Apple’s China Data Conundrum

Where there are servers, data resides.

And where there’s data, value exists too — value that may prove alluring to individuals, companies, even governments.

By shifting some of its iCloud operations to the Chinese mainland, Apple’s latest corporate actions have raised eyebrows and debate around data privacy.

As reported, the company is moving iCloud accounts that are registered to China’s mainland to servers that are run by the state.

As Apple moves those operations to China, and works to store Chinese iCloud data with a local firm, it means, in effect, that Chinese authorities have a shorter path to accessing that data — theoretically — or even spying on Apple customers there.

The firm in China, Guizhou-Cloud Big Data Industry Co., was, as Reuters reported, established by a provincial government in Guizhou. The company, stated the newswire, has “close ties” to China’s government and to the Communist Party.

By hosting the iCloud accounts maintained by Chinese users locally, the tech giant is working within the confines of laws that dictate how data, which spans email and other information, is stored and where.

One key change (no pun intended) centers on where the actual cryptographic keys are stored — the very keys that can access the accounts. The keys have thus far been stored in the United States.

Because of that U.S. location, governments looking to gain access to a Chinese iCloud account had to navigate the twists and turns of the U.S. legal system to be granted access — but no more, now that the keys are being stored in China.

Now, it seems, due to a cybersecurity law that took effect last year, the Chinese legal system holds sway, and the government need only to go through the home system to get Apple to give access to those accounts.

Said Apple in a statement, the laws are such that services provided on the mainland to citizens have to be offered by Chinese firms.

The tech juggernaut said that “while we advocated against iCloud being subject to these laws, we were ultimately unsuccessful.” Apple said it decided it was better to offer iCloud under the new system because discontinuing it would lead to a bad user experience and actually lead to less data privacy and security for its Chinese customers. Additionally, Apple said it was better to continue the service under the new laws than opt to offer a bad user experience.

Human rights advocates raised some alarms on Wednesday.

Amnesty International said in a statement that “changes being made to iCloud are the latest indication that China’s repressive legal environment is making it difficult for Apple to uphold its commitments to user privacy and security.”

Thus a debate, written in the (i)cloud: Comply or cede the market — and, in this case, the Chinese market is, of course, an attractive one based on sheer user numbers. The company gets roughly 20 percent of its sales from China.

Apple will control the encryption keys, said the company, as Reuters noted, and not the Chinese firm with which it’s partnering. And while Apple said it would respond to “valid” legal actions taken in China, the police can also issue and act on warrants and do not need to get court approval.

Thus far, according to data given over by the company, from mid-2013 through mid-2017, said Reuters, it gave no customer account content to authorities, spanning 176 requests. By way of marked contrast, the company gave data related to 2,366 out of 8,475 requests from the government.

Yet all of that took place before the new laws took effect.

It remains to be seen whether the firm that holds the (proverbial and technological) keys can indeed control the outcome of the great iCloud debate.