
I would urge you to read up on the Chinese cryptography law [1] which took effect on the 1st of this year. Essentially all companies foreign or not must provide unencrypted access to data to the Chinese government and must do so in secrecy. Prior to this, companies were being compelled to give up their data anyways but this just makes things easier.

By the way, the source below is an official Chinese government media source.

[1] http://www.xinhuanet.com/english/2019-10/26/c_138505655.htm



I've just read the article you linked [1], as well as several others [2][3][4], and cannot find any information about this:

> all companies foreign or not must provide unencrypted access to data to the Chinese government and must do so in secrecy

either plainly stated or implied.

Can you provide a source for this claim? I don't doubt that this may occur, but I'd like to speak with _my own_ managers about my china & encryption concerns in an informed way.

[1] http://www.xinhuanet.com/english/2019-10/26/c_138505655.htm

[2] https://www.insideprivacy.com/data-security/china-enacts-enc...

[3] https://thediplomat.com/2019/10/decoding-chinas-cryptography...

[4] https://www.iflr.com/Article/3907570/PRIMER-Chinas-cryptogra...


This is the most in-depth article I've seen on the topic: https://www.chinalawblog.com/2019/11/chinas-new-cryptography....


Care to post which part of the article says that companies must give China users' private keys?


Do you have any evidence that Apple rearchitected their system to have access to private keys that it doesn’t have access to anywhere, to have access to give it to China?


> It is the latest development in a pattern of Apple acquiescing to Beijing’s demands. Last July, Apple deleted VPN apps from the App Store that let mainland Chinese internet users evade censorship. Apple’s lawyers have also added a clause in the Chinese terms of service that states both Apple and GCBD may access all user data. Apple has not responded to requests for comment.

> Meanwhile, Chinese laws do not protect internet users’ privacy from government intrusion. In 2015, China passed a National Security Law, which included a provision to give police the authority to demand companies let them bypass encryption or other security tools to access personal data. The National People’s Congress was not available to comment.

https://www.theverge.com/2018/2/28/17055088/apple-chinese-ic...


Well, after actually reading the Reuters article that The Verge citation is based on...

Apple says the joint venture does not mean that China has any kind of “backdoor” into user data and that Apple alone – not its Chinese partner – will control the encryption keys. But Chinese customers will notice some differences from the start: their iCloud accounts will now be co-branded with the name of the local partner, a first for Apple.


> And even though Chinese iPhones will retain the security features that can make it all but impossible for anyone, even Apple, to get access to the phone itself, that will not apply to the iCloud accounts. Any information in the iCloud account could be accessible to Chinese authorities who can present Apple with a legal order.

> Apple said it will only respond to valid legal requests in China, but China’s domestic legal process is very different than that in the U.S., lacking anything quite like an American “warrant” reviewed by an independent court, Chinese legal experts said. Court approval isn’t required under Chinese law and police can issue and execute warrants.

https://www.reuters.com/article/us-china-apple-icloud-insigh...


Apple says the joint venture does not mean that China has any kind of “backdoor” into user data and that Apple alone – not its Chinese partner – will control the encryption keys. But Chinese customers will notice some differences from the start: their iCloud accounts will now be co-branded with the name of the local partner, a first for Apple.


From the same article:

> That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.

U.S. courts are highly unlikely to order Apple to release iCloud data to Chinese officials. Any cases would be public and attract international media attention. For Chinese iCloud users, that makes all the difference.


How many countries have laws that state user data must not be in foreign data centers?

Every company in the US has to comply when it’s ordered by the court to give up user data. The US justice system is not exactly a shining light on the hill when it comes to needing a high bar to give investigators search warrants. All someone has to do is say “terrorism”, “drugs” or “protect the children” and courts will fall over backwards.

Also from the same article:

Until now, Apple appears to have handed over very little data about Chinese users. From mid-2013 to mid-2017, Apple said it did not give customer account content to Chinese authorities, despite having received 176 requests, according to transparency reports published by the company. By contrast, Apple has given the United States customer account content in response to 2,366 out of 8,475 government requests.

You have much more faith in the US justice system than I do.


You're missing the point. From your quote:

> Until now, Apple appears to have handed over very little data about Chinese users. From mid-2013 to mid-2017, Apple said it did not give customer account content to Chinese authorities, despite having received 176 requests, according to transparency reports published by the company.

By moving iCloud data and keys to China, the amount of data Apple handed to Chinese authorities on Chinese iCloud users went from zero to a nonzero amount. Therefore, Apple degraded the security and privacy of Chinese iCloud users by making the switch to Chinese servers.

Due process is much more frequently ignored in China than in the United States, but that fact isn't even necessary to establish that Apple's switch to Chinese servers negatively affected Chinese iCloud users. The above is sufficient.

https://web.archive.org/web/20111019034145/http://www.law.ya...


The linked Reuters article quoted a statement where Apple said "they are still in control of the keys."


You need to brush up on your Cryptography 101 course before arguing with people about how asymmetric encryption keys work. There is nowhere that states that only one entity can have "control" of the keys. If you don't understand that, then I can see why you're so confused about this whole situation.


Technology is irrelevant here. Laws (or in China, the Chinese Communist Party) govern these things.


So technology is irrelevant when it comes to the entire architecture of how public/private key encryption works?


No. How the technology works is irrelevant when the end result is that the government wants the data.

If your boss asks you to build a machine that produces a widget, does he really care what your code looks like? Probably not. In the same vein, Apple can figure out whatever solution they want, whether it involves conventional use of encryption keys or not, to provide a system where the Chinese government can get access to their users' data.

It's really not that hard.


Do you have any proof? Any citations from security experts?


It doesn't take Bruce Schneier to understand how laws work.


And you still haven't provided proof that it is required or that Apple has uploaded users' private keys or given up private keys.


At this point, you're either a shill or a troll or did not earn your high school GED.



