
When one travels to China, is the iCloud data entirely compromised? - 29_29
I&#x27;m looking for someone that works at Apple iCloud that can speak authoritatively. When one travels to China, is the iCloud data entirely compromised by Chinese access? For example is it all synched?
======
Despegar
Apple has already publicly said in court filings, and under threat of perjury,
that they don't make any exceptions for China.

From Apple's filing [1]:

>Finally, the government attempts to disclaim the obvious international
implications of its demand, asserting that any pressure to hand over the same
software to foreign agents “flows from [Apple’s] decision to do business in
foreign countries . . . .” Opp. 26. Contrary to the government’s misleading
statistics (Opp. 26), which had to do with lawful process and did not compel
the creation of software that undermines the security of its users, Apple has
never built a back door of any kind into iOS, or otherwise made data stored on
the iPhone or in iCloud more technically accessible to any country’s
government. See Dkt. 16-28 [Apple Inc., Privacy, Gov’t Info. Requests];
Federighi Decl. ¶¶ 6–7. The government is wrong in asserting that Apple made
“special accommodations” for China (Opp. 26), as Apple uses the same security
protocols everywhere in the world and follows the same standards for
responding to law enforcement requests. See Federighi Decl. ¶ 5.

and a declaration from Craig Federighi personally [2]:

>Apple uses the same security protocols everywhere in the world.

>Apple has never made user data, whether stored on the iPhone or in iCloud,
more technologically accessible to any country's government. We believe any
such access is too dangerous to allow. Apple has also not provided any
government with its proprietary iOS source code. While governmental agencies
in various countries, including the United States, perform regulatory reviews
of new iPhone releases, all that Apple provides in those circumstances is an
unmodified iPhone device.

>It is my understanding that Apple has never worked with any government agency
from any country to create a "backdoor" in any of our products and services.

>I declare under penalty of perjury under the laws of the United States of
America that the foregoing is true and correct.

When China wants something from iCloud they do it the same way that law
enforcement does it everywhere in the world, which is through Apple.

[1] [https://assets.documentcloud.org/documents/2762131/C-D-
Cal-1...](https://assets.documentcloud.org/documents/2762131/C-D-
Cal-16-Cm-00010-Dckt-000177-000-Filed-2016.pdf)

[2] [https://www.documentcloud.org/documents/2762118-Federighi-
De...](https://www.documentcloud.org/documents/2762118-Federighi-Decl-
Executed.html#document/p1)

~~~
cynix
> _It is my understanding that_ Apple has never worked with any government
> agency from any country to create a "backdoor" in any of our products and
> services.

So Craig's declaration is not that they haven't created any backdoors for
governments, just that he doesn't know of any.

~~~
lern_too_spel
Craig's declaration might have been true in 2016 when he made it. It
definitely has not been true since 2018.
[https://www.amnesty.org/en/latest/news/2018/02/5-things-
you-...](https://www.amnesty.org/en/latest/news/2018/02/5-things-you-need-to-
know-about-apple-in-china/)

~~~
Despegar
Replying to this just for anyone else that reads this later:

Tim Cook confirmed this was still the case in this 2018 interview with Vice.

[https://www.youtube.com/watch?v=VD1cP8SK3Q0&feature=youtu.be...](https://www.youtube.com/watch?v=VD1cP8SK3Q0&feature=youtu.be&t=244)

~~~
vatueil
Transcript of relevant section:

[https://youtu.be/VD1cP8SK3Q0?t=244](https://youtu.be/VD1cP8SK3Q0?t=244)

> VICE News: _In terms of privacy as a human right, does that apply to how you
> do business in China?_

> Apple CEO Tim Cook: _It absolutely does. Encryption for us is the same in
> every country in the world. We don 't design encryption for, you know, for
> the US and do it differently everywhere else. It's the same. And so to send
> a message in China, it's encrypted. I can't produce the content. I can't
> produce it in the United States either. If you lock your phone in China, I
> can't open it._

> _The thing in China that some people have confused is certain countries, and
> China 's one of them, has a requirement that data from local citizens has to
> be kept in China. We worked with a Chinese company to provide iCloud. But
> the keys, which are- which is the "key" so to speak, pardon the pun, are
> ours._

> VICE: _But haven 't they moved to China, meaning it's much easier for the
> Chinese government to get to them?_

> Cook: _No, I wouldn 't- I wouldn't get caught up in the, uh, "where's the
> location" of it. I mean, we have servers located in many different countries
> in the world. It's- they're not easier to get data, uh, from being in one
> country versus the next. The key question is, how does the encryption
> process work, and who owns the keys if anyone. In most cases for us, you and
> the receiver own the keys._

VICE interviews are not held under penalty of perjury, of course, but we may
give Apple's CEO the benefit of the doubt.

As Mr. Cook acknowledges, Apple did make significant changes to iCloud data
storage for Chinese users, though he suggests in "most cases" users have
control over encrypted data. The encryption angle was addressed in the article
from Amnesty International as well.

Since the changes to iCloud for Chinese users in 2018 postdate the court
filings in 2016, it does seem reasonable to feel less confidence in previous
assurances with regards to China. They are not as ironclad as "threat of
perjury" might suggest, at least.

~~~
Despegar
Anyone that's expecting Apple to annually refresh their statements about this
under oath to not be considered compromised is probably acting in bad faith.

The first time was good enough for anyone that actually wants to know if Apple
had to make compromises to be in China. The answer is no and the reason why is
obvious, Apple has some leverage in being a major employer and a highly
visible American company operating in China.

Apple's press statements as well as that on-the-record interview with the CEO
are perfectly consistent with the court filings.

>Originally, iCloud data was stored on Apple-controlled servers, with the
Cupertino company holding the encryption keys. Apple announced a year ago that
this would change to comply with new laws in China, and that data for Chinese
iCloud accounts would be moved to a server run by Guizhou-Cloud Big Data
(GCBD), a company owned by the provincial government.

>However, I have spoken to Apple today, who confirmed that it still holds the
encryption keys, and states categorically that they have not been made
available to either GCBD or China Telecom.

[https://9to5mac.com/2018/07/18/chinese-icloud-data-china-
tel...](https://9to5mac.com/2018/07/18/chinese-icloud-data-china-telecom/)

And the use of mutliple zero day exploits to target the Uyghurs basically
confirms that China doesn't have direct, backdoor access to Apple products.

~~~
vatueil
Doesn't it also paint an incomplete picture to present Apple's reassurances as
backed by penalty of perjury when the most significant developments took place
long after those statements in question? The fact that the iCloud China
controversy happened years after those court filings was not disclosed in the
original comment.

The concerns expressed by human rights groups such as Amnesty International
are nothing so blatant as a direct backdoor, but the erosion of layers of
protection that extend beyond technical measures. As the previously cited
report notes:

[https://www.amnesty.org/en/latest/news/2018/02/5-things-
you-...](https://www.amnesty.org/en/latest/news/2018/02/5-things-you-need-to-
know-about-apple-in-china/)

> Apple says it has control over encryption keys and that it won't allow
> backdoors. Won't that protect users in China?

> _It all depends on the circumstances under which the company will allow GCBD
> – and the Chinese authorities – access to intelligible decrypted data on
> iCloud users. When users accept [the terms of service for iCloud in
> China]([https://www.apple.com/legal/internet-
> services/icloud/en/gcbd...](https://www.apple.com/legal/internet-
> services/icloud/en/gcbd-terms.html)), they agree to allow their information
> and content to be turned over to law enforcement “if legally required to do
> so”. Significantly, _from now on Apple will store the encryption keys for
> Chinese users in China, not in the US – making it all but inevitable that
> the company will be forced to hand over decrypted data so long as the
> request complies with Chinese law _._

> _Given that many provisions of Chinese law offer inadequate protection to
> privacy, freedom of expression and other rights, simply checking whether
> government information requests comply with Chinese law doesn’t address
> whether complying with the request might contribute to human rights
> violations. Apple hasn’t confirmed whether or how it will assess whether
> government information requests might violate users’ human rights. We won 't
> really know how Apple will respond until it's put to the test, and
> unfortunately that’s probably just a matter of time._

> _As for “backdoors”, or technical measures that would allow law enforcement
> or other government agencies to access unencrypted user data without having
> to ask for it, Apple’s commitment to prevent their use is admirable. But the
> commitment is meaningless if law enforcement can get the companies to
> decrypt user information simply by saying that it is for a criminal
> investigation._

------
Spooky23
For Chinese users, iCloud is operated by Cloud Big Data Industrial Development
Co., Ltd.

My understanding is that Chinese users in mainland China have a different set
of product terms that are vague or silent about certain privacy features or
what the the Chinese partner does.

If you are a foreigner, you use the Apple owned service.

What I don’t know is where you connection terminates. With Microsoft,
depending on the type of cloud, Office 365 TLS connections terminate at a
local Microsoft point of presence. So you are in clear text outside of your
jurisdiction for a limited period of time. (Not sure about China, but I’ve
verified for other countries.)

Bottom line, if I had information of interest to Chinese interests, I wouldn’t
expose an account with that data there or would get real paid advice about how
to do it.

~~~
29_29
Thanks for the response, it would be great if this is the case but is this
actually true? I'd like to read this from Apple, or an apple spokes person.

