its China store for virtual private networks that can circumvent government blocks on websites. Apple has said it follows the law wherever it operates and hopes that the restrictions around communication in China are eventually loosened.
Apple’s cloud partner in China is Guizhou on the Cloud Big Data Industry Co., or Guizhou-Cloud, which is overseen by the government of Guizhou province. Apple plans to shift operational responsibility for all iCloud data for Chinese customers in China to Guizhou-Cloud by Feb. 28. Customer data will migrate to servers based in China over the course of the next two years. The company declined to say when the encryption keys would move to China.
Apple began notifying iCloud users in China last month that Guizhou-Cloud would be responsible for storing their data.
Updated terms and conditions for China users say that Apple and Guizhou-Cloud “will have access to all data” and “the right to share, exchange and disclose all user data, including content, to and between each other under applicable law.”
“Given that Apple’s China operations will be managed by a Chinese company, it seems implausible that the government will not have access to Apple data through the local company,” said Ronald Deibert, a political-science professor at the University of Toronto’s Munk School of Global Affairs who has researched Chinese government hacking operations.
Guizhou-Cloud and the Chinese cybersecurity administration didn’t immediately respond to requests for comment.
Reporters Without Borders has urged journalists in China to change their geographic region or close their accounts before Feb. 28, saying Chinese authorities could gain a backdoor to user data even if Apple says it won’t provide one.
Apple said it has advised Chinese customers that they can opt out of iCloud service to avoid having their data stored in China. Data for China-based users whose settings are configured for another country, or for Hong Kong and Macau, won’t go on Chinese servers, and Apple said it won’t transfer anyone’s data until they accept the new mainland-China terms of service.
Mr. Green and others say Apple should provide more technical details on its steps to secure its encryption keys and internet usage data that might be available on Guizhou-Cloud.
This usage information, called metadata, could tell Chinese authorities the identity of users who download a book or other files of interest to the government, said Joe Gross, a consultant on building data centers.
“You can tell whether people are uploading or downloading things,” he said. “You can tell where they are. You may be able to tell whether they’re sharing things.”
Apple said there would need to be a legal request to obtain metadata.
—Yoko Kubota, Jay Greene and Xiao Xiao contributed to this article.