1 May 2020 | By DF
This is a 9-part essay series on Apple’s Success in China. Part 1 introduces the essay series. Part 2 explains Apple’s product-zeitgeist fit in China. Part 3 looks at product localization. Part 4 looks at Apple’s services in China and relationship with Tencent. Part 5 looks at the complexities of operating in China. Part 6 and Part 7 look at Apple’s compliance efforts in respect of the App Store and iCloud respectively. Part 8 looks at Apple’s investment in DiDi. Part 9 concludes with lessons from Apple’s experience in China.
There is as yet no comprehensive, authoritative account of Apple’s decision to comply with Chinese regulations requiring the data of Chinese iCloud users to be stored in China. The following is an attempt to reconstruct this series of events based on publicly available information. However, it is likely to be imperfect as the complex swirl of events make it difficult to tease out causality.
The Chinese government has long made clear its distrust towards the US government and US technology companies, most obviously in the Great Firewall, but also its general attempt to reduce reliance on US technology providers. This distrust is not unjustified: US intelligence agencies have the legal right to monitor foreign communications as they go through to US service providers and since most of the popular Internet services used by the rest of the world are made by U.S. companies, these foreign users are thus “a legal target for U.S. intelligence”.
This distrust was further fueled in the wake of the Snowden revelations in 2013. Among other things, these revelations alleged that the National Security Agency (NSA), as part of a previously undisclosed program called PRISM, “has obtained direct access to the systems” of US tech companies, including Apple.
Despite my best efforts and the time that has elapsed since the revelations, I was unable to come to a view on the exact nature of NSA’s collection activities—what kinds of data were collected, what was it used for, the knowledge and assistance of the various tech companies and so on. In fairness to Apple, its hardware-based business model is the least reliant on mass data collection. Nonetheless, the perception of Apple’s complicity with US surveillance efforts is enough to lead the Chinese government to take additional measures.
In August 2014, Apple confirmed that they had moved some of its iCloud data to servers operated by China Telecom, a state-owned telecommunications carrier. According to statement from a China Telecom business unit, Apple tested and evaluated their service for 15 months before choosing the company as “its first and only cloud provider in the country”. Apple tried to present this move as driven by user experience, arguing that it would “increase bandwidth and improve performance for [its] customers in mainland China”. But the better view is this is likely to be related to the Chinese government’s desire to keep Chinese user data within China, which is consistent with criticisms by Chinese state media concerning the privacy risks of iPhone discussed in Part 5.
It is unclear whether this first migration of encrypted iCloud data onto China was necessary to comply with Chinese laws at that point in time. Apple also further noted that the encryption keys were stored offshore and not available to China Telecom. From the perspective of safeguarding iCloud data from the Chinese government, if Apple remains in control of the encryption keys, government requests for user data must still go through Apple’s process. From the perspective of safeguarding iCloud data from the US government, if the data is stored directly on China Telecom’s servers and does not pass through American servers, US intelligence agencies do not have a legal right to monitor such data.
Obviously, the history of communication between Apple and the Chinese government is not publicly available. (Likewise, any communication between Apple and the US federal government or any rumored litigation between them in the secret FISA court are not publicly available.) It is known that Tim Cook met with Chinese Vice Premier Ma Kai on 22 October 2014 to discuss privacy and security. Days before the meeting, it was reported that Apple’s iCloud service in China was subject to a man-in-the-middle attack, allegedly conducted by the Chinese government. The meeting is probably scheduled in advanced and it is uncertain if the attack is meant to send what, if any, message.
In 2016, the Chinese government enacted the Cyber Security Law, which was implemented on 1 June 2017. The legal requirements are complex and unclear, even today. But they include mandating data localization by foreign firms and yearly reviews for businesses transferring over 1,000 GB of data. Apple advocated against iCloud being subject to this law, but was unsuccessful.
While iCloud is an optional feature of Apple’s hardware products, removing it would seriously impair the user experience and is thus not feasible. In order to comply with these legal requirements, in 2017, Apple entered into an agreement with Guizhou Cloud Big Data (云上贵州大数据产业发展有限公司), hereafter simply “GCBD”, a company co-founded by the Guizhou provincial government, to have the iCloud data of users with Apple ID in mainland China mirrored and backed up by GCBD’s servers. iCloud data of Apple IDs registered in Hong Kong, Taiwan, and Macau will be kept in Apple data centers in Japan and the US and were not affected by the data migration. Notice was given to Chinese Apple ID users, who had to agree to new terms of service. This migration took place on 28 February 2018. iCloud accounts in mainland China are now co-branded with the name of GCBD.((This is basically unprecedented for Apple, which is jealous about owning the customer experience.)) In July 2018, it is reported that GCBD entered into an agreement with China Telecom to move Apple user data to the latter’s servers. The significance of this later agreement is unclear.
On top of national security considerations, the Chinese government is likely motivated by industrial policy considerations.
GCBD is also a creature of the Chinese government’s industrial policy to promote Guizhou as a data center hub because of the region’s lack of development and availability of land, labor and hydroelectricity. Other Chinese companies, such as Huawei, Alibaba, China Telecom, China Mobile and China Unicom, “have already been operating data centers in the province, or have teamed up with [GCBD] to store data there”. As such, whereas most of the English-language coverage emphasizes the potential security and privacy risks, the industrial policy angle to compelling Apple to work with a local partner to manage the iCloud data of Chinese users should not be ignored.
Apple emphasizes that it “has strong data privacy and security protections in place and no backdoors will be created into any of our systems” and further clarified that only its employees have access to the encryption keys to the iCloud data stored on the servers of its Chinese partners. Thus, official data access requests by the government must still go through Apple.