To Comply With Recent Legislation, Apple Is Now Storing Russian Users’ Data on Local Servers

Amy MacKinnon, Foreign Policy:[1]

Roskomnadzor, the Russian government agency that oversees media and telecommunications, has confirmed for the first time that Apple Russia is to adhere to a 2014 law that requires any company handling the digital data of Russian citizens to process and store it on servers physically located in Russia. Under Russian counterterrorism laws, Apple could be compelled to decrypt and hand over user data to security services on request.


It’s not clear what data Apple will store on its servers in Russia. The company’s registration with the media agency lists names, addresses, email addresses, and phone numbers as the kinds of user data it processes. Apple Russia’s registration documents, filed on Dec. 25, make no mention of its iCloud service, which can host user photos, videos, documents, contacts, and messages.

“Seems that something is hidden here because of course Apple collects more data,” said Sergey Medvedev, a senior lawyer with the Moscow-based law firm Gorodissky and Partners.

Russian law takes a broad interpretation of personal data and applies it to anything that could be used to identify individuals or their behavior. Photos, music, and e-book downloads would all indirectly be defined as personal data, said Medvedev, who specializes in internet and e-commerce law.

This is very similar to China’s requirements for iCloud, but it’s odd that the filing does not mention iCloud or its data types. It isn’t clear to me how Russia could expect to decrypt any user data with the exception of email, as it’s end-to-end encrypted in Russia the same way as it is anywhere else.

So far, it seems that Apple has been happy to move data to local servers so long as they get to maintain control over encryption and privacy practices. But what happens when a country passes a law that requires them to relinquish their ability to secure user data? Australia is in the process of doing so, but there’s no sign of a difference on Apple’s iCloud security page, so I’m not sure what to make of that situation at this point. Does Apple modify their encryption practices to satisfy a single country? Enabling such an egregious privacy violation sets a pretty dangerous precedent, I think, particularly for totalitarian states like Russia and China. Does Apple pull their services from Australia? I doubt it, but I suppose we’ll find out.

  1. Which, by the way, has one of the worst websites I’ve visited in a long time. In the time it took me to read the article, write this post’s title, and write the preceding words in this footnote alone, over a thousand HTTP requests have been made. Scorecard, Chartbeat, Quantserve, and so many other analytics scripts produce hundreds of requests every minute. There’s simply no reason any website needs to have such granular or frequent measurements. The only reason I’m sending you, valuable reader, to Foreign Policy is because they were the first to report this story and they have the best explanation. The page is now well over two thousand HTTP requests deep, and on its way to three thousand. I strongly recommend that you have a content blocker switched on.