Apple transferring its iCloud service in China to a state-owned company in order to comply with Beijing’s regulations raises security concerns, but may also shed light on China’s cyber-security laws.
On Wednesday, 28 February, U.S. technology firm Apple Inc. transferred its iCloud service in China to Chinese government-owned company Guizhou-Cloud Big Data Industry Development Co, to comply with Chinese cloud services regulations.
This exposes the users of Apple iCloud accounts registered in mainland China to potential government intrusion, given that network operators such as Apple are legally required to provide ‘technical support and assistance’ and submit information to Beijing in any investigation of an iCloud user. The government can also conduct spot checks.
Accounts registered elsewhere are unaffected.
Apple’s transfer of its cloud service in China is in line with a cyber-security law enacted in June 2017. Critical information infrastructure operators – such as Apple – operating in China are required to store data collected in China within the mainland. Beijing claims this helps prevent crime and terrorism and protects the privacy of Chinese citizens.
Apple told CNN that it advocated for its iCloud service to be exempt, but was unsuccessful, leaving it with the choice of providing the service under the new law or discontinue offering it.
Other big U.S. tech companies, including Amazon and Microsoft, have also struck partnerships with Chinese companies to operate their cloud services in the country.
Apple claims that it has not created any backdoor access to allow the Chinese government easy access to its client data. Nevertheless, provisions within the law allow the Chinese authorities to conduct spot-checks on the operator, a process which could expose proprietary information. The Chinese government has a history of sponsoring or instigating industrial espionage, as noted by countries including Germany, the U.K. and U.S.
Businesses in China using Apple’s corporate cloud services or employees using Apple’s iPhone and iPad products should assess their risk profile. They should avoid sharing sensitive data over Apple’s products and services, as well as on apps sold from Apple’s online store, and consider switching to a more secure cloud platform, if required.
Foreign organisations are advised to carefully monitor how Apple implements the 2017 cyber-security law, and the government’s response. This is due to significant ambiguity over how specific terms are interpreted and how the law is put into practice. Apple has a huge market and vital manufacturing base in China and works closely with the government to ensure it complies with Chinese law.