Legal and Technical Implications of Chinese iCloud Operations

April 10th, 2018 by Vladimir Katalov
Category: «Clouds», «Did you know that...?», «General», «Industry News», «Security», «Tips & Tricks»

On February 28, 2018, Apple has officially moved its Chinese iCloud operations and encryption keys to China. The reaction to this move from the media was overwhelmingly negative. The Verge, The Guardian, Reuters, Wired, and CNN among other Western media outlets expressed their concerns about the Chinese government potentially violating the human rights of its citizens. Politics aside, we will review Apple policies governing the Chinese accounts, and look into the technical implementation of Chinese iCloud operations. Let us see if the fears are substantiated.

The Fear of China

Even if the change only affects iCloud accounts registered in mainland China, there is no lack of publications bashing apple for complying with Chinese laws. Below are just a few stories from the top of the news feed.

Journalists express their concerns regarding the potential violation of Chinese users human rights. “In the past, if Chinese authorities wanted to access [Chinese] Apple’s user data, they had to go through an international legal process and comply with U.S. laws on user rights, according to Ronald Deibert, director of the University of Toronto’s Citizen Lab, which studies the intersection of digital policy and human rights. “They will no longer have to do so if iCloud and cryptographic keys are located in China’s jurisdiction,” he told CNNMoney.” [CNN]

Apparently, there are real fears of Chinese government enforcing Chinese (and not U.S.) laws to Chinese citizens. Are these fears substantiated? We spent a fair amount of time gathering legal information and trying to access information about the actual iCloud servers and the physical location of encryption keys. While the technical part was quite complicated, we were able to come to certain conclusions.

Exploring Chinese iCloud Accounts

The first thing you need to explore the specifics of a Chinese iCloud account is creating a Chinese iCloud account. This turned to be surprisingly difficult for someone not being physically present in China. Once you create a new Apple ID online at Apple.com, what you get is a so-called “web only” account. At this time, it is not yet pinned to any particular country, and is governed by “common” Apple’s T&C.

In order to tie an Apple account to a certain country, you would need to either create an account from an Apple device (iPhone, iPad, iPod Touch or Mac) or use an Apple device to sign in to an existing “web-only” account.  This is where the IP address comes into play. Only if you select China as a country during the initial account setup, and only if you make the first login from a Chinese IP address, will the account become “Chinese”.

Once the account is tied to China, you receive a message that the data will be stored at GDBD, and the iCloud T&C will be different from those of a non-Chinese account; more on that later.

Once we have a Chinese Apple ID set up and running, we could proceed to analyzing the location of iCloud data and, most importantly, the location of encryption keys.

iCloud is a highly diversified storage system employing servers run by Amazon, Google and Microsoft among others. iCloud services use sophisticated routing and load balancing, which makes it impossible to trace the real IP address of the physical computer that stores the data and encryption keys.

However, we can still compare responses we receive when querying Apple servers for international accounts with responses received when querying computers serving Chinese accounts. For all accounts we used before (that is, in all countries except China), all data links pointed to Google servers (e.g. content-storage-download.googleapis.com). For our new “Chinese” account, we noticed the following links to data chunks:

hkhkg-edge-002.icloud-content.com

While the IP address of the link above resolves to Apple’s US office in Cupertino, the company uses third-party cloud storage facilities, according to Apple itself:

Each file is broken into chunks and encrypted by iCloud using AES-128 and a key derived from each chunk’s contents that utilizes SHA-256. The keys and the file’s metadata are stored by Apple in the user’s iCloud account. The encrypted chunks of the file are stored, without any user-identifying information, using third-party storage services, such as S3 and Google Cloud Platform.

(Note that it says that the data is stored elsewhere, while the keys are stored by Apple.)

Unfortunately, we were unable to trace any further.

As to the encryption keys (and metadata), we found no meaningful differences between Chinese and international accounts. The last traceable point routes to (where XX is a number):

pXX-content.icloud.com

All IP addresses also resolve to Cupertino. However, we are unable to traverse Apple’s internal routing, and thus we could not determine the actual (physical) IP address of the computer that keeps the keys. As a result, we cannot use it for tracking location.

If you need more technical details on iCloud security, you can start with iCloud Security Overview on Apple web site. No great details are there, though. The publication describes the encryption algorithms and marketing ploy (We take security seriously, otherwise known as We didn’t take it seriously enough).

Strictly speaking, iCloud security is sufficient. (By the way, Apple offers a $50,000 bounty for Unauthorized access to iCloud account data on Apple servers.) One thing we are not comfortable with is is the fact that the encryption keys are stored along with the data. Okay, the previous statement is not technically 100% correct; the keys are in fact stored at a different physical location. However, anyone accessing the encrypted data using the proper credentials will also have access to the keys. If you are curious how the data is stored, you are welcome to browse through our presentations from the many security conferences. We were the first to make this discovery, e.g. Cracking and Analyzing Apple iCloud Protocols published back in 2013.

Chinese iCloud Accounts: Analyzing Apple’s Terms and Conditions

Let us compare the Terms and Conditions of Apple services in China and in the U.S.

Chinese T&C: https://www.apple.com/legal/internet-services/icloud/en/gcbd-terms.html
U.S. T&C:  https://www.apple.com/legal/internet-services/icloud/en/terms.html

Directly comparing the two documents, one can easily spot notable differences. For example, Chinese T&C start with the following:

GCBD is the provider of the Service in the Mainland of China, which permits you to utilize certain Internet services, including storing your personal content […]. When iCloud is enabled, your content will be automatically sent to and stored by GCBD, so you can later access that content or have content wirelessly pushed to your other iCloud-enabled devices or computers.

Next, pay attention to V. Content and Your Conduct | E. Access to Your Account and Content:

You understand and agree that Apple and GCBD will have access to all data that you store on this service, including the right to share, exchange and disclose all user data, including Content, to and between each other under applicable law.

This is where the real differences begin. Apple’s international T&C contain no such statement, not even about Apple! Is this conspiracy? In reality, Apple has physical access to iCloud data, and it serves the data to law enforcement when presented a legal warrant. This is made possible by the fact that Apple encrypts iCloud data with cryptographic keys that are retained by Apple and stored on Apple servers, according to both iCloud security overview and our own findings. We know this for sure since we performed a comprehensive analysis of iCloud data protection and built a tool for downloading (and decrypting!) data from iCloud accounts.

And finally, VII. Termination | A. Voluntary Termination by You:

To terminate your Account and delete your Apple ID, contact GCBD Support at Electronic Information Industry Park of Gui An New Area, Guizhou province, P.R. China

International T&C is again different:

To terminate your Account and delete your Apple ID, contact Apple Support at https://support.apple.com/contact.

We would also recommend you to read Apple’s Legal Process Guidelines for Government & Law Enforcement — they are different for US and the rest of the world:

https://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf
https://images.apple.com/legal/privacy/law-enforcement-guidelines-outside-us.pdf

The most interesting part (this time not technical) is Information Available from Apple, especially the iCloud part. The non-US version also includes the following statement:

All requests from government and law enforcement agencies outside of the United States for content stored in our data centers in the United States, with the exception of emergency circumstances (defined above in Emergency Requests), must comply with the United States Electronic Communications Privacy Act (ECPA). A request under a Mutual Legal Assistance Treaty or Agreement with the United States is in compliance with ECPA. Apple Inc. will provide subscriber content, as it exists in the subscriber’s account, only in response to such legally valid process.

Another good (though a bit confusing) reading is Apple Differential Privacy Technical Overview. My favorite part is:

The Apple differential privacy implementation incorporates the concept of a perdonation privacy budget (quantified by the parameter epsilon), and sets a strict limit on the number of contributions from a user in order to preserve their privacy. The reason is that the slightly-biased noise used in differential privacy tends to average out over a large numbers of contributions.

Let us know if you understand what that actually means!

Conclusion

Apple is doing everything it can to comply with the new Chinese regulations. The Chinese government already performed an exemplary execution, completely banning Google services in mainland China. As a result, Google is not just losing humongous amounts of money, but got the big headache of incompatible Android smartphones devoid of Google certification and Google services. Obviously, Apple won’t go the way of Google. First VPN apps, then iCloud encryption keys. What’s next in line?