Apple iCloud Data in China is Being Stored By a State-Run Telco

Six months ago Apple caused controversy by announcing its intentions to move Chinese users' iCloud keys out of the US and into China, in order to comply with Chinese law. From a report: Now, that data, which includes emails, text messages and pictures, is being looked after by government-owned mobile operator China Telecom. And users and human rights activists alike have big concerns. The move has unsurprisingly been praised by state media, with Chinese consumers being told they can now expect faster speeds and greater connectivity. But as comments on Weibo (China's equivalent of Twitter) reveal, users have major privacy worries, claiming the government -- known for its extreme citizen surveillance methods -- will now be able to check personal data whenever it wishes.

Everything in China is a JV with the state

[kriston]

Don't we all now know that every non-domestic company in China is a joint venture with the state?

Re:Everything in China is a JV with the state

[ShanghaiBill]

China requires a member of the Party and the government to be on every corporate board.

This is only true for public companies. Most Chinese corps have no such requirement. My spouse is a director on the board of a Shanghai based private corporation, and they have no board members from the government, and no party member, although my spouse is an ex-member, who lost her membership when she became a US citizen.

Also, being a "member of the party" does not imply any loyalty or ideology. Most members joined to advance their careers. The application process is fairly rigorous, but there are still tens of millions of members.

In America, we have many political parties (although only two with real power), so you can join the one that is most aligned with your beliefs and interests. In China, there is only one party, so it encompasses every possible ideology. Some members are hardcore Marxists, others are free market libertarians, along with everything in between.

Re:

[Obfuscant]

In China, there is only one party, so it encompasses every possible ideology.

That's like saying if there were only one model of car, everyone would like that model of car.

While the PEOPLE who join the party for non-political purposes may have any number of philosophical ideals, the party itself does not. It does not "encompass" every ideology, but it may barely tolerate members who do.

That's the problem. How far do they go in tolerating them?

Re:

[giggleloop]

Far better to have two models of car. Then the drivers don't need to care about their own car, they just have to hate everyone driving the other model.

Re:

[Obfuscant]

There are many more than two models of cars. The only reason you rarely see anything but those two is because there aren't enough people buying the others to create a significant presence.

This system is infinitely better than a one-car system where you must drive that model and if you complain about it you go to prison. Note that you are quite free to complain because you think there are only two models here and yet you have no fear of being abducted in the middle of the night and taken to political prison

Re:

[ShanghaiBill]

That's like saying if there were only one model of car, everyone would like that model of car.

No. It's like saying if there were only one model of car, everyone would drive it, whether they like it or not.

Re:

[Obfuscant]

No. It's like saying if there were only one model of car, everyone would drive it, whether they like it or not.

The PARTY does not change because people joining it believe something else. The PARTY is not driven by the people, it is driven by the leaders of the party. The Chinese Communist Party is not a democracy, nor is it egalitarian. E.g., if a Falung Gong believer joined the Chinese Communist Party, the Chinese Communist Party would not encompass Falung Gong, it would still try to eliminate it, and would kick him out as fast as he is identified. This is clearly NOT a party that encompasses a wide range of memb

Re:

[crimson tsunami]

Now, perhaps you are confused because in the US the political parties ARE member-driven in large part, because the parties are seeking VOTES from those members -- which provides a great deal of democracy in the direction the party goes.

Hillary...

Re:

[ShanghaiBill]

the party itself does not. It does not "encompass" every ideology

Have you ever been to China? There are HUGE differences in how different regions are governed. Shanghai, which is more prosperous than much of Europe, is governed very differently than Harbin (China's Detroit).

but it may barely tolerate members who do.

Bo Xilai was dismissed from the communist party for advocating ... communism.

Re:

[Obfuscant]

There are HUGE differences in how different regions are governed.

There is a big difference between how regions are governed and the communist party encompassing all ideologies.

Bo Xilai was dismissed from the communist party for advocating ... communism.

Proving my point for me. They did not tolerate his version of communism so they threw him out. Tell me again how the communist party encompasses all ideologies. Ask Bo if he thinks his ideology was "encompassed".

Re:

[buravirgil]

That's like saying if there were only one model of car,...

Slashdot would have less than zero analogies?
 

Re:

[cfalcon]

> In China, there is only one party, so it encompasses every possible ideology. Some members are hardcore Marxists, others are free market libertarians, along with everything in between

So the selling point is that a libertarian has to join the communist party? Super duper...

Re:

[ShanghaiBill]

So the selling point is that a libertarian has to join the communist party?

No. No one "has" to join the CCP. The vast majority do not.

Re:

[Obfuscant]

No. No one "has" to join the CCP. The vast majority do not.

Why would a libertarian not join a party that encompasses his ideology? Unless, of course, the party actually doesn't.

Now, the only way I know that one party can encompass contradicting ideologies is if the ideologies aren't important to the party. It's like a US political party encompassing people who have blond hair as well as redheads and brunettes. Hair color is not important. But to say that the Chinese Communist Party would find the principles of libertarianism to be unimportant in its role as the o

Next up

[ruddk]

How long before we see:”US customers had their iCloud data stored in China by mistake” :D

Re:

[110010001000]

Exactly. As RMS said: the only way to secure data is not to collect it in the first place.

Re: Next up

[saloomy]

My understanding with apple's ecosystem, especially around messages and account details, is that the company doesn't hold the decryption keys. Each device creates a public/private key pair, the private keys are stored on device, the public keys are in an API you draw from to send a message to each of the recicioente devices. The downside to this form of communication is each outbound message has to be encrypted and transmitted multiple times (matching the device count of the recipient).

Therefore, it doesn't matter who has the data, as long as the government hasn't secretly cracked the form of encryption Apple uses, and they really never receive the private keys, which would otherwise be subject to subpoena.

Re:

[110010001000]

The problem with that is: you don't know. The system is closed to you. They could have open access to anyone who pays for it (or government). Maybe it can be decrypted. Maybe it can be decrypted in the future when flaws are discovered. The best idea is not to collect it in the first place.

Re: Next up

[saloomy]

I agree that would be the best idea, if data security was your end goal. But that is not the end goal. The end goal is to provide a service that has to work even when your phone is off. They need to store/forward those messages. Any semi-competant techie will tell you the same thing. So, given as to how they need to store your messages to deliver to your devices that come online later, they have IMHO come up with a pretty clever solution: iOS Security [apple.com]. This states the level of encryption, the storing of private keys, and the methods and processes.

Can this be cracked in the future? Yes. Should you then just destroy all services that require online storage of sensitive data? No. You implement the best techniques you know how, and improve when life teaches you.

Re:

[110010001000]

No the end goal is provide a service so they can sell the data they are sucking in when they store your information. You are so naive. They aren't providing these cloud services for free for no reason!

Re: Next up

[bursch-X]

Apple is providing services and tools to sell their hardware. If you haven't noticed, that's their main business. They don't need to make any money on their messages platform as l long as it keeps users tied to their platform and makes new users buy and enjoy their hardware. It's a marketing tool to sell Apple devices, not to sell ads, you tool.

Re: Next up

[Bing Tsher E]

It's marketing hype to sell gadgets with a huge markup, sukkas. Apple doesn't care about your privacy any more than Microsoft or Oracle do.

Re:

[ShanghaiBill]

The problem with that is: you don't know.

Do you believe that corporations are run by greedy bastards? If yes, then most likely your data is safe. If Apple was secretly collecting the keys and passing them on to the government, many people, both at Apple and in the government, would know about it. This knowledge would eventually leak. It would be a HUGE PR disaster for Apple, and cost them billions and billions in lost customers and lawsuits.

Re:

[omfglearntoplay]

Do you also believe that at least one techie at Apple could have backdoored/stolen/worked with a foreign government secretly? Just how many Chinese born workers are at Apple, by the way? Now maybe Apple has so many layers of checks this wouldn't happen for a long time. Or maybe not, I don't know.

Reality is, I'm not sure there is anybody to trust over Apple with phone data. I hope they aren't screwing everybody over. And you are right, it would be a PR nightmare if they were and got caught.

Re:

[DogDude]

How did you come about this "understanding"? My understanding is that Apple sells all of your data to anybody and everybody. As per their privacy policy [apple.com]:
Apple shares personal information with companies who provide services such as information processing, extending credit, fulfilling customer orders, delivering products to you, managing and enhancing customer data, providing customer service, assessing your interest in our products and services, and conducting customer research or satisfaction surveys. Th

Re:

[saloomy]

You are incorrect sir. The data they specify is stuff like your shipping address (which they need if you buy something like a picture book). To learn about Messages security: read from the horses mouth: iOS Security [apple.com].

Re:

[110010001000]

How do you know this? You are taking their word for it. You can't be that naive.

Re:

[saloomy]

You can stand up a device and wire-shark it. In fact many in the security industry probe solutions like this all the time to try and make a name for themselves. If/when someone finds something untrue, they publish it to become famous, collect bounties, and become expert consultants at ridiculously high rates. Also, this is a document sighted in many court cases and if Apple lied about it, it would ruin their business and expose them to untold levels of liability. Plus, you can look into their financials and

Re:

[110010001000]

You can't wireshark encrypted communications. Plus you have no idea what they are doing on the server side. Ridiculous.

"Besides, do you run NO software that isn't open source and you haven't read through the source?"

Correct. I don't. You shouldn't either. I trust Open Source much more than I trust Apple. You should too.

Re: Next up

[Bing Tsher E]

The firmware in your keyboard is open source? The firmware in the multiple processors in your hard drive is all open source? The firmware in all your wi-fi devices and interfaces is all open source?

Re:

[tsa]

And you checked all of that for errors and back doors? If so, where do you find the time to earn a living?

Nope.

[DogDude]

Also from the privacy policy:

we may collect a variety of information, including your name, mailing address, phone number, email address, contact preferences, device identifiers, IP address, location information and credit card information.

Re:

[saloomy]

Show me where it says private messages again? Or Device Keys for that matter?

Re:

[110010001000]

The point is YOU DON'T KNOW.

"we may collect a variety of information"

They could be doing anything.

Re:

[saloomy]

You do know. Its right there in their security document. If you don't believe them, wireshark or reverse it and prove otherwise.

Its a shitty argument to say "I dont believe them, just because it sounds wrong to me."

Re:

[dgatwood]

My understanding with apple's ecosystem, especially around messages and account details, is that the company doesn't hold the decryption keys. Each device creates a public/private key pair, the private keys are stored on device, the public keys are in an API you draw from to send a message to each of the recicioente devices. The downside to this form of communication is each outbound message has to be encrypted and transmitted multiple times (matching the device count of the recipient).

Therefore, it doesn't matter who has the data, as long as the government hasn't secretly cracked the form of encryption Apple uses, and they really never receive the private keys, which would otherwise be subject to subpoena.

That depends on whether "the data" includes the set of authorized keys. Otherwise, it could matter a great deal, at least for future communication.

Re:

[AHuxley]

That would make a PRISM hard. PRISM was not hard and no police are now calling for the ban on the use of an entire brand of devices.
Security forces are happy. Police are happy. The beard is selling without questions by governments.
Also consider how many governments around the world do that "subject to subpoena." part.
To be allowed in the brand has to assure that nations security services that the product is subpoena supporting.

Re:

[SeaFox]

How long before we see:”US customers had their iCloud data stored in China by mistake” :D

Uh, that already happened [newsweek.com].

Re:

[ayesnymous]

Maybe better there than on servers NSA can access?

Well?

[DontBeAMoran]

What did you expect? This is China.

Imagine companies had all their servers somewhere in Europe instead of the U.S.A. It's easy to imagine that the FBI, CIA, NSA and other three-letters-agencies would demand companies to have servers in the U.S.A. "for the security of its citizens".

Same thing here, different point of view.

Re:

[the_B0fh]

That has nothing to do with the government copying and monitoring all your traffic. *peeks over at that yellow room door*

Just like the USA ...

[PPH]

... threw a hissy-fit when e-mail stored overseas wasn't made available to law enforcement.

China, welcome to the club.

Re:

[PPH]

You aint on CompuServe no more.

That's Compu-Serv.

Re:

[Desler]

So what you're saying is Apple is no different than pretty much all corporations? How insightful!

iMistake

[Rick Schumann]

So in other words if you have an iPhone in China, whether anyone can beat the unlock password out of you or not is a moot point because the State already has all your data in it's posession?

Re:

[Arkham]

So in other words if you have an iPhone in China, whether anyone can beat the unlock password out of you or not is a moot point because the State already has all your data in it's posession?

They have the data, but it's encrypted by the phone. Unless they somehow learned to crack modern encryption, then they cannot look at the data.

I guess it's possible that in China they've added another encryption key to the mix, but I doubt it.

Re:

[Rick Schumann]

Do you really think the Chinese government would stand for being locked out of anything within it's borders? They've either made a hush-hush deal with Apple to 'allow' them to operate in China under those conditions, or they've cracked it already. Or maybe they just do beat the shit out of anyone whose iPhone they want unlocked, beat them daily, threaten their families, and so on, until they get what they want, not like it's a stretch of the imagination in their case.

Re:

[Obfuscant]

Unless they somehow learned to crack modern encryption, then they cannot look at the data.

I seem to recall a recent case where the US government wanted Apple to decrypt someone's iPhone for them so it could be used in a court of law as evidence, and Apple (and every other smart person) laughed at them for even thinking it could be done. Absolutely impossible.

And then someone in Israel came and did it.

I also seem to recall being told how secure "modern encryption" was, and now I cannot even use those forms of encryption because they aren't secure.

I guess it's possible that in China they've added another encryption key to the mix, but I doubt it.

Of course they haven't. And of course Apple wi

Important - Govts control Market Access

[sasparillascott]

This is a warning on why its foolish to count on for profit companies to guard your privacy (or anything else that might be "profitable"). Governments always control market access and in the end, if they are bad, they will make the tech in the country bad as well.

Hard to believe, but given an unexpected turn of events and the election of a tyrant as a President, throw in a compliant legislature and this kind of collusion could be forced in the U.S.. Current President isn't interested in this so we, t

Re: Important - Govts control Market Access

[bursch-X]

Heartbleed 2.5 years undetected gaping security hole, Shellshock 25 years... Security by obscurity is just as unreliable as open-source, more eyes only makes bugs shallow, if those eyes are competent and actually looking [enterprise...planet.com]

Re: NSA is pissed

[Bing Tsher E]

We have 911 in the US and the one time I had to call it (the field behind our house was burning) the operator was pretty fumbly and borderline incompetent. Which is actually a little reassuring. Snap-action government might seem like a good thing but we all, uniformly, have to die sometime, and compromising how you get to live doesn't change that.

Why the faux outrage?!

[DatbeDank]

Sorry, but you'd have to be a dumb ass to assume anything in China is private!

Just like assuming digital assistants aren't passing your recorded conversations to the NSA.

You do business in China, don't assume you have any privacy for trade secrets or even thought crime.

The idiocy of people astounds me.

Big whoop

[ArchieBunker]

Data stored in "the cloud" can be read by whoever runs the cloud, Fucking shocked.

I believe they don't have enough keys

[izzo nizzo]

I don't think the iCloud keys mentioned are enough to fully decrypt the messages.

After all, our iMessage data can't be decrypted by Apple even though they presumably store the equivalent keys to what has been transferred. It's a multi-key encryption technique.

In order to access iMessage data, or anything else locked to the phone, you'd still have to either spoof the biometrics (Touch ID or Face ID) or go in through GrayKey.

China may one day get access to those messages, but they haven't got it yet

If Apple encrypted the data

[ayesnymous]

it wouldn't matter where the data was stored.