The Devil is in the Details
Apple has agreed that the encryption keys for iCloud user accounts for Chinese persons will be stored in China, as Reuters reported today.
If you aren’t familiar with Chinese law and the situation around this, this may seem relatively innocuous: a company is doing business in a country, and complying with that country’s local laws. What’s significant about this is that it represents a major change in how legal process works.
Under most countries’ laws, people have some kind of rights around their own information. The government has the right to demand such information subject to things like subpoenas and warrants; those have to be signed by judges, and the recipient of one of them can immediately go to the judge and contest them, as well as contest the use of any evidence derived later based on evidence collected illegally. That is, there’s legal process between governments and people’s data — and companies which deal in user data fight this process aggressively, because their users’ trust ultimately depends on it.
To deal with multiple countries’ legal systems, most companies host the most critical data in some rule-of-law state (i.e., a country where similar laws apply), and so both the laws of the country asking for the information and the laws of the country hosting the information can potentially act as legal barriers to releasing the data. This is a kind of legal “defense-in-depth” which largely prevents governments from just seizing any data they want, singly or en masse.
We Do Things Differently Here
China, however, is one of the countries which works under a fundamentally different system, in a few key ways.
(1) The basic principle of Chinese privacy law is that the underlying owner of all information about people (and the underlying owner of everything else, really) is the state. So while some laws come out similarly — e.g., laws about identity theft and so on involve misusing information to harm people — other laws are very different. The recent Cybersecurity Law, for example, says that nobody can export information about Chinese persons without the permission of the government — that is, all user data is presumptively property of the state and is subject to export controls. More importantly, as the owner of this information, the state has a nearly-unlimited right of access to it.
Closely related to this is the Chinese government’s perspective on the Internet itself. Essentially, it views the Internet as an extension of ordinary public space: and if you aren’t allowed to publish a book without being held accountable for what you said, why should you be allowed to publish something on the Internet without being held accountable?
(2) What does “nearly-unlimited” mean? One aspect is warrants; in most countries, warrants and the like have to be signed by an independent magistrate, and are subject to an entire review system. Under Chinese law, there are several legal signing authorities for a search warrant, including not only a broad range of government officials, but any two police officers. Furthermore, there isn’t a concept of a priori judicial review; you can’t go to a judge and demand that a subpoena for information be quashed when you receive it. Instead, you need to comply on the spot, and you can file any complaints you like later.
(3) As for the matter of filing complaints: the phrase “law” doesn’t really mean the same thing that it does in places like the US or EU. Officials of the State and the Party have tremendous legal leeway; “filing a complaint” is ultimately more of a social process than a legal one, trying to convince a more senior person to take your side. This is generally something that happens only if you have a very big bank of personal credit with them.
(4) Similar things apply to bulk requests for data, or things like continuous monitoring. You won’t get two cops showing up and asking you for a permanent continuous monitoring system on all user data which alerts them when someone does something potentially “antisocial;” you’ll get a senior government minister having a friend of his (who is probably on the board of your Chinese joint venture partner, which owns 51% of the company as required by law) suggest that such a project would increase social harmony.
They are very polite about these things, but the silk glove is around a mailed fist.
(5) The Chinese government’s view of who is under its jurisdiction may not quite align with other people’s view. They have a tendency to view Chinese nationals living anywhere, and those people’s children who are simply of Chinese heritage, as also being under their natural jurisdiction. This system doesn’t give them direct access to those people’s information… but making Chinese business economically material to Apple does give them Apple’s complete and undivided attention¹ when demanding that this information be handed over, as well.
(6) One persistent open question in this field is the extent to which the Chinese public is aware of the extent of government monitoring of cyberspace, and the extent to which people already modify their behavior to take this into account. It’s very hard to figure this out, because you can’t just go out and survey people about it. (The surveyors, and anyone foolish enough to talk to them, would very quickly end up in prison; you do not talk about government surveillance. To discuss such unpleasant necessities impugns the state, and so damages social cohesion.) Chinese people living outside of China, who are more willing to talk about it, tend to also be very nonrepresentative of the population as a whole; very few peasants-turned-factory-workers end up living in California.
I strongly suspect that public understanding of the extent of monitoring is actually quite limited — the mental model of the Internet required to understand how everything you do on your phone (even if you’re alone at home) is going through servers all over the country, and what a monitoring system is like, requires a level of familiarity with the technology that you only get if you either work on it, or are part of a persistent public discourse about it, something which rather specifically hasn’t existed.
So it’s very likely, but very hard to know for certain, that the people most affected by this will not be aware and able to modify their behavior appropriately.
The Domino Effect: Beyond China
Other governments are watching this. You may have noticed that a number of Western governments’ commitment to the rule of law has become a wee bit more conditional in the past few decades. If more countries demand the same, then the cross-linked system of legal protections which is right now the main defense in depth against arbitrary legal demands suddenly falls apart: instead, data has to be stored in-country (“data location requirements,” as the EU tends to put it, “to ensure that we can appropriately protect our citizens’ privacy”) and is entirely subject to that government’s legal procedure — or lack thereof.
Those who remember the PRISM revelations and who were horribly shocked² to discover what US signals intelligence is up to should consider their own countries’ signals intelligence services. While the NSA is especially good at their job, I can tell you that the DGSE, GCHQ, BND, Unit 8200, SVR, and so on and so forth are no slouches either. Intelligence services tend to have views of the natural rights of access to information which are fairly similar across countries, and Chinese intelligence is in this respect no outlier.
Today, companies fight off requests by governments (and they do fight these, much harder than the public ever suspects!) to hand over data, provide them with wiretaps, or simply give them carte blanche access to everything by relying on layers of intertwined legal systems, each with precedents and norms of their own. Governments have been fighting these hard, and the demand that companies store all data about citizens and nationals in-country — or more to the point, subject to unilateral legal demands from that government, however that government chooses to define a “legal demand” — has been steadily increasing over the years. Companies have mostly been able to fight these off, both because they’re technically extremely difficult (and would require fundamental redesigns of the underlying systems, a good 5–10 years of work at best), and because they’re terrible for their users — but a high-profile concession like Apple’s undermines this.
All of which is to say: this sort of decision puts Chinese people who are using Apple products in danger today, but it may put far more people around the world in danger tomorrow.
¹ As in: “Q: What do you get when you have two small, fuzzy, green balls in your hand?” “A: Kermit the Frog’s complete and undivided attention.”
² As in: “I am shocked, shocked, to see that gambling is going on here.”