All That Is Gold Does Not Glitter

On May 25, Apple opened its first Data Center (DC) in the province of Guizhou, southwest of China. This means that from now on, Apple "stores the personal data of its Chinese customers on computer servers run by a state-owned Chinese firm." This has been very controversial given the calls of different organizations and human rights defenders. As we will see, they report that Chinese Apple users face potential abuses and intrusions into privacy by the Chinese government. In this post, we explain why they say so and what the controversy consists of.

This Apple-China project has been underway for more than three years, as in 2017, Apple signed a $1B agreement to build its first DC. Chinese employees are the ones who physically control the computers. The Chinese government will store the digital keys used "to unlock the data stored." According to a lengthy New York Times (NYT) report, such assignments would imply that "Apple abandoned the encryption technology it used elsewhere after China would not allow it." In fact, in their report, NYT insists that "China is making Apple work for the Chinese government." Apple would be collaborating with censoring thousands of applications "including foreign news outlets, gay dating services, and encrypted messaging apps."

The same NYT report argues that it would be almost impossible to prevent the Chinese government from having "access to the emails, photos, documents, contacts, and locations of millions of Chinese residents." These signed agreements are coordinated with the Personal Information Protection Law (PIPL). PIPL regulates "the collection, storage, use, processing, transmittal, provision, and disclosure (collectively, ‘handling’) of personal information by ‘organizations and individuals’" in China.

The problem comes in determining what limits a government should have to intervene in the storage and collection of information. The Chinese government’s justification for intervening in privacy in this way is to protect itself from "growing threats such as hacking and terrorism." Yet, the implementation of these policies is highly intrusive. Human Rights Watch stated in one of their latest communiques that it was "a regressive measure that strengthens censorship, surveillance, and other controls over the Internet." But why does opening a DC in a country like China make all this intervention possible?

The heart of the matter relies on how data storage works and whether a government could access that information by having DC in its territory.

Storing digital information means saving a collection of bits and bytes. A bit is a binary digit, the minimum unit of data measurement. All cyber information is stored and transmitted in bits. Bytes are ordered sets of bits: exactly eight bits (the reason they are eight and no more or fewer bits is more historical than technical). Those bytes are the minimum unit of data processed by a computer.

When those bits and bytes, digital information, are collected and retained, we talk about data storage. For the storage process, you need a physical repository or a memory cell. Physically a memory cell is the junction of a transistor and a capacitor, but virtually it represents a bit of data. Data Center (DC) is a physical facility that stores countless memory cells, hardware designed to store those bits.

By outsourcing the DCs, companies store their data using cloud storage (CS). CS is characterized by the abstraction, pooling, and sharing of storage resources through the internet. It does not require a direct connection to the storage hardware. Thus, one company can operate from Colombia, while the hardware that stores its information remains in the United States. Because it is faster to retrieve and store data on a local CPU than over a network, companies with monetary, human, and technical resources usually have their own DC. That’s the Apple case.

Apple manages its own DC and offers users its own CS system. Their DC is called iCloud, and Apple manages its security. In this regard, Apple maintains on its privacy page that, for example, when a credit card is added or used as a payment method, "a unique Device Account Number is created, which is encrypted in a way that Apple can’t decrypt and stored in the Secure Element of your device."

Apple can manage all its users’ information on its own servers, except in China. Specifically, with the launch of its database in Guizhou, Apple asked its Chinese customers "to accept new iCloud terms and conditions that list GCBD (Guizhou-Cloud Big Data) as the service provider and Apple as ‘an additional party.’" That is, GCBD "governs your use of the iCloud product, software, services, and websites."

The primary provider is "a company owned by the provincial government," in other words, the one in charge of managing Apple users' information is the Chinese government itself. That same government "requires network operators to store select data within China and allows Chinese authorities to conduct spot-checks on a company’s network operations."

What is worrying is how that information will be managed. In 2016 it was announced the adoption of the Personal Information Protection Law of the People’s Republic of China (read the translation here). In the face of this type of measure, several rights advocates have spoken out against it.

Apple’s Chief Executive, Tim Cook, has repeatedly said the data is safe. In addition, the company is aware that there are rules that generate discomfort to the international community and to the company’s own interests. Still, Apple said: "we believe in engaging with governments even when we disagree." At the beginning of the negotiations with China, Apple justified the opening of that DC by saying that its construction "will allow us to improve the speed and reliability of our products and services while also complying with newly passed regulations."

When considering the economic factor that Apple’s entry into the Asian giant has represented, the reasons for its pact seem more straightforward. Following its agreement with China, the country has accounted for 15% of Apple’s revenue. That percentage translates into a bizarre figure when you consider that it is the only company in the world with a turnover higher than $2 trillion in 2020. This has made it the company with the highest revenue globally, well above Google, Microsoft, Amazon, and Facebook, who are vying for the top 5 according to Forbes.

The controversy can be summed up in Apple’s recognition that its profits have skyrocketed like never before, thanks to its entry into China. China has found Apple a great ally in "protecting" its citizens from the dangerous cyber world. While other companies see China’s requests as a translation of the old saying, "you shall not pass!" Apple interpreted it as a possibility to strengthen its finances. Only time will tell us how good the decision was.

We hope you have enjoyed this post!
At Fluid Attacks we look forward to hearing from you.
Contact us!