Recent investigations by The New York Times and The Information have highlighted how Apple handed access to Chinese users’ iCloud data to a state-owned enterprise, while its suppliers are suspected to have participated in forced labor programs in Xinjiang. The two reports, especially the NYT investigation into Apple’s data storage practices, have attracted particular attention in light of Apple’s high-profile efforts to present itself as an industry leader in privacy protection. The New York Times’ Jack Nicas, Raymond Zhong, and Daisuke Wakabayashi reported on Apple’s “hard bargain” in China:
In China, Apple has ceded legal ownership of its customers’ data to Guizhou-Cloud Big Data, or GCBD, a company owned by the government of Guizhou Province, whose capital is Guiyang. Apple recently required its Chinese customers to accept new iCloud terms and conditions that list GCBD as the service provider and Apple as “an additional party.” Apple told customers the change was to “improve iCloud services in China mainland and comply with Chinese regulations.”
The terms and conditions included a new provision that does not appear in other countries: “Apple and GCBD will have access to all data that you store on this service” and can share that data “between each other under applicable law.”
[…] But the iCloud data in China is vulnerable to the Chinese government because Apple made a series of compromises to meet the authorities’ demands, according to dozens of pages of internal Apple documents on the planned design and security of the Chinese iCloud system, which were reviewed for The Times by an Apple engineer and four independent security researchers.
The documents show that GCBD employees would have physical control over the servers, while Apple employees would largely monitor the operation from outside the country. The security experts said that arrangement alone represented a threat that no engineer could solve. [Source]
In 2017, China’s cybersecurity law imposed new requirements for data localization, forcing many non-Chinese tech firms to shift their Chinese users’ data into domestic data centers. Apple complied, and its decision to store encryption keys protecting user accounts inside China was subsequently reported in 2018. The Times’ report sheds new light on the extent to which Apple has apparently ceded control of its data to its Chinese state-owned counterparts. It also includes the revelation that the Chinese government rejected specialized hardware security modules used elsewhere, forcing Apple to create different devices specifically for China.
Not only is Apple being forced to move Chinese citizens’ HSMs to China, China specifically refused to certify the Thales HSMs. This is actually pretty fascinating.
— Matthew Green (@matthew_d_green) May 17, 2021
So Apple responded by designing and building their own HSMs, based on the Apple TV platform. Presumably these include secure processors like the T2 chip in MacBooks. But this isn’t “high end HSM” hardware.
— Matthew Green (@matthew_d_green) May 17, 2021
Let’s keep in mind that Apple is going to be deploying these new HSMs in a facility that they do not own or operate. They’ll be placing these inside of a cage at a state-owned cloud provider. Which means that the Chinese government will have significant physical access.
— Matthew Green (@matthew_d_green) May 17, 2021
What’s interesting about this change is that (to the best of my knowledge) your iCloud country registration can be changed by anyone who has your iCloud password.
What happens to my data if someone changes my registration to China?
— Matthew Green (@matthew_d_green) May 17, 2021
Also shown in the Times’ investigation are numerous ways in which Apple has compromised on free speech and freedom of information in order to comply with Chinese government censorship demands, even going so far as to fire an employee who broke policy by approving an app made by CCP critic and misinformation peddler Guo Wengui. Jack Nicas summarized the other key findings in a separate article for The New York Times:
Apple has created an internal bureaucracy that rejects or removes apps the company believes could run afoul of Chinese rules. Apple trains its app reviewers and uses special software to inspect apps for any mention of topics Apple has deemed off limits in China, including Tiananmen Square, the Chinese spiritual movement Falun Gong, the Dalai Lama, and independence for Tibet and Taiwan.
[…] In 2018, China’s internet regulators ordered Apple to reject an app from Guo Wengui, a Chinese billionaire who had broadcast claims of corruption inside the Communist Party. Top Apple executives then decided to add Mr. Guo to Apple’s “China sensitivities list,” which meant software would scan apps for mention of him and app reviewers would be trained to reject his apps, according to court documents.
When an app by Mr. Guo later slipped by Apple’s defenses and was published to the App Store, Chinese officials contacted Apple wanting answers. Apple’s app review chief then sent colleagues an email at 2:32 a.m. that said, “This app and any Guo Wengui app cannot be on the China store.” Apple investigated the incident and later fired the app reviewer who had approved the app.
[…] Since 2017, roughly 55,000 active apps have disappeared from Apple’s App Store in China, with most remaining available in other countries, according to a Times analysis. [Source]
1/ Apple is a gatekeeper: both sellers and consumers rely on it. Its size has a significant impact on both users and smaller service providers - apps that don't list on its App Store will have no takers at all. Its decision has far-reaching impacts. https://t.co/TENypSTpZQ
— Chung Ching Kwong (@chungchingkwong) May 18, 2021
3/ Apple is cracking down on its users' fundamental freedoms and rights, not just in China. In 2021, ProtonVPN said that Apple is blocking updates, just days after the UN said that people in Myanmar should use Proton apps during a military coup. https://t.co/KSxOXXapEF
— Chung Ching Kwong (@chungchingkwong) May 18, 2021
In recent weeks, Apple has also come under fire following a separate investigation into the use of forced labor in its supply chain. The Information’s Wayne Ma reported that at least seven Chinese suppliers were suspected of using forced labor to manufacture components for Apple and over a dozen other major companies, including Amazon, Google, Microsoft, Facebook, Dell, BMW, Volkswagen, and more:
The Information and human rights groups have found seven companies supplying device components, coatings and assembly services to Apple that are linked to alleged forced labor involving Uyghurs and other oppressed minorities in China. At least five of those companies received thousands of Uyghur and other minority workers at specific factory sites or subsidiaries that did work for Apple, the investigation found.
[…] To identify the Apple suppliers that appear to be involved with forced labor, The Information and two human rights groups uncovered previously unreported public statements, photos and videos by Chinese local government offices and state-run media describing the companies’ participation in the poverty alleviation programs. Local officials tout their involvement in the labor programs because they are eager to prove to Communist Party leaders in Beijing that they are helping to meet a nationwide goal to “deradicalize” Xinjiang and lift it out of poverty. Some of the official statements and videos show that these workers received nationalist ideological training and special escorts. In at least one case, the escort was from a special police tactical unit, the equivalent of a SWAT officer.
Researchers say the government-run labor programs bear many of the hallmarks of coercive labor. The workers, who are primarily Uyghurs, are sent to factories in groups and closely monitored for the duration of their employment, which can last months or years. They don’t return home for public holidays. They are segregated from other workers, participate in patriotic activities like flag-raising ceremonies and take Mandarin language classes. [Source]
Last year, Apple was reported to be one of several U.S. multinationals lobbying to water down the Uyghur Forced Labor Prevention Act, a bill that would bar the import of goods made “in whole or in part” in Xinjiang unless companies could prove that their goods were not produced using forced labor. (This characterization was challenged by other coverage.)
Scrutiny of the gap between Apple’s word and its Chinese practices comes amid an ongoing debate about the complicity of U.S. tech companies in human rights abuses and the construction of China’s burgeoning surveillance state, an issue that has become more pressing in recent months following several other journalistic investigations. In February, The Intercept’s Mara Hvistendahl reported on Oracle’s role in supplying Chinese law enforcement with analytics software to process surveillance data, an investigation that led to her being targeted and doxxed by an Oracle executive. In November 2020, The New York Times’ Paul Mozur and Don Clark reported on the role of Nvidia and Intel hardware in Xinjiang’s vast “cloud computing centers” used to analyze the invasive surveillance data collected on the region’s residents.