All That Is Gold Does Not Glitter

On May 25,
Apple opened its first Data Center (DC)
in the province of Guizhou, in southwest China.
This means that from now on, Apple
stores the personal data of its Chinese customers
on computer servers run by a state-owned Chinese firm.

This has been very controversial given the calls
of different organizations and human rights defenders.
As we will see,
they report that Chinese Apple users face potential abuses
and intrusions into privacy by the Chinese government.
In this post,
we explain why they say so and what the controversy consists of.

Hey China, think different!

This Apple-China project
has been underway for more than three years,
since in 2017 Apple signed a $1B
agreement to build its first DC.
Chinese employees are the ones who
physically control
the computers.
The Chinese government will store the digital keys used
to unlock the stored data.
According to a lengthy
New York Times (NYT) report,
such assignments would imply that
“Apple abandoned the encryption technology
it used elsewhere after China would not allow it.”
In fact, in their report,
NYT insists that “China is making Apple work for the Chinese government.”
Apple would be collaborating with censoring thousands of applications
“including foreign news outlets,
gay dating services, and encrypted messaging apps.”

Figure 1. Photo by Marija Zaric on Unsplash

What is the matter?

The same NYT report argues that it would be almost impossible to prevent the
Chinese government from having
“access to the emails, photos, documents, contacts,
and locations of millions of Chinese residents.”
These signed agreements are coordinated with the
Personal Information Protection Law
(PIPL).
PIPL regulates
“the collection, storage, use, processing, transmittal, provision,
and disclosure (collectively, ‘handling’)
of personal information by ‘organizations and individuals’” in China.

The problem comes in determining
what limits a government should have
to intervene in the storage and collection of information.
The Chinese government’s justification
for intervening in privacy in this way
is to protect itself from
“growing threats such as hacking and terrorism.”
Yet, the implementation of these policies
is highly intrusive.
Human Rights Watch stated
in one of their latest communiqués that it was
“a regressive measure that strengthens censorship,
surveillance, and other controls over the Internet.”
But why does opening a DC
in a country like China make all this intervention possible?

The heart of the matter lies in how data storage works
and whether a government could access
that information by having a DC in its territory.

Data storage: bits and bytes

Storing digital information means saving a collection of bits and bytes.
A bit is a binary digit,
the minimum unit of data measurement.
All cyber information is stored and transmitted in bits.
Bytes
are ordered sets of bits: exactly eight bits
(the reason they are eight and no more
or fewer bits is more historical than technical).
Those bytes are the minimum unit of data processed by a computer.

When those bits and bytes, digital information, are collected and retained,
we talk about data storage.
For the storage process, you need a physical repository or a
memory cell.
Physically, a memory cell is the junction of a transistor and a capacitor,
but virtually it represents a bit of data.
A Data Center (DC)
is a physical facility that houses countless memory cells,
hardware designed to store those bits.

Any company could have its own DC.
However, managing and verifying good maintenance
of that equipment is often cumbersome.
This is why it is common for that service to be outsourced.
Thus, DCs are usually managed by specialized companies.

iCloud

By outsourcing the DCs,
companies store their data using cloud storage (CS).
CS is characterized by
the abstraction, pooling, and sharing of storage resources through the internet.
It does not require a direct connection to the storage hardware.
Thus, one company can operate from Colombia,
while the hardware that stores its information remains in the United States.
Because it is faster to
retrieve and store data on a local CPU than over a network,
companies with monetary, human,
and technical resources usually have their own DC.
That is Apple’s case.

Apple manages its own DC and offers users its own CS system.
Their DC is called iCloud, and Apple manages its security.
In this regard, Apple maintains on its
privacy page
that, for example, when a credit card is added or used as a payment method,
“a unique Device Account Number is created,
which is encrypted in a way that
Apple can’t decrypt and stored in the Secure Element of your device.”

Guizhou-Cloud Big Data

Apple can manage all its users’ information on its own servers,
except in China. Specifically, with the launch of its database in Guizhou,
Apple asked
its Chinese customers
“to accept new iCloud terms and conditions that
list GCBD (Guizhou-Cloud Big Data)
as the service provider and Apple as ‘an additional party.’”
That is, GCBD “governs your use of the iCloud
product, software, services, and websites.”

The primary provider is
a company owned by the provincial government;
in other words, the one in charge of managing Apple users’
information is the Chinese government itself.
That same government
requires
network operators to store select data within China and allows Chinese
authorities to conduct spot-checks on a company’s network
operations.

Privacy risk and Apple response

What is worrying is how that information will be managed.
In 2016, the adoption of the
Personal Information Protection Law of the People’s Republic of China
was announced.
In the face of this type of measure,
several rights advocates have spoken out against it.

Apple’s Chief Executive, Tim Cook,
has repeatedly said the
data is safe.
In addition, the company is aware that there are rules
that generate discomfort to the international community
and to the company’s own interests.
Still,
Apple said:
“we believe in engaging with governments even when we disagree.”
At the beginning of the negotiations with China,
Apple
justified the opening of that DC
by saying that its construction
“will allow us to improve
the speed and reliability of our products
and services while also complying with newly passed regulations.”

Figure 2. Source: The New York Times

When considering the economic factor that Apple’s entry
into the Asian giant has represented,
the reasons for its pact seem more straightforward.
Following its agreement with China,
the country has accounted for
15% of Apple’s revenue.
That percentage translates into a bizarre figure when you consider
that it is the only company in the world with a turnover higher
than $2 trillion in 2020.
This has made it the company with the highest revenue globally,
well above Google, Microsoft, Amazon, and Facebook,
who are vying for the top 5
according to Forbes.

The controversy can be summed up
in Apple’s recognition that its profits have skyrocketed like never
before, thanks to its entry into China.
China has found in Apple a great ally in “protecting”
its citizens from the dangerous cyber world.
While other companies see China’s requests
as a translation of the old saying, “you shall not pass!”,
Apple interpreted them as a possibility to strengthen its finances.
Only time will tell us how good the decision was.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Zárate. Read the original post at: https://fluidattacks.com/blog/apple-data-center-china/