iOS 16.3 Expands Advanced Data Protection Option for iCloud Encryption Globally (macrumors.com)
3 points by gjsman-1000 on Jan 18, 2023 | 4 comments



I remember seeing this comment (paraphrased) when ADP was announced:

"We'll know for sure if it becomes available in China. If it works in China, it's clearly cooked."

Well... it's going to be available in China, it looks like. However, some consideration of the ground situation perhaps should be considered. Potential reasons why the CCP is willing to permit it:

- China doesn't really need a warrant, or a good legal reason, to go and arrest someone they don't like. If they don't like what you are doing, they have no problem showing up and seizing your devices physically... and using the $5 Wrench attack (or just, a really long time in jail if you don't give up the PIN) to get around it.

- Another possibility, "he had it enabled, therefore he's more likely a criminal." Even if he's just an innocent person, it's a useful thing to blame.

- Remember also that iCloud is handled by Chinese data center companies... so anyone enabling it might actually just be a useful flag to the CCP that this person thinks they are interesting, and so increase surveillance elsewhere.

- The CCP doesn't really care what people individually think, but how they influence others - so, if he has nasty thoughts but keeps them only to himself (and thus doesn't come up on surveillance), so what?

- And to add to all those potential reasons, so what if iCloud is E2E when the CCP can scan all their WeChat messages and SMS texts? The odds of a "criminal" doing illegal stuff in iCloud alone aren't high. Besides, if he shares anything with anyone, it becomes non-E2E.

- The CCP can hardly keep track of all their party members - as of 2022, 96 million people were members. Perhaps the ability to get some of their disparate members on E2E-encrypted cloud storage outweighs the risk. If it prevents even one national embarrassment...

That's just my thoughts though on why the CCP may tolerate it. I don't know though for certain, obviously.


China owns and runs all of the compute under iCloud in China. In other words, the E2EE keys are stored on their own hardware. Not hard to imagine they can access the keys at will.


Supposedly, the keys are stored in HSMs (Hardware Security Modules) that are physically designed to have the keys be impossible to extract to plaintext, and also to erase said key upon demand.

If China were to retain those keys, they would need to first physically attack the HSM in question (not impossible but generally very tricky)... or configure their HSMs to never actually delete keys. Both aren't impossible. However, as far as I know, Apple's E2EE encryption creates new keys, that have never touched servers, for newly uploaded material (though I could be incorrect on that point). If so, even if China had some way to retain key material, it would only unlock material uploaded before ADP was enabled.

EDIT: Apple states:

"Second, the device initiates the removal of the available-after-authentication service keys from Apple data centers. As these keys are protected by iCloud HSMs, this deletion is immediate, permanent, and irrevocable. After the keys are deleted, Apple can no longer access any of the data protected by the user’s service keys. At this time, the device begins an asynchronous key rotation operation, which creates a new service key for each service whose key was previously available to Apple servers. If the key rotation fails, due to network interruption or any other error, the device retries the key rotation until it’s successful.

After the service key rotation is successful, new data written to the service can’t be decrypted with the old service key. It’s protected with the new key which is controlled solely by the user’s trusted devices, and was never available to Apple."

Also, if you disable ADP:

"The device uploads both the original service keys, generated before Advanced Data Protection had been turned on, and the new service keys that were generated after the user turned on the feature."

https://support.apple.com/guide/security/advanced-data-prote...
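
The key custody sequence quoted in the comment above, modeled as an added example (not part of the comment and not Apple's code). The `Account` class, the toy SHA-256 stream cipher standing in for real authenticated encryption, the sample plaintexts, and the assumption that records written before rotation are not re-encrypted are all constructed for illustration.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # Toy SHA-256 counter keystream; a stand-in for a real AEAD, not Apple's cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce, ct, hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, record):
    nonce, ct, tag = record
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key (or tampered record)
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Account:  # hypothetical model of one service's keys and stored records
    def __init__(self):
        self.device_keys = [secrets.token_bytes(32)]  # held by trusted devices
        self.server_keys = list(self.device_keys)     # before ADP: also held server-side
        self.records = []
    def write(self, data):
        self.records.append(seal(self.device_keys[-1], data))
    def enable_adp(self):
        self.server_keys.clear()                          # key removal from the data center
        self.device_keys.append(secrets.token_bytes(32))  # rotation: new key never uploaded
    def disable_adp(self):
        self.server_keys = list(self.device_keys)         # original and new keys uploaded

def readable_with(keys, records):
    # Plaintexts recoverable by a party holding exactly these keys.
    return [pt for r in records for k in keys if (pt := unseal(k, r)) is not None]

def scenario():
    acct = Account()
    acct.write(b"photo uploaded before ADP")
    retained = list(acct.server_keys)  # hypothetical copy that survived the deletion
    acct.enable_adp()
    acct.write(b"note written after ADP")
    server_view = readable_with(acct.server_keys, acct.records)
    retained_view = readable_with(retained, acct.records)
    acct.disable_adp()
    return server_view, retained_view, readable_with(acct.server_keys, acct.records)

if __name__ == "__main__":
    print(scenario())
```

`scenario()` returns three views: what the server can read with ADP on, what a retained pre-ADP key can read, and what the server can read after ADP is turned off again.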


Do they explicitly state this is the implementation for their Chinese customers as well?



