[travisp]

Apple has not handed over the iCloud keys and has testified in the US under penalty of perjury that they have not done this and not made an exception for China. Repeating this is dangerous because it’ll cause people to take different (probably less safe and private) actions based on incorrect information.

[cynix]

> has testified in the US under penalty of perjury that they have not done this

Craig Federighi testified that he’s not aware of them doing it. That doesn’t preclude the possibility that it has been done by someone else in the company without his knowledge.

[travisp]

The possibility that someone in the company is secretly (how!?) providing the Chinese government access to the encryption keys is a wildly different claim. There is no evidence that Apple has done it, and an important executive has testified that they have not, and they've publicly stated they haven't, even if you want to speculate that it has happened.

[bduerst]

It's not a secret. Apple even made a statement to reuters at the start of the migration process where they tried to get iCloud as an exception but failed - "“While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,”

In early 2018, Apple forced their users to opt-in to migrating iCloud encryption keys and data to Chinese data centers:

https://www.reuters.com/article/us-china-apple-icloud-insigh...

Chinese government nationalized the data centers six months later, gaining access to all the encryption keys and user iCloud data at rest. Apple complied:

https://mashable.com/article/china-government-apple-icloud-d...

[travisp]

No, they still don't have access to the encryption keys, as reported after those articles you post:

"Encryption for us is the same in every country in the world...We worked with a Chinese company to provide iCloud, but the keys [...] are ours...I wouldn't get caught up in 'where's the location of it,' I mean we have servers located in many different countries in the world. They're not easier to get data from being in one country versus the next...The key question is how does the encryption process work, and who owns the keys — if anyone. In most cases for us, you and the receiver [of a message] own the keys." - Tim Cook

(https://www.businessinsider.com/tim-cook-apple-encrypts-data...)

Apple is specifically stating that they have retained control over the encryption keys.

[bduerst]

Nothing in that quote backs up your statement.

Tim Cook is describing how encryption works - he is not saying that the Chinese government doesn't have access to the data at rest with the iCloud encryption keys. Amnesty International [1] sums it up:

>“By handing over its China iCloud service to a local company without sufficient safeguards, the Chinese authorities now have potentially unfettered access to all Apple’s Chinese customers’ iCloud data. Apple knows it, yet has not warned its customers in China of the risks.”

They raised this issue three full months before the Chinese government went ahead and nationalized all of the Apple user data and encryption keys.

[1] https://www.amnesty.org/en/latest/news/2018/03/apple-privacy...

[travisp]

I agree there are reasons to be concerned overall, but Tim Cook is very clearly stating in this interview, which happened after the nationalization, that 1) China doesn’t have access to the encryption keys themselves and 2) for much of the data (like messages) not even Apple has the keys, 3) China is not able to access the data any more easily than any other country.

If you are targeted by the CCP, then yes, they can make a “legal” request for the data of an individual that Apple is able the decrypt (which isn’t all of it), but they aren’t able to apply mass surveillance to the iCloud data.

[chance_state]

Yes, they have.

https://support.apple.com/en-us/HT208351

Can you link to a source showing that Apple didn't turn over control of iCloud in China to the CCP?

[travisp]

That link does not show that they've given control over encryption to the CCP. Apple is on record stating that they have not done this.

"Encryption for us is the same in every country in the world...We worked with a Chinese company to provide iCloud, but the keys [...] are ours...I wouldn't get caught up in 'where's the location of it,' I mean we have servers located in many different countries in the world. They're not easier to get data from being in one country versus the next...The key question is how does the encryption process work, and who owns the keys — if anyone. In most cases for us, you and the receiver [of a message] own the keys." - Tim Cook

(https://www.businessinsider.com/tim-cook-apple-encrypts-data...)

[chance_state]

Very interesting; thanks for sharing.

[skrowl]

https://money.cnn.com/2018/01/10/technology/apple-china-iclo...

Not only has Apple given the iCloud keys to the kingdom to China, iCloud is actually run by the state in China

[travisp]

The article is misleading. Apple has not given the iCloud encryption keys to the Chinese government. As far as I'm aware, there is currently no evidence that the Chinese government is any more capable of accessing iCloud data than any other government.

From a later article from the same source, Apple states: "Apple has not created nor were we requested to create any backdoors and Apple will continue to retain control over the encryption keys to iCloud data"

https://money.cnn.com/2018/02/28/technology/apple-icloud-dat...

I'm not saying it's not concerning, and China can still request a particular users data, but let's be accurate.

[lern_too_spel]

From the iCloud user agreement in China:

"You understand and agree that Apple and GCBD [emphasis added] will have access to all data that you store on this service."

https://www.apple.com/legal/internet-services/icloud/en/gcbd...

GCBD, a state-owned company, certainly gives the Chinese government the ability to see all iCloud data. It is technically true that if the Chinese government sends a data request to Apple, Apple can try to push back within the legal system, but why would they send a data request to Apple when they can get unfettered access from GCBD?

As far as who controls the keys for decrypting iCloud data at rest, I cannot believe that Chinese iCloud data would be sent encrypted to Apple's servers outside of China to be encrypted for rest with Apple-controlled keys and sent back to GCBD servers for storage and then sent to Apple's servers outside of China for decryption after verifying it is a user authorized request and back encrypted for the user when the user requests the data (and the same for all operations on the data like indexing). The keys absolutely must exist in China under GCBD's control.