
How China made Apple store iCloud user encryption keys on Chinese government servers

Russia and China require commercial companies to store the personal data of local users on their territory. The European Union also restricts the transfer of personal data abroad. This is done to protect citizens' privacy. Under the GDPR, the Internet company, telecom operator or other company that collects user data is considered a temporary “custodian” of that data, acting in the user's interests, with the user's consent and on the user's instructions. After a period of time, the company is obliged to delete this data automatically. Any movement of the data happens only with the user's permission, and all procedures are transparent. In Russia and China, the spirit and the letter of the law differ somewhat from the GDPR.

However, foreign companies have to comply with local legislation, otherwise they face serious sanctions: from fines to a total ban on commercial activity in the country. And while the Russian market can often be neglected, losing the Chinese market would be a disaster for a large IT company. That is why Google, Apple and others are forced to obey the requirements of the PRC.

On July 17, 2018, the Chinese data center operator Tianyi (a division of the state-owned operator China Telecom) signed an agreement for storing the data of Chinese users of the Apple iCloud service. All information, including user encryption keys, is now stored on state servers.


Signing an agreement between Tianyi and Guizhou-Cloud Big Data (GCBD)
The agreement was signed with Guizhou-Cloud Big Data (GCBD), which Apple initially chose to store data in China. Apple signed an agreement with GCBD earlier this year, and GCBD has already transferred this right to Tianyi and China Telecom.

The migration of users' personal data to Chinese servers has raised concerns among some observers. They fear that it will now be easier for the authorities to obtain the encryption keys of users whom the state apparatus is working against. Before the migration, all keys were stored on servers in the United States, so accessing personal data required going through the American legal system.

Apple has always kept the encryption keys for iCloud users. Under this arrangement, the data on the servers is stored in encrypted form, but Apple is able to decrypt it if necessary (for example, at the request of a user who has forgotten the password). This does happen from time to time. Apple obediently complies with orders from US courts and requests from the FBI, handing over users' personal data. One may recall the story of the San Bernardino shooter's iPhone 5c, where Tim Cook strongly opposed helping the FBI decrypt the information (the FBI had to resort to third-party hackers), but that case was about unlocking the phone itself, not about iCloud data. The US intelligence services have never had problems getting access to cloud information, and now the Chinese ones will have none either.

When the decision was made in February of this year, Apple explained the transfer of iCloud user data by the need to comply with local law. The company stressed that the legislation applies only to residents of mainland China who chose China as their main country of residence when registering an Apple account. The requirements do not apply to residents of Hong Kong, Macau or Taiwan, or to all other Chinese users who prudently indicated a different location as their “main country”.

It is not entirely clear whether it is possible to “opt out” of data storage in your own country by changing the settings of your Apple account right now and specifying another country as your country of residence. TechCrunch recommends that users in this situation create a new account that lists another country, as this is the safest option for their data.

Similar requirements apply in Russia, although local authorities do not have much leverage over American corporations. It’s hard to imagine that in Russia they can prohibit the sale of iPhones or block access to Google or Facebook, so negotiations with US companies are sluggish. American companies understand that the law should be formally implemented, but no one can force them.

Source: https://habr.com/ru/post/417559/

