I’m pretty concerned about what Apple is doing in China, but there’s no evidence at all that Apple is escrowing end-to-end encryption keys to the government. There’s also no evidence that the Chinese government is using Apple’s non-E2E keys (held in Apple hardware in a cage at a Chinese hosting provider) for mass surveillance. I’m not saying that it’s impossible: I’m saying if you could come up with that evidence, either through reverse-engineering or a verifiable leak from Apple, it would be the biggest story in tech. You would be famous and (if you knew the right hedge fund) probably very rich.
That Apple operates iCloud in every single country except China, where GCBD (AIPO Cloud (Guizhou) Technology Co. Ltd) operates iCloud, I think makes pretty clear what's going on.
That’s separate from iMessage, which is end to end.
Apple used to be able to access iMessages through iCloud backups. They changed their system worldwide, now they can’t. So presumably GCBD also lost access to iMessages in iCloud backups.
Apple can still read ~100% of all iMessages in real time because iCloud Backup (non-e2ee by default) serves as a key escrow backdoor in the e2ee of iMessage. It is thus legitimate to state that iMessage is not e2ee, as in practice each iMessage is also encrypted to a key held by Apple (in addition to the endpoints).
Even if you turn it (e2ee iCloud Backup) on, it's ineffective, as both parties to a conversation must have turned it on for the conversation to be private.
The optional iCloud feature called "Advanced Data Protection" is currently opt-in. It comes with a significant drawback for typical mom and pop users: if you lose your password and recovery key it's game over, you lose everything. So I guess it's sensible to keep this as an opt-in until users are better educated about this drawback.
What will be quite significant is whether or not this feature will be available for Chinese users.
It makes sense from a technical POV to block the ADP feature in poorly democratic countries that might request it, like China and maybe tomorrow the UK.
PS: Once a significant % of users have activated ADP it could be a good UX improvement to display a warning in mixed-ADP-status conversations that the conversation is not fully e2e encrypted. However this might be premature right now, otherwise early adopters of ADP would be flooded by such warnings.
There’s some confusion here: iMessage is end to end encrypted by default. That in no way protects the information on each user's device.
If iCloud is enabled, then by default it gets unencrypted copies of these messages from the device unless “advanced data protection” is also enabled which ensures iMessage is encrypted but means losing your password also loses access to these backups. However, disabling iCloud sidesteps this issue and honestly if you want that kind of privacy then disabling iCloud is probably a good idea.
So if one user uses ADP and the other user disables iCloud then the conversation is protected.
If you scrolled down in the link provided above, it mentions that with BOTH Standard and Advanced Data Protection, messages are end to end encrypted; it’s just that with Advanced Data Protection the encryption key also ends up being encrypted too, but I’m positive even this has changed recently. You can try looking at logs when you turn on Messages in iCloud and see that your messages are encrypted.
So lots of confusion in this thread; my advice for Apple would be to make it very, very clear to users that your data is safe. I mean they are threatening to back out of the UK, so it’s against their core principles and also probably very technically expensive to undo their end to end encrypted system.
Actually there is a third option: don't back up your iMessages to iCloud in the first place. In this configuration you need to transfer your content from device to device using a local backup if you intend to keep your messages.
You then have the same level of privacy (if not higher) than with ADP. But with the same drawback: if your recipient does back up to iCloud without ADP then messages can be intercepted by Apple at rest in your recipient's iCloud backup.
Incidentally, ADP mainly targets users that didn't trust iCloud Backup for its lack of e2e encryption at rest.
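Added example (written for this thread, not code from any commenter or from Apple): a toy model of the "weakest link" argument above. A message is delivered end to end, then each party's device runs its backup step. With the standard iCloud setting the backup key is escrowed with the provider; with ADP the key stays with the user; with no iCloud backup nothing leaves the device. The provider only ever sees transit ciphertext plus whatever backup blobs it can unwrap, so a conversation is exposed at rest as soon as either party backs up without ADP. The mode labels, the HMAC-counter stream cipher and the escrow table are all constructed simplifications and do not reproduce Apple's real key hierarchy.

```python
"""Toy model of where iMessage plaintext lands at rest under each backup mode.
Constructed example: the three modes, the escrow table and the cipher are
simplifications, not Apple's actual protocol.
"""
import hashlib
import hmac
import secrets

# Backup modes discussed in the thread (constructed labels)
NO_BACKUP = "no_icloud_backup"   # messages never leave the device
STANDARD = "icloud_standard"     # backup key escrowed with the provider
ADP = "icloud_adp"               # backup key held only by the user


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a toy stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """Encrypt under a fresh random nonce; returns (nonce, ciphertext)."""
    nonce = secrets.token_bytes(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce, bytes(a ^ b for a, b in zip(plaintext, ks))


def open_(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Decrypt: the stream cipher is its own inverse."""
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


class Participant:
    def __init__(self, name: str, backup_mode: str):
        self.name = name
        self.backup_mode = backup_mode
        self.backup_key = secrets.token_bytes(32)  # per-user backup key
        self.inbox: list[bytes] = []               # plaintexts held on device


class Provider:
    """Stores backup blobs; holds escrowed keys only for STANDARD users."""

    def __init__(self):
        self.escrow: dict[str, bytes] = {}
        self.blobs: list[tuple[str, bytes, bytes]] = []

    def enroll(self, p: Participant) -> None:
        if p.backup_mode == STANDARD:
            self.escrow[p.name] = p.backup_key   # the key-escrow step

    def store_backup(self, p: Participant) -> None:
        if p.backup_mode == NO_BACKUP:
            return                               # nothing uploaded
        for msg in p.inbox:
            nonce, ct = seal(p.backup_key, msg)
            self.blobs.append((p.name, nonce, ct))

    def recoverable_plaintexts(self) -> set[bytes]:
        """Everything the provider can read from what it stores."""
        out = set()
        for owner, nonce, ct in self.blobs:
            key = self.escrow.get(owner)
            if key is not None:
                out.add(open_(key, nonce, ct))
        return out


def exchange(sender_mode: str, recipient_mode: str, text: bytes = b"hello") -> set[bytes]:
    """Deliver one E2E message, run both parties' backups, return provider view."""
    provider = Provider()
    alice = Participant("alice", sender_mode)
    bob = Participant("bob", recipient_mode)
    for p in (alice, bob):
        provider.enroll(p)
    # E2E delivery: the provider relays only ciphertext under a session key it never holds
    session_key = secrets.token_bytes(32)
    nonce, ct = seal(session_key, text)
    alice.inbox.append(text)
    bob.inbox.append(open_(session_key, nonce, ct))
    for p in (alice, bob):
        provider.store_backup(p)
    return provider.recoverable_plaintexts()


def conversation_exposed(sender_mode: str, recipient_mode: str) -> bool:
    """True if the provider can recover the message plaintext at rest."""
    return b"hello" in exchange(sender_mode, recipient_mode)


if __name__ == "__main__":
    for a in (NO_BACKUP, STANDARD, ADP):
        for b in (NO_BACKUP, STANDARD, ADP):
            print(f"{a:>18} -> {b:<18} exposed={conversation_exposed(a, b)}")
```

Running the grid shows the point made in the thread: every pairing that includes a STANDARD party is exposed, and ADP or no-backup on one side cannot compensate for the other side's escrowed backup.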
More prosaically it's probably because turning it on means it's easier to lose access to your data if you lose devices/keys. Apple can't help you if they don't have the keys. It's not a bad marketing position.
They don’t want their data leaving their country? Doesn't Germany also have some privacy laws that require data on Germans to stay within Germany? Isn’t this just an extension of that in a way?
> You would be famous and (if you knew the right hedge fund) probably very rich.
Famous, sure.
Rich? Perhaps… but I suspect that annoying a superpower will mean that, like Snowden, one would be somewhat restricted in ability to make use of any such wealth or fame.
Regarding the financial impact, what's the trade if they find out China is different? Shorting Apple? I don't think that would be a consequence. Nobody cares that China intercepts everything, we just don't want to live there or in a regime like it.
There was a rumor about separate HSMs for device personalization in China, and this would be verifiable by determining whether the Chinese HSMs could verify cryptograms produced by derived keys from a US device, against Apple's personalization endpoints in China. I don't know the protocol off hand, but there is a short list of ways to do it. If Apple uses different root secrets in China from the rest of the world, what further evidence would you need?
Apple has claimed that they don’t allow China to intercept communications using these keys. They’ve said on the record to the WSJ that they don’t do any combination of these things, and they left very little wiggle room in their denials (Google Apple China encryption keys WSJ). If you could show that they were compromising security for the Chinese government but not making any allowances for the FBI, and that their executives were lying about it, it would be a massive political scandal. There would almost certainly be congressional hearings, simply because any one of {Apple, China, tech executives caught lying, tech executives secretly collaborating with foreign governments} is by itself an opportunity for Congresspeople to get their face on TV and this would cover all the bases. Following this there would be huge US government pressure for Apple to (at minimum) cease collaborating with China to surveil its people, or else to offer the same capability to the US government. Potentially Apple’s entire business in China could be jeopardized if it was predicated on secret collaboration, not to mention their whole supply chain would be even more at risk. In the long run Apple might maneuver out of the situation somehow, but in the short run it would certainly affect them very badly.
> Apple has claimed that they don’t allow China to intercept communications using these keys. They’ve said on the record to the WSJ that they don’t do any combination of these things, and they left very little wiggle room in their denials
There's wiggle room in what you wrote: "Apple doesn't allow China to intercept communications, China just does it on their own" for example is a way to parse that sentence.
That would be a bigger scandal. If Apple's communication protection protocols could be subverted in flight (i.e., not via endpoint compromises) without Apple's consent or active participation, that would imply that the protocols themselves were just for show.
Chinese national security law includes a gag order for such assistance requests.
Apple can say they don’t allow it, because their local partner company is the one actually doing it. And the local partner would say they don’t allow it, because Chinese law (and the Party) requires them to keep all national security assistance secret.
US executives can be compelled to testify truthfully under oath. There is no "Chinese law compels me to keep this secret" defense to perjury charges in the US. If credible evidence emerges, Apple executives will eventually be forced to admit whatever they know. The only viable strategy here is to have a broken system and plausibly "not know" it's being exploited, but that's a very fragile approach (technically risky, vulnerable to whistleblowers) and it only works once.
> Following this there would be huge US government pressure for Apple to (at minimum) cease collaborating with China to surveil its people, or else to offer the same capability to the US government.
Congress knows this would only kneecap one of their largest companies (with no fallback option at present). There is no iPhone without China.
Apple can and does already provide surveillance of this type domestically to FBI/DHS/et al. Approximately all iMessages are readable by Apple, and by extension by the USG, in real time, with or without a warrant.