
Chinese authorities detain Apple employees suspected of selling customer data - IsaakTech
https://www.hongkongfp.com/2017/06/08/china-uncovers-massive-underground-network-apple-employees-selling-customers-personal-data/
======
Darthy
Apple does not allow your iOS iCloud data to be encrypted in a manner where
Apple cannot access it. As is alluded to in this article.

Privacy advocates and privacy caring IT specialists have repeatedly asked
Apple to offer such an option, but so far Apple has decided that regular
people would turn such an option on, forget their password, then ask Apple for
help and would be unhappy with their brand experience if Apple could not help
them out.

If Apple would implement such an option where Apple could not access your
data, shenanigans like the ones outlined in the article could not happen. It
would also allow people who feel the state will misuse their info use iCloud
for the first time.

There could be something good that comes out of this. These bad news could
pressure Apple into finally offering an optional iCloud service where only you
can see your data.

Answers to likely responses: "just use a different cloud service": on iOS, for
cloud backups, there are no alternatives: it's iCloud or nothing.

~~~
IBM
Given the way iCloud security works I'm not sure iCloud was breached at all
[1]. Other reports seem to indicate that it was employees at Apple stores and
third party resellers who had access to names, phone numbers and Apple IDs
[2]. Presumably they would try to phish them later on.

[1]
[https://youtu.be/BLGFriOKz6U?t=32m35s](https://youtu.be/BLGFriOKz6U?t=32m35s)

[2] [http://www.foxbusiness.com/features/2017/06/07/chinas-new-
cy...](http://www.foxbusiness.com/features/2017/06/07/chinas-new-
cybersecurity-law-tested-by-iphone-information-theft.html)

~~~
sitharus
Given that with 2FA enabled Apple can't even reset your password (which has
caught the tech press out before
[https://thenextweb.com/apple/2014/12/08/lost-apple-id-
learnt...](https://thenextweb.com/apple/2014/12/08/lost-apple-id-learnt-hard-
way-careful-two-factor-authentication/#.tnw_RBRG7wAB)) I agree that iCloud
itself is unlikely the source.

It's probably a marketing or support database that contains basic data.
Annoying but not a serious breach.

------
HappyTypist
Can confirm. I've had someone contact me on snapchat and show me screenshots
of Apple's internal tools and offer to run queries for $$$. He was willing
turn off 2FA, change the email, and reset the password (thus, giving me
access) for $$$$.

He told me that he texts a friend who calls and pretends to be the customer in
question, and texts him all the verification questions he has to ask as part
of SOP.

Many AppleCare employees work from home, so I can see it is difficult to track
and stop this sort of thing.

~~~
nilved
Did you report that?

~~~
HappyTypist
I emailed security@apple.com and never received a response.

Generally, when I need to get the attention of big tech corporations I talk to
a friend who works there. Unfortunately, I don't really know anyone who works
at Apple.

~~~
simulator_aapl
You don't have any contact details in your profile; check mine and send me any
details you can. I'll ping the appropriate people.

~~~
bobsam
Also, we need your ss# and your keys

~~~
simulator_aapl
If HappyTypist isn't comfortable emailing my @apple.com email address they can
file a bug at [https://bugreport.apple.com](https://bugreport.apple.com) and
email me the bug # instead.

Assuming this story is true, I would personally like to catch the person
responsible.

------
zouhair
So now after forcing Microsoft to have a Chinese version of Windows 10 without
spyware, Blizzard forced to show the Overwatch loot boxes odds and this, we
are living in a World where China, "Great Firewall" China is now the biggest
advocate of users privacy.

What is happening?

~~~
dis-sys
oh, they can just quit the Chinese market by following what google did almost
10 years ago. look at google's share price & revenues, surely you don't need
the Chinese market to be successful.

fb is another good example.

~~~
LeifCarrotson
Apple is huge in China. I agree that Apple doesn't need China to be
successful, but that's a lot of money left on the table: for what purpose? For
principles? For the subset of your customers who are concerned about privacy?

------
nerdponx
This is always the argument that makes my friends and family call be paranoid
in data privacy discussions: "Even if the company has good intentions when
they collect your data, there's no telling who else might end up with access
to it in the future."

Obviously this is bad overall, but at least now I can point to a specific
example of this happening.

~~~
laumars
The example I previously used was this old case:

Google Engineer Allegedly Fired For Accessing Private User Information To
Stalk Teens

Source: [http://www.businessinsider.com/google-engineer-stalked-
teens...](http://www.businessinsider.com/google-engineer-stalked-teens-spied-
on-chats-2010-9?IR=T)

~~~
awinter-py
and microsoft accessed a hotmail account to investigate a leak
[https://arstechnica.com/tech-policy/2014/03/microsoft-
will-n...](https://arstechnica.com/tech-policy/2014/03/microsoft-will-no-
longer-look-through-your-hotmail-to-investigate-leaks/).

One perspective is that every company gets to screw this up once and then has
to get serious about privacy.

But it's possible _this is happening all the time_ , victims don't know their
saas vendor was complicit in releasing their information. If the companies
ever catch the perps, they're quietly fired in exchange for a non-disclosure
agreement that serves the interests of all parties (except the consumer).

------
chatmasta
> Reporters successfully obtained a trove of material on one colleague —
> including flight history, hotel checkouts and property holdings — in
> exchange for a payment of 700 yuan (US$100).

So it's not just email addresses / metadata from iCloud. This implies that 1)
at least some iCloud data is stored unencrypted at rest, and 2) employees can
query this data using internal tools.

This seems pretty bad.

~~~
azurelogic
This does not necessarily imply that the data is unencrypted at rest. The
query tool or the query backend could handle decryption seamlessly. S3 offers
similar encryption at rest that is invisible to authorized requesters. If the
story was that someone raided an Apple data center, stole hard drives, and
leaked customer data, then we would have reason to assume that.

~~~
chatmasta
I assumed "encrypted at rest" to mean encrypted with the user's passcode,
meaning it could only be decrypted from a properly authorized user session,
not some internal apple tool.

~~~
andai
> Privacy advocates and privacy caring IT specialists have repeatedly asked
> Apple to offer such an option, but so far Apple has decided that regular
> people would turn such an option on, forget their password, then ask Apple
> for help and would be unhappy with their brand experience if Apple could not
> help them out.

From Darthy's comment 30 minutes ago
[https://news.ycombinator.com/item?id=14513803](https://news.ycombinator.com/item?id=14513803)

------
carlmcqueen
Hoping comments can resist the urge to turn this into an apple bashing thread.

Having someone purposefully steal your data from the inside doesn't mean you
don't care about privacy.

They likely won't reveal anything but I'm curious how they could get the info
out of Apple systems. Most companies of Apple's size lock down work stations
to the point of slowing down workers efficiency to keep customer data safe.
Especially with their over seas operations.

~~~
cm2187
Hum. No one is giving some slack to a bank for having rogue employees. Part of
the job of being a large organisation is ensuring your employees do not
misbehave. In this case at the very least ensure they have minimum access to
users data.

~~~
falcolas
Or setting up the technology so nobody at apple can even _access_ the
unencrypted data. Much more effective than policies that you expect people to
follow.

I work at a fairly security conscious company, and the only data I can't
access is that encrypted at the consumer's end.

------
dep_b
This being the Chinese government it could also mean they try to discredit a
strong foreign platform that is really hard to control in terms of privacy and
security. No doubt Apple is giving all governments headaches not only the US.

If people believe they still can be hacked or tracked while using Apple
equipment less people might be tempted to use it.

Not telling the sale of data didn't ever happen. I think if it's true that
Apple should one up their security even more.

------
canuckintime
Is Apple storing everyone's data in China / do these 'bad apples' in China
have access to every iCloud customers or is it just a local Chinese concern?

~~~
Jtsummers
Per the article, it's not clear at this point which user (Chinese or non-
Chinese or both) they were able to obtain.

------
yonkshi
Apple's focus on privacy has always been a splinter in the eye of Chinese
authorities.

I strongly believe that this is an excuse Chinese authorities had been looking
for that will use to pressure Apple in China at the same time create the
illusion to the general public to not trust Apple.

I find it especially suspecious that the Chinese media put so much emphasis
the privacy concern of this event and in modern Chinese culture, privacy is
much less regarded as compared to western countries.

Anyone remember the propaganda while Google was being driven out of China?
Straight up false info about Google were broadcasted on CCTV-1, the prime time
national channel. A lot of my friends in China became very patriotic and
viewed Google as some sort of evil corporation trying to undermine Chinese
culture.

~~~
paradite
> Apple's focus on privacy has always been a splinter in the eye of Chinese
> authorities.

So was UK authorities, US authorities, and lots of other authorities, there is
no need to single out China in this case.

> I strongly believe that this is an excuse Chinese authorities had been
> looking for that will use to pressure Apple in China at the same time create
> the illusion to the general public to not trust Apple.

Yes, it could be the excuse for Chinese authorities, but this case could have
happened anywhere else in the world given the way Apple stores information,
and similar incidents have happened before for other companies like mentioned
in other comments. So I don't see a strong evidence that this particular
incident is related to some ulterior motive of Chinese government.

> I find it especially suspecious that the Chinese media put so much emphasis
> the privacy concern of this event and in modern Chinese culture, privacy is
> much less regarded as compared to western countries.

The entire incident _is_ about privacy issues, what else do you expect the
media to talk about? New iPhone colors?

> Anyone remember the propaganda while Google was being driven out of China?
> Straight up false info about Google were broadcasted on CCTV-1, the prime
> time national channel. A lot of my friends in China became very patriotic
> and viewed Google as some sort of evil corporation trying to undermine
> Chinese culture.

As far as I remember, Google did not want to comply with Chinese regulations
on censorship, so it was not allowed to operate in China, simple as that. I
don't think people had that bad of an impression about Google, more like they
felt bad losing a good search engine or simple just don't really care.

~~~
yonkshi
I suppose time will tell :)

------
fiatpandas
>The suspects, who worked in direct marketing and outsourcing for Apple in
China [...]

Uh, would they be given unrestricted access to user data? Or does every Apple
employee have access to this data and are left to exercise restraint?

And what about Apples claim that data is encrypted at rest?

------
kelukelugames
Don't all large companies have auto auditing of access to customer data?

~~~
CaptSpify
lol

Sorry, but having worked for 3 large companies (not apple, or Google, or any
in the same field), the auditing is purely just for show. They claim it
publicly, but very little is actually done to ensure the safety of that data.
When I started as an entry-level tech at 2 of them, I was given direct access
after just a couple of days.

I'm sure there are plenty that _do_ treat their customer data securely, but in
my limited experience, that's not many of them.

------
801699
i have seen hn commenters praise apple for "taking a stand on privacy". but
how can anyone believe that when they _collect_ so much personal data about
the people who purchase their hardware? the old apple did not do this.

1\. collecting data on users for months and years after purchase, 2. storing
it electronically on remote computers, 3. some connected to the internet. yes,
this surely points to a company is concerned about user privacy.

if something goes wrong can you sue apple?

we should expect every hardware vendor from laptop mfrs to the rpi foundation
to be silently collecting data from their customers long after the merchandise
is purchased. they need to do this, because...

wtf?

1\. collecting data on consumers and 2. storing it online.

#1 is incompatible with a pro-consumer stance on user privacy.

#2 is a guarantee that others besides the company are going to get that data,
whether the consumer is told about the breach or not.

------
bitmapbrother
I find it odd that a company that touts user privacy (an immediate pivot when
their iAds venture failed spectacularly) and security would have their user
data so easily stolen. There is absolutely no way these corrupt Apple
employees should have even had access to this type of sensitive information.

------
__warlord__
I see a lot of people defending Apple but I wonder how would they react if
this was Microsoft.

~~~
cm2187
I wonder how they would react if it was Goldman Sachs...

------
sordidasset
Where is it being sold? I wanna check if I or family members have been made.

------
diegoprzl
This is why I use Android without GApps.

You have to trust the company, the employees, its security, the goverment..
Better to think of everything you upload as already posted in pastebin. It's
relatively accurate.

------
jug
Suddenly potential workings behind celebrity nude photo exposure scandals, the
most recent one just a month/weeks back, becomes more clear. Of course, brute
forcing, weak passwords, or phishing, may still have happened, but this sure
sounds convenient and perhaps not even expensive for hackers sharing the cost.
It also sounds troubling with government staff exposure and all.

~~~
JoelTheSuperior
In fairness I don't think this was necessary for the celebrity leaks. With a
celebrity, with much of their lives being public knowledge I can imagine it
was probably easy enough to guess their security questions.

------
jcrei
Oh snap. And Apple has been touting itself as the champion of privacy in
comparison with Google, Facebook and Microsoft... This doesn't look good for
them

~~~
Jtsummers
It's not Apple's policy to sell information. This is employees engaging in
criminal behavior. Still not good for Apple, but it's correctable (firing and
pressing charges as appropriate; institute stronger internal policies on both
hiring and information access). Facebook and Google can't stop selling our
information without going out of business (or a major pivot).

~~~
skybrian
Google doesn't sell the information either. (You can buy ads, though.)

