Apple’s Compromises Made to Operate in China – Chinese Data Centers Allowed to Store Encryption Keys

Data Center Dynamics:

New report (from the NYTimes, no less) details compromises company made to operate in China

Apple’s data centers in China have few of the security and privacy precautions found in the company’s other sites, the New York Times reports.

Building a case from 17 current and former Apple employees, internal documents, new court filings, and previously known details about Apple’s Chinese operations, the publication paints a picture of a corporation that made numerous compromises to operate in its largest market.

As Apple plans to launch a data center in Guiyang this June, and another in the Inner Mongolia region soon, the facilities have come under renewed scrutiny.

It was already known that Apple was moving Chinese user data to Chinese data centers due to 2016 data sovereignty laws.

Foreign cloud and data center companies have to operate with a local partner – with Apple turning to state-owned Guizhou-Cloud Big Data Industry (GCBD) to run its data centers.

The state employees physically manage the servers at the data center, and control access to the site.

Not previously reported, but suspected, is the report’s claim that Apple abandoned the encryption technology it used elsewhere after the Chinese government blocked it.

It uses a different form of encryption, with the digital keys it uses to unlock the data stored in the same facilities. This was expressly requested by Chinese officials after Apple tried to keep the keys in the US.

After the data residency law was enforced in June 2017, Apple first resisted moving the keys, but they were shifted to China eight months later. It is not known why.

Outside of China, Apple stores the keys on hardware security modules developed by Thales. Chinese officials did not allow the device to be used, so a new one was developed by Apple to be used at the data center.

As Apple does not control the Chinese data centers, it does not have to turn data over to Chinese law enforcement, which would be illegal under US laws. Instead, Chinese authorities can ask GCBD for Apple user data.

More at Data Center Dynamics

Join now!