Apple: Chinese firm to operate China iCloud accounts (bbc.com)
95 points by chrystianv on Jan 10, 2018 | 118 comments

This just reminds me of that subthread in yesterday's Facebook home device post where people were ranking tech companies. A lot of people put Apple first on respect for privacy.

It's good to have a reminder of the nature of corporations so soon after that. Tools for users to take privacy and security into their own hands need to be made accessible enough to make it truly matter.

It's like herd immunity with vaccinations: it doesn't matter that you use encryption and block trackers if all the people around you provide enough data to make inferences about the private few.

A counterpoint here: Consider American subpoenas, court order, FISA warrants and the like. Remember that FISA warrants are secret! Having the data managed by a US company has these consequences. Perhaps you trust the US government more than you trust the Chinese government... that is very reasonable, to be sure. But it makes so much more sense that your data is subject to the law in the country you reside in, rather than the laws of a foreign power.

This is not even remotely hypothetical. Making everyone's data accessible to organizations and people subject to US court orders is bad for privacy.

This kind of thing will be happening more and more, and not just China and Russia, but also the EU. So it won't just be that Chinese users can be spied upon by the Chinese government. It will also be true that it will be more difficult for the US to spy on citizens of other countries.

In some respects I'd rather have my data managed by a Chinese company than a British one.

It's exponentially more difficult for the Chinese government to wield data against me than it is for the British government, as I do not live somewhere where the Chinese government has any power over me.

> It's exponentially more difficult for the Chinese government to wield data against me than it is for the British government, as I do not live somewhere where the Chinese government has any power over me.

It depends mostly on the nature of the data, and how much interest they have in you. If the data is damning enough, and they would find value in using it against you, then the Chinese government is perfectly able to hire someone to do so.

Anyone in China who is significantly wealthy is effectively involved in politics, with potentially life and death consequences. To stay under the radar, you have to stay at the level of inconsequential small fry.

Right, but if you're not in China at all, the Chinese government don't care about you.

So it's (in some respects) safer to have your data managed in a foreign country than in the country you live in, as a counterpoint to the claim that "it makes so much more sense that your data is subject to the law in the country you reside in".

> Right, but if you're not in China at all, the Chinese government don't care about you.

In the vast majority of cases, yes. In an absolute sense, no.

> So it's (in some respects) safer to have your data managed in a foreign country than in the country you live in, as a counterpoint to the claim that "it makes so much more sense that your data is subject to the law in the country you reside in".

There is a point to that.

> So it's (in some respects) safer to have your data managed in a foreign country than in the country you live in, as a counterpoint to the claim that "it makes so much more sense that your data is subject to the law in the country you reside in".

To clarify, I'm saying it makes sense from a legal and societal perspective, not from a personal privacy perspective.

> Right, but if you're not in China at all, the Chinese government don't care about you.

That’s, at best, less than clear, considering the actions attributed to PLA Unit 61398.

Perhaps on an individual level it's true that moving accounts off-shore can be advantageous (although the flip side of ceding your data to a regime that isn't responsible to you in the slightest is that they have even less reason not to misuse it if it ever benefits them). But on a societal level if everyone followed this tactic we would all be worse off, especially if the foreign government is not a liberal democracy or otherwise at odds with your home country.

How privileged you are, then, not to live under the Chinese regime.

The point was that sometimes it's better to have your data managed by a foreign government. Not that the Chinese government is somehow better than any other arbitrary government. If you live in China, feel free to mentally switch "Chinese" and "British".

If that's a counterpoint, my point must have been unclear. I think we're in agreement.

I think I did not read your original comment very well.

I'm not sure Apple had any choice here. They can still be good for privacy in your country but they still have to play by the rules of the country they are operating in.

They have the choice to exit the Chinese market rather than comply with these insidious demands. The point OP is making I think is that if Apple valued privacy, then exiting the market rather than comply is the decision they would have made.

Facebook's "shadow profiles" (see e.g. https://spideroak.com/articles/facebook-shadow-profiles-a-pr... ) are a concrete example of this that should be better-known.

I'm interested in what is going to happen about that starting from 25 May 2018 when the GDPR from the EU becomes enforceable.

A good thing about these data regulations is that they can not only be brought to court by private individuals, but also by dedicated officials from the nations.

IMHO this is sending a strong signal to people like myself who mainly use an iPhone for privacy reasons. Regardless of whether or not the data is only stored encrypted at the 3rd party, their willingness to compromise in this regard is a strong indicator for their future actions and their commitment to privacy and security.

What course of action would you prefer: Willingly shut down iCloud in China or have iCloud forcefully shut down in China?

I would much prefer that the license and information from Apple explicitly stated that this Chinese firm will only be able to store and access data from Chinese accounts and there is a very secure barrier between the two. However, given this paragraph

> They include a clause that both Apple and the Chinese firm will have access to all data stored on iCloud.

It makes me really worried about Apple's commitment to privacy.

I'd prefer that China allow its citizens to freely access the global internet.

I was going to comment that I think the question referred to what course of action /Apple/ should take, but maybe fundamentally changing superstates is not off the table when you have multinational megacorp resources.

What are you suggesting? Revolution?

And how could Apple accomplish that?

By threatening to pull manufacturing.

China adds so little value there I don’t think it would cause a blip. Then Apple would have to decide somewhere else to do that with the right supply chain in place.

I think (I hope) as more people in China come online they will realize that they are missing out.

Sadly the opposite might occur. Fake news is very useful. For corporations, it acts like PR/marketing channel. For nation-states it's a great propaganda channel.

What if the Communist Party of China was actually visionaries about what the Internet could do for oppressive nation-states, if properly harnessed for the good of the party?

This was the hope with the internet here in the US. Hundreds of millions of users later, the average person seems even less informed on the world around them. Access is meaningless if good information is less appealing or is made to seem less credible than propaganda.

How about a notice on iCloud reading something like "iCloud is not available in your country due to local government regulations that are in conflict with our position on personal privacy. We are sorry for the inconvenience."

Given China's history I would expect them to be very, very upset by this public criticism of their government. Especially on every iPhone.

Google did that (actually took an even stronger stance). But if competitors don't do the same, then nothing changes and you are just ceding the market to them.

To be clear, I am not advocating that companies should bow down on their principles, just that it needs to be a more coordinated effort across companies, and might need new technical solutions to evade government firewalls etc.

While I am cynical that my wishes would come true, I do respect the companies that take a moral stance against their own business interests, which includes Google in China and Apple in the US.

Pure speculation on my part, but could this be a way for Apple to segregate Chinese account data from the rest of their customers' data?

That would seem to limit the scope of what Chinese authorities can access.

To me it seems to be the case — Chinese customers will use a firewalled version of iCloud available only in one country.

This is exactly why this is done. Apple needs to isolate its Chinese users so that only they are affected by Chinese government regulations.

How do they define "Chinese users?" What about an American traveling or living in China?

While you're not wrong, this strikes me as the cost of doing business in China. For comparison, AWS and Azure both operate under local partners in China.

e: "strikes me as" == "is"; it's not really optional.

That cost of doing business seems to be getting more expensive all the time. At what point do we have to subsidize that cost with our own privacy and freedom?

Because the options are either do that or exit the country unfortunately.

Precisely my point, but thanks for clarifying. The subtext I guess is that in my view it's worthwhile for Apple, even if I have personal qualms about the privacy implications. Then again, I would assume this won't affect non-Chinese region Apple/iCloud users.

>> Because the options are either do that or exit the country unfortunately.

> The subtext I guess is that in my view it's worthwhile for Apple

Exiting the country might be the most worthwhile long term choice for a company. China has clearly indicated, through its actions, that it's mainly interested in technology transfer to shore up its domestic competitors. It's not really interested in giving foreigners a fair shot at its market.

This might not be very true for Apple (as it's really mostly a luxury smartphone maker), but it is for a lot of the companies that would like to do business there.

I disagree.

Apple has always made clear that information stored on their iCloud service was subject to access by a third party with the proper authority. Whether this third party is US or Chinese does not change anything.

Only the information that is resident on your phone with the Secure Enclave is tamper resistant.

I don't buy into this line of reasoning, because it inverts the relationship. Of course Apple has to hand over access to authorities if there's a lawful reason behind it, just like e.g. a private person has to oblige to a search warrant. But in this case they hand over their infrastructure to an untrusted party in order to conduct business in the first place.

Again, it's not so much about what the firm can actually do with the infrastructure (ideally, it's a black box that only the user can access with the correct key), but what compromise they're willing to make in order to conduct business. Privacy has become a selling point for Apple, and actions like these signal how serious they are about it.

Blackberry went through the same issue with a similar outcome.

Personally, I see this as a positive development, as it signals that the company is doing what it claims to, promoting the PRC to get the same accommodation that Office 365 delivered versus giving the state the level of access it demands.

If you feel strongly or have a requirement to control your account principal, you should not be using a third party identity store.

Many countries have such limitations, not only China requires data to be stored "in the country", but also Russia. I've been in a situation, where an international product got "forked" into a daughter-company-controlled China-only product. Nothing escaped this Chinese sandbox, and nothing got into either.

Money trumps principles plain and simple. My guess is this will continue until the day Apple sales in China decline below a certain level, then there’ll be a ‘brave, principled’ decision announced that they are shutting down iCloud in China or withdrawing from the market altogether.

In Apple's case, as the Apple manufacturing base is largely Chinese, the government has considerable leverage regarding corporate decisions.

If I was Apple then, I’d start investing some of that $200 billion they have in the bank in some advanced non-Chinese manufacturing. Get some balls like Elon Musk and take some risks.

Apple to FBI: No you can't get into iPhones, our users want security.

Apple to China: Here are the keys

The difference is that it’s within Apple’s rights in the US to refuse to cooperate with a warrant in the way that they did. The constitution of the United States has strong protections for individuals’ privacy from the state.

This is not the case in China.

In both cases, they are protecting user privacy to the greatest extent they can by law.

Secondly, Apple is not handing the keys to their system over to China. Instead, they are deploying a separate system for Chinese accounts to preserve the privacy and security of all other accounts. And finally, they are not compromising the Secure Enclave or any device security features.

They absolutely have the right to refuse to cooperate with the Chinese government, it's called refusing to do business in China.

Who is "They"? If it is "Tim Cook", then Tim Cook has the right to be CEO and do business in China, or get fired. If you mean Apple stock holders, I'm sure they wouldn't be happy about taking a huge hit on their second or (at times) first largest market. Would you be willing to slice your retirement savings in half for this?

Google pulled out of China, so sometimes companies put principles before short term profit. Something Tim Cook has claimed Apple also does, but apparently not in regards to China.

Google wasn't making > 25% of their money in China. I applauded Google's move when they did it back then (and I worked down the street from their Wudaokou office), but it is completely obvious why Apple, as a public company who makes a lot of money in China, can't pull out now.

Your comment just proved his point that Apple puts their Chinese profits over their users' privacy. What percentage of Google's profits would come from China had they stayed there and acquiesced to the government demands? 15%? 20%? I wonder how much profit Google has missed out on by not doing business in China.

It isn't their choice! Apple isn't a person, you have to understand that. Apple is your retirement fund or whatever investment, it's a public company. Tim Cook can either say "I want us to be in China" or he can leave, because no sane board is going to let him stay and say otherwise. Blame capitalism, blame human desire for money, whatever, but don't blame the company for choosing the only option it had.

Google didn't miss out on much at all, it was clear way before they pulled out that they wouldn't be allowed to go very far in search. Also, Google only pulled out of search in China, they actually still do plenty of business in China.

Wow, I didn't think of that example. It's a pretty huge hypocrisy.

In both cases they’re complying with the laws.

The data may be stored with a Chinese company but it’s still encrypted isn’t it? They can’t read it can they?

Have a look at their recent whitepaper, most of it is not https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Third sentence from the article: "They include a clause that both Apple and the Chinese firm will have access to all data stored on iCloud.".

If the Chinese firm couldn't read the data access would be pretty pointless methinks.

I’d agree, but that doesn’t necessarily mean it’s not true. I could see Apple trying to keep certain data encrypted in private in exchange for other less important data being “open“.

This is assuming "you can't get into iPhones" was not a poker face while they were passing information.

I absolutely believe Apple's foray into China is a huge misstep for the Apple brand.

Imagine when all the censorship and surveillance and the actions taken with personal data start surfacing, they're going to very quickly try to get out. Apple pulling VPN apps off the App Store is just the beginning.

It may be a big market, but I think Apple shouldn't be there under the Apple name, because stuff like this shows me that it's literally a different company.

It's simply not worth the business.

Why do people in USA care about what the Chinese government does? It's not like you are willing to take care of its citizens, but the Chinese government has a responsibility and they seem to be trading off fairness so fewer people are impoverished.

Today you, tomorrow me.

Shareholders demand growth and Apple entering China is a way for them to grow. If Cook says "fuck it, we pack our shit and leave China", the board will quickly replace him because there's simply too much money to be made in China for Apple.

Apple cares more about revenue than brand in regards to China

"At Apple, we believe privacy is a fundamental human right."[1]

Unless you live in China in which case your fundamental human rights take a back seat.

I did a Google translate on their Chinese web page:

"At Apple, we treat privacy as the fundamental right of everyone."[2]

Perhaps Google translate messed up and missed the "human rights" part from the Chinese translation, but I'm guessing it didn't.



That might be a mistake. Once Apple makes a deal with China, Russia will ask for the same deal. The Russian government wants to keep the data in their country too.

There is not a single Apple Store currently in Russia. All Apple products are available online only. I think Russia will have 0 leverage to make Apple go through all the trouble.

If the choice is either to comply with those governments, or lose an enormous market, Apple will comply in both cases.

Russian market is way smaller, and the good PR they will undoubtedly get for abandoning it will offset the losses.

Apple's compliance with Beijing is morally weak but financially strong, not just for them but for Apple Developers.

A month ago, Apple noted that it has 1.8 million developers in China (and/or developers publishing to China -- not clear to me). At any rate, the Apple platform has made those developers $17 billion dollars.[1]

So China is big business for Apple developers and I assume many of those developers are US/CA/EU/AU/etc. who benefit from the platform being available in China.

[1] https://www.cnbc.com/2017/12/03/apples-tim-cook-says-develop...

When you say "moral" are they your morals or the developer's and China's morals? Do your morals accommodate theirs or is it too restrictive?

Yes, those are my own assessments.

It's possible that someone could view Apple's decision to compromise its customers privacy to remain in the Chinese market as "morally strong". I would like to hear a defense of that position if someone held it.

Apple's decision appears to be legally compliant but morality must transcend legality in my worldview. i.e. the "good men" argument per Emerson or others

They aren't the first. Microsoft/Skype had to outsource PRC Skype accounts to TomTom, Azure has to outsource its PRC cloud operation to a Shanghai utility company, and so on.

If you ever needed a sign that Apple cares more about making money than their users' privacy then this is it. If Apple really respected their users' privacy then they should take a stand and let the chips fall where they may. If this is the cost of doing business in China then perhaps Apple should rethink its strategy.

Their "good faith" is asking customers to read the Apple Terms and Conditions...

I hate to reference Orwell, but the fact that Apple convinced us all to lie by saying we'd read the T&C and now are telling us that there's "important" information in this unreadable document seems like classic Orwell.

This is probably the way it should be. Multinational corporations have subdivisions that handle local laws and customs.

ex. Facebook Germany should handle all its specific speech laws rather than trying blanket global speech to Germany or EU specific laws.

Though at that point you start losing advantages at scaling depending on implementation.

> iCloud accounts registered outside of China are not affected.

What exactly does this mean? What makes an online account registered in a geographic location? Is it determined by where the iPhone is bought, the IP addresses when the registration is made, the email account used for the registration or something else?

It goes by billing address of payment method.

As of early 2018, national boundaries combined with linguistic barriers are still more powerful than the internet. Could this change with low Earth orbit satellite internet? (Given the precedents to date, I'd expect the Chinese government to jam the signals or otherwise intervene.)

Not as long as payments go through the current financial system. If you’re using a US credit card, with a US billing address, to transact with a company, then you are “US registered” regardless of where your packets are routed. Until it’s possible/mainstream to decouple identity from payment, your payment method will always be the weakest link.

Are you presuming that most of the internet will be paywalled by then?

To be fair I was speaking more about iCloud and the App Store (which is “the Internet” to many people) than I was the wider internet.

To answer your question... I hope not. But perhaps we are already there. Boiling frog etc.

I am very concerned that now Apple will do exactly the same thing with Russian accounts.

This link might come in handy: https://support.apple.com/en-us/HT201389

All you need is a foreign credit/debit card.

This just shows to what extent Apple is willing to bend its rules for China. They're just too dependent on China. China has the upper hand here. I've a feeling that one day China might ditch Apple.

Just cleared some of my iCloud photos with faces.

Resistance is useless. WeChat, QQ, AliPay and other complied third-party online services are more than enough. As long as you are connected in the Matrix, it has you.

A correct title would be:

    Apple sold out all China iCloud accounts

I guess I understand. It is either the market or the privacy and security of their Chinese users. They chose the market so all of our retirement funds still hold their face values.

Another chance for Apple to stand up and do the right thing, and it flinched because it would rather have money than morals.

And don't give me the standard amoral shareholders whine. Apple is already on record as saying it would rather do the right thing than make money, and if investors don't like it they can go pound sand.

Now Apple's sold out a billion people.

How long until the Chinese government requires access to the Secure Enclave chips in iDevices?

Actually, once you have the iCloud accounts, you can bypass the Secure Enclave chips.

"Cloud Big Data Industrial Development Co"? Doesn't sound sketchy at all.


Don't mention Trump on this forum even if you preface what you say with disdain. You'll never go positive.

I agree that the US/EU needs to be harder on China. It's been very one-sided in recent years. The real issue, I think, is their disregard for intellectual property. You bend over backwards to get into their market, then a year later a government backed firm with an identical product puts you out of business. They won't get away with that for long, believe you me.

> They won't get away with that for long, believe you me

What year do you predict they will no longer get away with it?

When the Chinese can produce superior IPs than other nations, then they will become the true defender of IP.

If there are any Western IP-generating firms left by then I’m sure they’ll be pleased!

In Europe we need to do like in China. Or our tech industry is doomed to stay small...

Protectionism isn’t going to make your tech industry globally competitive.

No, but who cares? Tencent, Baidu, etc. are not globally competitive, but they are very fine.

You know what else is not going to make European tech industry globally competitive? The chronic lack of money, because it's all siphoned away by google, amazon, apple, and such. Do we need a global competition? Why?

An internal competition in a huge market is good enough. China encouraged the development of a strong internal market: and they are innovating like crazy. Europe is big enough to do the same.

China has a population of 1+ billion who are firewalled both by network access and by language.

European citizens have better English proficiency and no great firewall, hence the transaction barriers to consuming global services are easier.

I’m afraid you have to be globally competitive unless the EU wants a Great Firewall.

> hence the transaction barriers to consuming global services are easier.

It's just a political choice. It's not a fact of life. Better regulation and better taxation of capitals would "firewall" Europe as well.

As I said below, language has never been an issue. Nobody is using Google because it is in English. Google is well translated everywhere.

The regulation and taxes are more likely to disadvantage smaller players.

Europe’s problem with tech investment isn’t because of existing big tech players.

Maybe we're not so far from a European Great Firewall decades down the line, to stop Five Eyes spying (once the U.K. is no longer an EU member state) or from monopolistic Google privacy infringement or whatever. Economics can be determined by geopolitics.

>European citizens have better English proficiency

"better" yes, but not good enough to make American products successful unless they are translated

It's not a simple matter of translation, it has to be culturally localized. Burger King can't just sell beef burgers in India by translating their menu language.

It's a lot easier for a Western business to translate their UI to German or French, than it is to Chinese or Japanese. Input methods alone are an issue that calls for interaction UX to be designed differently.

There are no big cultural differences between European countries that I'm aware of.

I'm talking about the fact that the cultural difference between the US and Europe is smaller, so US services can be easily consumed by Europeans with just language localization.

The same is not true for China. It is easy for US firms to serve Europeans by localizing language, ergo European firms face global competition from US firms with a lower barrier.

It is more difficult for US firms to serve the Chinese market, even if you have perfect language localization. The cultural differences are larger than US<->Europe. Even before the Chinese government got protectionist, US firms had trouble competing in China.

We've seen lots of tech companies launched from the UK, Germany, and Scandinavia, but less so from other regions. Perhaps it would be better to ask what is it about say, Italy, or France's internal markets that makes tech harder to find investment for locally.

> Even before the Chinese government got protectionist, US firms had trouble competing in China.


Might be better to actually post a rebuttal.

Chinese government before being protectionist it was communist and closed: there never was a period without protectionism in China. Chinese economy has always been fully regulated, especially in the 90s. In other words, there is not much sense in your post, and it signals you don't know what you are talking about…

Either-or fallacy. The regulations before proscribed levels of ownership, joint venture requirements, and contraband goods but direct Chinese interference to limit outside interference and benefit local competition have grown a lot worse under Xi compared with Hu and Jiang. Prior to that, China had no choice but to accept FDI joint ventures, so for example, that’s why you see lots of Chinese manufactured Fords, Buicks, Audis, and Volvos driving around. Once they have mastered building quality cars, then they’ll impose quotas and other rules to try and encourage buying local companies over joint ventures.

There was a time when Western companies were flying under the radar during the first half of Hu’s term allowing JV market share to expand significantly.

China’s economy hasn’t been communist since Mao.

China is one country where the majority speaks a handful of languages (please don't attack me if this comment is ignorant, be nice)

But is it easy to get the EU countries to even agree on any of this stuff? (Genuinely asking, cuz I imagine it's insanely hard because each country has their own culture and priorities)

Look at the counterfactual, is having multiple languages stopping Google from doing business all over Europe? No.

Is having a different language a big deal? Also no.

It made Alibaba, Tencent pretty competitive globally.

Isn't critical information (medical, financial) required to be hosted on European soil?

Not always. Privacy Shield is one such way that we can host that information inside the US.

Seconded. Certain level of protectionism is good for business, Trump has proved that. We need to decentralize/democratize the tech industry across the globe, not concentrated in US.

EU should start providing incentives to local companies to build their own business that serve its own people, other than becoming US's satellite states.

> Trump has proved that

Could you link to some articles about this?
