Jack Nicas, Raymond Zhong, and Daisuke Wakabayashi, New York Times:
Internal Apple documents reviewed by The New York Times, interviews with 17 current and former Apple employees and four security experts, and new filings made in a court case in the United States last week provide rare insight into the compromises Mr. Cook has made to do business in China. They offer an extensive inside look — many aspects of which have never been reported before — at how Apple has given in to escalating demands from the Chinese authorities.
Mr. Cook often talks about Apple’s commitment to civil liberties and privacy. But to stay on the right side of Chinese regulators, his company has put the data of its Chinese customers at risk and has aided government censorship in the Chinese version of its App Store. After Chinese employees complained, it even dropped the “Designed by Apple in California” slogan from the backs of iPhones.
This report is pretty damning of the Chinese government’s policies, but its specific highlighting of Apple is on shakier ground. All companies operating in China face the same requirements and must observe the same laws. While Apple is powerful enough to delay and bargain for exceptions, it had to eventually comply, and June is apparently its agreed-upon deadline for storing Chinese users’ data in a government-run data centre.
But, while it is not the only company that is following these rules, it is the only company in such a unique predicament: no company is quite as large, no company of a similar scale has the same outspoken stance on privacy, and no other company relies so much on a supply chain centred in China. If Apple were not involved in hardware and software and services, it would have less complicity but, also, less potential influence. It looks like that balance is tipping in the direction of this combination being a liability in the country.
The Chinese government regularly demands data from Chinese companies, often for law-enforcement investigations. Chinese law requires the companies to comply.
U.S. law has long prohibited American companies from turning over data to Chinese law enforcement. But Apple and the Chinese government have made an unusual arrangement to get around American laws.
Under the new setup, Chinese authorities ask GCBD — not Apple — for Apple customers’ data, Apple said. Apple believes that gives it a legal shield from American law, according to a person who helped create the arrangement. GCBD declined to answer questions about its Apple partnership.
This arrangement has been reported before; what wasn’t clear is why it was structured this way. Now we know. iCloud in China is operated less like an Apple service that occasionally provides access to government demands, and more like a government service for which Apple creates front-end features. Apple even had to use a different kind of encryption in China:
The digital keys that can decrypt iCloud data are usually stored on specialized devices, called hardware security modules, that are made by Thales, a French technology company. But China would not approve the use of the Thales devices, according to two employees. So Apple created new devices to store the keys in China.
According to the Times, Apple says that the encryption technology it uses in China is “more advanced” than used anywhere else. The extent to which that may be true is unclear. It appears to be proprietary, and security researchers interviewed by the Times raised concerns about its design and implementation.
Matthew Green, one of the researchers quoted by the Times, expanded on this in a Twitter thread:
It’s really hard to know what to make of this. There are two good theories:
China does not trust western HSM hardware to keep them safe.
China felt the Thales HSMs were *too* safe, ie they would be difficult to for China to access.
Or, perhaps, both.
I find that much of the reporting on China in the Canadian and U.S. press, in particular, tends to simplify our understanding of the country as “evil” with little nuance. Laws like the local storage requirement are entirely sensible; it is wildly myopic to think that all of our stuff should be stored on U.S. servers. And, as we have seen, the U.S. also surveils its citizens.
But it would be a mistake to equate the two countries’ policies. For a start, only one country’s government is currently committing genocide. I may find it okay that iCloud data is stored in the same country as users, but that is because I live in a country that ranks similarly to the U.S. on freedom indices, if not better. There are many reasons why someone may prefer for their profile to be U.S.-hosted. I certainly find it worrisome that authorities in China have effectively taken control over iCloud data — but that is not unique to iCloud nor Apple in China. It is kind of the same story with the App Store: I do not think regulations that prohibit some kinds of apps are inherently wrong, but while those laws are onerous in China, Apple is not the only company that must abide by them.
I think it is reasonable to argue that Apple ought to pull out of the market instead of complying with these onerous laws that make it complicit in the surveillance and potential persecution of its users in China. That would allow it to maintain its stance that privacy is a fundamental human right, even though it does nothing to change the minds of the Chinese government. But if it were to stop operating in China, it risks the operation of its supply chain — and that is no small compromise. As a former liaison for Apple in China said, there is no real Plan B there — or, perhaps, there was no Plan B. One imagines the situation has shifted enough that there are many contingency plans.