Apple’s Success in China (Part 7): Moving iCloud to China

This is Part 7 of a 9-part essay series on Apple’s Success in China. Part 1 introduces the essay series. Part 2 explains Apple’s product-zeitgeist fit in China. Part 3 looks at product localization. Part 4 looks at Apple’s services in China and relationship with Tencent. Part 5 looks at the complexities of operating in China. Part 6 and Part 7 look at Apple’s compliance efforts in respect of the App Store and iCloud respectively. Part 8 looks at Apple’s investment in DiDi. Part 9 concludes with lessons from Apple’s experience in China.

To my knowledge, there is as yet no comprehensive, authoritative account of Apple’s decision to comply with Chinese regulations requiring the data of Chinese iCloud users to be stored in China. The following is an attempt to provide such an account as far as possible using publicly available information. However, it is likely to be imperfect, as the complex swirl of events makes it difficult to tease out causality.

Snowden Revelations

The Chinese government has long made clear its distrust towards the US government and US technology companies, most obviously in the Great Firewall, but also in its general attempt to reduce reliance on US technology providers. This distrust is not unjustified: US intelligence agencies have the legal right to monitor foreign communications as they pass through US service providers, and since most of the popular Internet services used by the rest of the world are made by U.S. companies, these foreign users are thus “a legal target for U.S. intelligence”.

This distrust was further fueled in the wake of the Snowden revelations in 2013. Among other things, these revelations alleged that the National Security Agency (NSA), as part of a previously undisclosed program called PRISM, “has obtained direct access to the systems” of US tech companies, including Apple.

Despite my best efforts and the time that has elapsed since the revelations, I was unable to come to a view on the exact nature of NSA’s collection activities: what kinds of data were collected, what it was used for, the knowledge and assistance of the various tech companies and so on. In fairness to Apple, its hardware-based business model is the least reliant on mass data collection. Nonetheless, the perception of Apple’s complicity with US surveillance efforts is enough to lead the Chinese government to take additional measures.

Migrating iCloud Data to China

In August 2014, Apple confirmed that it had moved some of its iCloud data to servers operated by China Telecom, a state-owned telecommunications carrier. According to a statement from a China Telecom business unit, Apple tested and evaluated their service for 15 months before choosing the company as “its first and only cloud provider in the country”. Apple tried to present this move as driven by user experience, arguing that it would “increase bandwidth and improve performance for [its] customers in mainland China”. But the better view is that this is likely to be related to the Chinese government’s desire to keep Chinese user data within China, which is consistent with criticisms by Chinese state media concerning the privacy risks of iPhone discussed in Part 5.

It is unclear whether this first migration of encrypted iCloud data to China was necessary to comply with Chinese laws at that point in time. Apple further noted that the encryption keys were stored offshore and not available to China Telecom. From the perspective of safeguarding iCloud data from the Chinese government, if Apple remains in control of the encryption keys, government requests for user data must still go through Apple’s process. From the perspective of safeguarding iCloud data from the US government, if the data is stored directly on China Telecom’s servers and does not pass through American servers, US intelligence agencies do not have a legal right to monitor such data.

Obviously, the history of communication between Apple and the Chinese government is not publicly available. (Likewise, any communication between Apple and the US federal government or any rumored litigation between them in the secret FISA court is not publicly available.) It is known that Tim Cook met with Chinese Vice Premier Ma Kai on 22 October 2014 to discuss privacy and security. Days before the meeting, it was reported that Apple’s iCloud service in China was subject to a man-in-the-middle attack, allegedly conducted by the Chinese government. The meeting was probably scheduled in advance, and it is uncertain what message, if any, the attack was meant to send.

In 2016, the Chinese government enacted the Cyber Security Law, which was implemented on 1 June 2017. The legal requirements are complex and unclear, even today. But they include mandating data localization by foreign firms and yearly reviews for businesses transferring over 1,000 GB of data. Apple advocated against iCloud being subject to this law, but was unsuccessful.

While iCloud is an optional feature of Apple’s hardware products, removing it would seriously impair the user experience and is thus not feasible. In order to comply with these legal requirements, in 2017, Apple entered into an agreement with Guizhou Cloud Big Data (云上贵州大数据产业发展有限公司), hereafter simply “GCBD”, a company co-founded by the Guizhou provincial government, to have the iCloud data of users with an Apple ID in mainland China mirrored and backed up by GCBD’s servers. iCloud data of Apple IDs registered in Hong Kong, Taiwan, and Macau are kept in Apple data centers in Japan and the US and were not affected by the data migration. Notice was given to Chinese Apple ID users, who had to agree to new terms of service. This migration took place on 28 February 2018. iCloud accounts in mainland China are now co-branded with the name of GCBD.[1] In July 2018, it was reported that GCBD entered into an agreement with China Telecom to move Apple user data to the latter’s servers. The significance of this later agreement is unclear.

Mixed Motives

On top of national security considerations, the Chinese government is likely motivated by industrial policy considerations.

GCBD is also a creature of the Chinese government’s industrial policy to promote Guizhou as a data center hub because of the region’s lack of development and availability of land, labor and hydroelectricity. Other Chinese companies, such as Huawei, Alibaba, China Telecom, China Mobile and China Unicom, “have already been operating data centers in the province, or have teamed up with [GCBD] to store data there”. As such, whereas most of the English-language coverage emphasizes the potential security and privacy risks, the industrial policy angle to compelling Apple to work with a local partner to manage the iCloud data of Chinese users should not be ignored.

Apple emphasizes that it “has strong data privacy and security protections in place and no backdoors will be created into any of our systems” and further clarified that only its employees have access to the encryption keys to the iCloud data stored on the servers of its Chinese partners. Thus, official data access requests by the government must still go through Apple.

However, as a result of this new law, Apple now stores these encryption keys within China, instead of offshore. The legal significance of this is unclear, but it has led commentators to argue that “Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users”.

What do the Numbers Say?

In order to verify these arguments, I have used statistics from Apple’s Transparency Report, which lists the number of account requests, device requests, and financial identifier requests. These three categories of statistics are chosen because the Chinese government has made a significant number of requests in these three categories. Apple defines these requests as:

  1. Account requests: these requests are based on account identifiers such as Apple ID or email address and generally seek information regarding customers’ Apple ID accounts, such as account holder name and address and account connections to Apple services – for example, law enforcement investigations where an account may have been used unlawfully. Account requests may also seek customers’ content data, such as photos, email, iOS device backups, contacts or calendars. These content data are likely to form the bulk of the user data stored on iCloud.
  2. Device requests: these requests are based on device identifiers such as Apple serial number, IMEI or MEID and generally seek information regarding customers associated with devices and device connections to Apple services – for example, law enforcement investigations on behalf of customers regarding lost or stolen devices. Additionally, Apple regularly receives multi-device requests related to fraud investigations.
  3. Financial identifier requests: these requests are based on financial identifiers such as credit/debit card or iTunes Gift Card and generally seek information regarding suspected fraudulent transactions – for example, law enforcement investigations on behalf of customers in which a credit card was fraudulently used to purchase Apple products or services.

The first two statistics are available from 2013 H1 to 2019 H1, whereas the third is available from 2016 H2 to 2019 H1.

An analysis of account requests shows that from 2013 H1 to 2015 H1, the total number of accounts specified in requests by the Chinese government in each period is fairly small (ranging from 2 to 85, with a median of 10 and average of 28.4). From 2015 H2 to 2019 H1, the number of accounts specified increased significantly (ranging from 585 to 35,491, with a median of 6,939 and an average of 11,534). The percentage of requests where some data is provided also exhibited a step change, with 2015 H2 marking the turning point at which the percentage increased substantially. It is not clear what might explain these changes.

Nonetheless, the data shows that in most instances, Apple only provides non-content data and, in this period of time, Apple has only provided content data in four requests. It might perhaps be worrying that these requests took place in 2018 H2 and 2019 H1, after the migration of iCloud data to GCBD in February 2018. Might this be the start of a trend? We can only await the release of statistics in subsequent time periods in order to make this judgment.

With this exception, if migrating iCloud data to China Telecom’s servers in August 2014 and to GCBD’s servers in 2018 H1 has affected how Apple has processed requests for iCloud data, these changes were mostly not reflected in these account requests statistics.

The data requested under device requests and financial identifier requests most likely do not fall under iCloud data. Looking at these statistics, there are far fewer discernible trends. The only remarkable pattern is that the percentage of device requests by the Chinese government where data was provided was lower than 80% prior to 2016 H2, after which it has been 80% or higher. The significance of this is unclear.

I also tried comparing how Apple processes requests by the Chinese government with how it processes those by other governments, but no clear pattern emerges.

On Cloud Key Vault

It should be noted that the above discussion applies only to iCloud data that are encrypted at rest and whose encryption keys are stored by Apple directly. It does not apply to Apple’s Cloud Key Vault, which is used to implement iCloud Keychain, a service for “storing passwords and keys for applications using a much stronger protection level than is used in the rest of iCloud”.

Briefly, the Cloud Key Vault uses a Hardware Security Module (HSM) to store encryption keys and users can access their own keys “if and only if they know their iCloud Keychain password, which is typically the same as the PIN/password on your iOS device. However, if anyone attempts to guess this PIN too many times, the HSM will wipe that user’s stored keys.” In this case, even Apple cannot unilaterally decrypt the data.

As far as I could tell, based on Apple’s official website, the language used in the Chinese version of iOS and so on, Cloud Keychain is available to Chinese iCloud users on the same terms as all other users. This is remarkable as it would imply some user data of Chinese users are being stored in a highly secure manner beyond the reach of even Apple itself. It is unclear whether this arrangement is in compliance with Chinese laws and regulations.

Understandably, this has led to speculation as to whether Apple might have re-designed the architecture of its Cloud Key Vault for Chinese users and whether Apple’s iCloud compliance efforts in China might influence its future designs of iCloud. For the most part, Apple has not been forthcoming with these technical details of iCloud and their corresponding trade-offs.

This, along with its compliance strategy in China generally, is likely to be a gray area to which Apple would prefer not to draw too much attention.

Conclusion

The account above is the most holistic attempt at reconstructing Apple’s decision to move the data of Chinese iCloud users to China based on publicly available information. As is obvious, many uncertainties remain. Nonetheless, I believe it is a good account of the types of trade-offs in play behind such a decision as well as a good glimpse into the business and policy considerations motivating Apple and various entities of the Chinese state respectively.

  1. This is basically unprecedented for Apple, which is jealous about owning the customer experience.