Despegar 6 years ago

Apple has already publicly said in court filings, and under threat of perjury, that they don't make any exceptions for China.

From Apple's filing [1]:

>Finally, the government attempts to disclaim the obvious international implications of its demand, asserting that any pressure to hand over the same software to foreign agents “flows from [Apple’s] decision to do business in foreign countries . . . .” Opp. 26. Contrary to the government’s misleading statistics (Opp. 26), which had to do with lawful process and did not compel the creation of software that undermines the security of its users, Apple has never built a back door of any kind into iOS, or otherwise made data stored on the iPhone or in iCloud more technically accessible to any country’s government. See Dkt. 16-28 [Apple Inc., Privacy, Gov’t Info. Requests]; Federighi Decl. ¶¶ 6–7. The government is wrong in asserting that Apple made “special accommodations” for China (Opp. 26), as Apple uses the same security protocols everywhere in the world and follows the same standards for responding to law enforcement requests. See Federighi Decl. ¶ 5.

and a declaration from Craig Federighi personally [2]:

>Apple uses the same security protocols everywhere in the world.

>Apple has never made user data, whether stored on the iPhone or in iCloud, more technologically accessible to any country's government. We believe any such access is too dangerous to allow. Apple has also not provided any government with its proprietary iOS source code. While governmental agencies in various countries, including the United States, perform regulatory reviews of new iPhone releases, all that Apple provides in those circumstances is an unmodified iPhone device.

>It is my understanding that Apple has never worked with any government agency from any country to create a "backdoor" in any of our products and services.

>I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct.

When China wants something from iCloud they do it the same way that law enforcement does it everywhere in the world, which is through Apple.

[1] https://assets.documentcloud.org/documents/2762131/C-D-Cal-1...

[2] https://www.documentcloud.org/documents/2762118-Federighi-De...

  • cynix 6 years ago

    > It is my understanding that Apple has never worked with any government agency from any country to create a "backdoor" in any of our products and services.

    So Craig's declaration is not that they haven't created any backdoors for governments, just that he doesn't know of any.

    • Despegar 6 years ago

      That's an uncharitable reading of an extremely clear statement. And it's also understandable why it's less affirmative. He's being conservative because he can't speak for what everyone who works for him may or may not have done, for example a rogue employee.

      The main Apple filing is unequivocal:

      >Apple has never built a back door of any kind into iOS, or otherwise made data stored on the iPhone or in iCloud more technically accessible to any country’s government. The government is wrong in asserting that Apple made “special accommodations” for China (Opp. 26), as Apple uses the same security protocols everywhere in the world and follows the same standards for responding to law enforcement requests.

    • lern_too_spel 6 years ago

      Craig's declaration might have been true in 2016 when he made it. It definitely has not been true since 2018. https://www.amnesty.org/en/latest/news/2018/02/5-things-you-...

      • Despegar 6 years ago

        Replying to this just for anyone else that reads this later:

        Tim Cook confirmed this was still the case in this 2018 interview with Vice.

        https://www.youtube.com/watch?v=VD1cP8SK3Q0&feature=youtu.be...

        • vatueil 6 years ago

          Transcript of relevant section:

          https://youtu.be/VD1cP8SK3Q0?t=244

          > VICE News: In terms of privacy as a human right, does that apply to how you do business in China?

          > Apple CEO Tim Cook: It absolutely does. Encryption for us is the same in every country in the world. We don't design encryption for, you know, for the US and do it differently everywhere else. It's the same. And so to send a message in China, it's encrypted. I can't produce the content. I can't produce it in the United States either. If you lock your phone in China, I can't open it.

          > The thing in China that some people have confused is certain countries, and China's one of them, has a requirement that data from local citizens has to be kept in China. We worked with a Chinese company to provide iCloud. But the keys, which are- which is the "key" so to speak, pardon the pun, are ours.

          > VICE: But haven't they moved to China, meaning it's much easier for the Chinese government to get to them?

          > Cook: No, I wouldn't- I wouldn't get caught up in the, uh, "where's the location" of it. I mean, we have servers located in many different countries in the world. It's- they're not easier to get data, uh, from being in one country versus the next. The key question is, how does the encryption process work, and who owns the keys if anyone. In most cases for us, you and the receiver own the keys.

          VICE interviews are not held under penalty of perjury, of course, but we may give Apple's CEO the benefit of the doubt.

          As Mr. Cook acknowledges, Apple did make significant changes to iCloud data storage for Chinese users, though he suggests in "most cases" users have control over encrypted data. The encryption angle was addressed in the article from Amnesty International as well.

          Since the changes to iCloud for Chinese users in 2018 postdate the court filings in 2016, it does seem reasonable to feel less confidence in previous assurances with regards to China. They are not as ironclad as "threat of perjury" might suggest, at least.

          • Despegar 6 years ago

            Anyone that's expecting Apple to annually refresh their statements about this under oath to not be considered compromised is probably acting in bad faith.

            The first time was good enough for anyone that actually wants to know if Apple had to make compromises to be in China. The answer is no and the reason why is obvious, Apple has some leverage in being a major employer and a highly visible American company operating in China.

            Apple's press statements as well as that on-the-record interview with the CEO are perfectly consistent with the court filings.

            >Originally, iCloud data was stored on Apple-controlled servers, with the Cupertino company holding the encryption keys. Apple announced a year ago that this would change to comply with new laws in China, and that data for Chinese iCloud accounts would be moved to a server run by Guizhou-Cloud Big Data (GCBD), a company owned by the provincial government.

            >However, I have spoken to Apple today, who confirmed that it still holds the encryption keys, and states categorically that they have not been made available to either GCBD or China Telecom.

            https://9to5mac.com/2018/07/18/chinese-icloud-data-china-tel...

            And the use of multiple zero day exploits to target the Uyghurs basically confirms that China doesn't have direct, backdoor access to Apple products.

            • lern_too_spel 6 years ago

              > And the use of multiple zero day exploits to target the Uyghurs basically confirms that China doesn't have direct, backdoor access to Apple products.

              Nobody claimed that the Chinese government has backdoor access to the phones themselves. They do have complete access to Chinese users' iCloud and iMessage data.

            • vatueil 6 years ago

              Doesn't it also paint an incomplete picture to present Apple's reassurances as backed by penalty of perjury when the most significant developments took place long after those statements in question? The fact that the iCloud China controversy happened years after those court filings was not disclosed in the original comment.

              The concerns expressed by human rights groups such as Amnesty International are nothing so blatant as a direct backdoor, but the erosion of layers of protection that extend beyond technical measures. As the previously cited report notes:

              https://www.amnesty.org/en/latest/news/2018/02/5-things-you-...

              > Apple says it has control over encryption keys and that it won't allow backdoors. Won't that protect users in China?

              > It all depends on the circumstances under which the company will allow GCBD – and the Chinese authorities – access to intelligible decrypted data on iCloud users. When users accept [the terms of service for iCloud in China](https://www.apple.com/legal/internet-services/icloud/en/gcbd...), they agree to allow their information and content to be turned over to law enforcement “if legally required to do so”. Significantly, from now on Apple will store the encryption keys for Chinese users in China, not in the US – making it all but inevitable that the company will be forced to hand over decrypted data so long as the request complies with Chinese law.

              > Given that many provisions of Chinese law offer inadequate protection to privacy, freedom of expression and other rights, simply checking whether government information requests comply with Chinese law doesn’t address whether complying with the request might contribute to human rights violations. Apple hasn’t confirmed whether or how it will assess whether government information requests might violate users’ human rights. We won't really know how Apple will respond until it's put to the test, and unfortunately that’s probably just a matter of time.

              > As for “backdoors”, or technical measures that would allow law enforcement or other government agencies to access unencrypted user data without having to ask for it, Apple’s commitment to prevent their use is admirable. But the commitment is meaningless if law enforcement can get the companies to decrypt user information simply by saying that it is for a criminal investigation.

        • lern_too_spel 6 years ago

          Cook confuses iMessage security with iCloud security in this interview, whether on purpose or out of ignorance. Yes, only the users have the private keys in the iMessage case, but this doesn't matter in practice because Apple (or for Chinese users, China) controls the server that distributes the public keys, allowing the Chinese government to eavesdrop on any conversation involving at least one Chinese party trivially. By pretending that only where the iMessage private keys are is an issue, he also distracts the interviewer from the fact that China gets to determine when to decrypt any Chinese user's iCloud data, which Apple itself had already confirmed to Reuters. https://www.reuters.com/article/china-apple-icloud/rpt-insig...

Spooky23 6 years ago

For Chinese users, iCloud is operated by Cloud Big Data Industrial Development Co., Ltd.

My understanding is that Chinese users in mainland China have a different set of product terms that are vague or silent about certain privacy features or what the Chinese partner does.

If you are a foreigner, you use the Apple owned service.

What I don’t know is where your connection terminates. With Microsoft, depending on the type of cloud, Office 365 TLS connections terminate at a local Microsoft point of presence. So you are in clear text outside of your jurisdiction for a limited period of time. (Not sure about China, but I’ve verified for other countries.)

Bottom line, if I had information of interest to Chinese interests, I wouldn’t expose an account with that data there or would get real paid advice about how to do it.

  • 29_29 6 years ago

    Thanks for the response, it would be great if this is the case but is this actually true? I'd like to read this from Apple, or an Apple spokesperson.