In China, Apple Compromises on Censorship and Surveillance - The New York Times

image

GUIYANG, China — On the outskirts of this city in a poor, mountainous province in southwestern China, men in hard hats recently put the finishing touches on a white building a quarter-mile long with few windows and a tall surrounding wall. There was little sign of its purpose, apart from the flags of Apple and China flying out front, side by side.

Inside, Apple was preparing to store the personal data of its Chinese customers on computer servers run by a state-owned Chinese firm.

Tim Cook, Apple’s chief executive, has said the data is safe. But at the data center in Guiyang, which Apple hoped would be completed by next month, and another in the Inner Mongolia region, Apple has largely ceded control to the Chinese government.

Chinese state employees physically manage the computers. Apple abandoned the encryption technology it used elsewhere after China would not allow it. And the digital keys that unlock information on those computers are stored in the data centers they’re meant to secure.

Internal Apple documents reviewed by The New York Times, interviews with 17 current and former Apple employees and four security experts, and new filings made in a court case in the United States last week provide rare insight into the compromises Mr. Cook has made to do business in China. They offer an extensive inside look — many aspects of which have never been reported before — at how Apple has given in to escalating demands from the Chinese authorities.

Two decades ago, as Apple’s operations chief, Mr. Cook spearheaded the company’s entrance into China, a move that helped make Apple the most valuable company in the world and made him the heir apparent to Steve Jobs. Apple now assembles nearly all of its products and earns a fifth of its revenue in the China region. But just as Mr. Cook figured out how to make China work for Apple, China is making Apple work for the Chinese government.

Mr. Cook often talks about Apple’s commitment to civil liberties and privacy. But to stay on the right side of Chinese regulators, his company has put the data of its Chinese customers at risk and has aided government censorship in the Chinese version of its App Store. After Chinese employees complained, it even dropped the “Designed by Apple in California” slogan from the backs of iPhones.

The entrance to Apple’s new data center, which the company hoped to complete next month.Keith Bradsher/The New York Times

China’s leader, Xi Jinping, is increasing his demands on Western companies, and Mr. Cook has resisted those demands on a number of occasions. But he ultimately approved the plans to store customer data on Chinese servers and to aggressively censor apps, according to interviews with current and former Apple employees.

“Apple has become a cog in the censorship machine that presents a government-controlled version of the internet,” said Nicholas Bequelin, Asia director for Amnesty International, the human rights group. “If you look at the behavior of the Chinese government, you don’t see any resistance from Apple — no history of standing up for the principles that Apple claims to be so attached to.”

While both the Trump and Biden administrations have taken a tougher line toward China, Apple’s courtship of the Chinese government shows a disconnect between politicians in Washington and America’s wealthiest company.

Mr. Cook has been on a charm offensive in China, making frequent, statesmanlike visits and meeting with top leaders. On one trip in 2019, he toured the Forbidden City, met with a start-up and posted about the trip on the Chinese social platform Weibo.

Behind the scenes, Apple has constructed a bureaucracy that has become a powerful tool in China’s vast censorship operation. It proactively censors its Chinese App Store, relying on software and employees to flag and block apps that Apple managers worry could run afoul of Chinese officials, according to interviews and court documents.

A Times analysis found that tens of thousands of apps have disappeared from Apple’s Chinese App Store over the past several years, more than previously known, including foreign news outlets, gay dating services and encrypted messaging apps. It also blocked tools for organizing pro-democracy protests and skirting internet restrictions, as well as apps about the Dalai Lama.

President Xi Jinping of China, lower left, greeting Apple’s chief executive, Tim Cook, in 2015. Mr. Cook has made frequent, statesmanlike visits to China.Associated Press

And in its data centers, Apple’s compromises have made it nearly impossible for the company to stop the Chinese government from gaining access to the emails, photos, documents, contacts and locations of millions of Chinese residents, according to the security experts and Apple engineers.

The company said in a statement that it followed the laws in China and did everything it could to keep the data of customers safe. “We have never compromised the security of our users or their data in China or anywhere we operate,” the company said.

An Apple spokesman said that the company still controlled the keys that protect the data of its Chinese customers and that Apple used its most advanced encryption technology in China — more advanced than what it used in other countries.

Apple added that it removed apps only to comply with Chinese laws. “These decisions are not always easy, and we may not agree with the laws that shape them,” the company said. “But our priority remains creating the best user experience without violating the rules we are obligated to follow.”

Mr. Cook declined an interview for this article. In public appearances, he has said that while he often disagrees with China’s laws, the world is better off with Apple in China.

“Your choice is: Do you participate? Or do you stand on the sideline and yell at how things should be?” he said at a conference in China in 2017. “My own view very strongly is: You show up and you participate. You get in the arena, because nothing ever changes from the sideline.”

No Plan B

In 2014, Apple hired Doug Guthrie, the departing dean of the George Washington University business school, to help the company navigate China, a country he had spent decades studying.

One of his first research projects was Apple’s Chinese supply chain, which involved millions of workers, thousands of plants and hundreds of suppliers. The Chinese government made that operation possible by spending billions of dollars to pave roads, recruit workers, and construct factories, power plants and employee housing.

Mr. Guthrie concluded that no other country could offer the scale, skills, infrastructure and government assistance that Apple required. Chinese workers assemble nearly every iPhone, iPad and Mac. Consumers in the region pay Apple more than $55 billion a year, by far the most of any American company in China.

“This business model only really fits and works in China,” Mr. Guthrie said in an interview. “But then you’re married to China.”

Apple hired Doug Guthrie in 2014 to help the company navigate China. At the time, the country was starting to pass laws that gave the government greater leverage over Apple.Erin Kirkland for The New York Times

The Chinese government was starting to pass laws that gave the country greater leverage over Apple, and Mr. Guthrie said he believed Mr. Xi would soon start seeking concessions. Apple, he realized, had no Plan B.

“For Chinese authorities, this is no longer about, ‘How much money are you pouring into China?’ This is about, ‘What are you giving back?’” Mr. Guthrie said.

Mr. Guthrie delivered his warning to Mr. Cook’s top deputies, including Phil Schiller, a longtime marketing chief; Eddy Cue, head of internet software and services; Lisa Jackson, the company’s government affairs chief; and Jeff Williams, its operations chief, who is widely viewed as Mr. Cook’s right-hand man.

As Mr. Guthrie was delivering his warnings, Apple set about keeping the Chinese government happy. Part of that effort was new research and development centers in China. But those R&D centers complicated Apple’s image as a California company. At a summit for its new Chinese engineers and designers, Apple showed a video that ended with a phrase that Apple had been inscribing on the backs of iPhones for years: “Designed by Apple in California.”

The Chinese employees were angered, according to Mr. Guthrie and another person in the room. If the products were designed in California, they shouted, then what were they doing in China?

“The statement was deeply offensive to them,” said Mr. Guthrie, who left Apple in 2019 to return to his home in Michigan. “They were just furious.”

The next iPhone didn’t include the phrase.

‘Golden Gate’

In November 2016, China approved a law requiring that all “personal information and important data” that is collected in China be kept in China.

It was bad news for Apple, which had staked its reputation on keeping customers’ data safe. While Apple regularly responded to court orders for access to customer data, Mr. Cook had rebuffed the F.B.I. after it demanded Apple’s help breaking into an iPhone belonging to a terrorist involved in the killing of 14 people in San Bernardino, Calif. Now the Chinese government had an even broader request.

Other companies faced a similar dilemma in China, but Apple was uniquely exposed because of its high profile and acute dependence on the country.

Apple’s iCloud service allows customers to store some of their most sensitive data — things like personal contacts, photos and emails — in the company’s data centers. The service can back up everything stored on an iPhone or Mac computer, and can reveal the current location of a user’s Apple devices. Most of that data for Chinese customers was stored on servers outside China.

Apple’s new data center in the Inner Mongolia region of China.Cnes/Airbus, via Google Earth

Apple’s China team warned Mr. Cook that China could shut down iCloud in the country if it did not comply with the new cybersecurity law. So Mr. Cook agreed to move the personal data of his Chinese customers to the servers of a Chinese state-owned company. That led to a project known inside Apple as “Golden Gate.”

Apple encrypts customers’ private data in its iCloud service. But for most of that information, Apple also has the digital keys to unlock that encryption.

The location of the keys to the data of Chinese customers was a sticking point in talks between Apple and Chinese officials, two people close to the deliberations said. Apple wanted to keep them in the United States; the Chinese officials wanted them in China.

The cybersecurity law went into effect in June 2017. In an initial agreement between Apple and Chinese officials, the location of the keys was left intentionally vague, one person said.

But eight months later, the encryption keys were headed to China. That surprised at least two Apple executives who worked on the initial negotiations and who said the move could jeopardize customers’ data. It is unclear what led to the change.

Documents reviewed by The Times do not show that the Chinese government has gained access to the data. They only indicate that Apple has made compromises that make it easier for the government to do so.

An unusual arrangement

With the keys in China, the government has two avenues to the data, security experts said: demand it — or take it without asking.

The Chinese government regularly demands data from Chinese companies, often for law-enforcement investigations. Chinese law requires the companies to comply.

U.S. law has long prohibited American companies from turning over data to Chinese law enforcement. But Apple and the Chinese government have made an unusual arrangement to get around American laws.

In China, Apple has ceded legal ownership of its customers’ data to Guizhou-Cloud Big Data, or GCBD, a company owned by the government of Guizhou Province, whose capital is Guiyang. Apple recently required its Chinese customers to accept new iCloud terms and conditions that list GCBD as the service provider and Apple as “an additional party.” Apple told customers the change was to “improve iCloud services in China mainland and comply with Chinese regulations.

The terms and conditions included a new provision that does not appear in other countries: “Apple and GCBD will have access to all data that you store on this service” and can share that data “between each other under applicable law.”

Under the new setup, Chinese authorities ask GCBD — not Apple — for Apple customers’ data, Apple said. Apple believes that gives it a legal shield from American law, according to a person who helped create the arrangement. GCBD declined to answer questions about its Apple partnership.

In the three years before China’s cybersecurity law went into effect, Apple never provided the contents of a user’s iCloud account to the Chinese authorities and challenged 42 Chinese government requests for such data, according to statistics released by the company. Apple said it challenged those requests because they were illegal under U.S. law.

In the three years after the law kicked in, Apple said it provided the contents of an undisclosed number of iCloud accounts to the government in nine cases and challenged just three government requests.

An extensive complex of apartments and town homes is being built across the street from Apple’s data center in Guiyang.Keith Bradsher/The New York Times

Apple still appears to provide far more data to U.S. law enforcement. Over that same period, from 2013 through June 2020, Apple said it turned over the contents of iCloud accounts to U.S. authorities in 10,781 separate cases.

Chinese officials say their cybersecurity law is intended to protect Chinese residents’ data from foreign governments. People close to Apple suggested that the Chinese authorities often don’t need Apple’s data, and thus demand it less often, because they already surveil their citizens in myriad other ways.

But the iCloud data in China is vulnerable to the Chinese government because Apple made a series of compromises to meet the authorities’ demands, according to dozens of pages of internal Apple documents on the planned design and security of the Chinese iCloud system, which were reviewed for The Times by an Apple engineer and four independent security researchers.

The documents show that GCBD employees would have physical control over the servers, while Apple employees would largely monitor the operation from outside the country. The security experts said that arrangement alone represented a threat that no engineer could solve.

“Chinese intelligence has physical control over your hardware — that’s basically a threat level you can’t let it get to,” said Matthew D. Green, a cryptography professor at Johns Hopkins University.

Apple said it designed the iCloud security “in such a way that only Apple has control of the encryption keys.”

The documents also show that Apple is using different encryption technology in China than elsewhere in the world, contradicting what Mr. Cook suggested in a 2018 interview.

The digital keys that can decrypt iCloud data are usually stored on specialized devices, called hardware security modules, that are made by Thales, a French technology company. But China would not approve the use of the Thales devices, according to two employees. So Apple created new devices to store the keys in China.

The documents, from early 2020, indicated that Apple had planned to base the new devices on an older version of iOS, the software underpinning iPhones, which is among the most targeted systems by hackers. Apple also planned to use low-cost hardware originally designed for the Apple TV. That alarmed the security researchers.

But Apple said that the documents included outdated information and that its Chinese data centers “feature our very latest and most sophisticated protections,” which would eventually be used in other countries.

The Chinese government must approve any encryption technology that Apple uses in China, according to two current Apple employees.

People waiting in line last year for the opening of a new Apple Store in Beijing. The company earns a fifth of its revenue in the China region.Kevin Frayer/Getty Images

“The Chinese are serial iPhone breakers,” said Ross J. Anderson, a University of Cambridge cybersecurity researcher who reviewed the documents. “I’m convinced that they will have the ability to break into the servers.”

Apple has tried to isolate the Chinese servers from the rest of its iCloud network, according to the documents. The Chinese network would be “established, managed, and monitored separately from all other networks, with no means of traversing to other networks out of country.” Two Apple engineers said the measure was to prevent security breaches in China from spreading to the rest of Apple’s data centers.

Apple said that it sequestered the Chinese data centers because they are, in effect, owned by the Chinese government, and Apple keeps all third parties disconnected from its internal network.

In Cupertino, Calif., Apple engineers have been racing to finish designs for the new Chinese iCloud. In a presentation to some engineers last year, according to slides viewed by The Times, managers made clear that the stakes were high.

“There will be immense pressure to get it done. We agreed to this timeline three years ago,” said one slide. “Important people put their reputations on the line. iCloud needs influential friends in China.”

The documents showed that Apple’s deadline to start storing data in the new Chinese data centers was June 2021.

‘China hide process’

In early 2018, Guo Wengui, an exiled Chinese billionaire, was spending much of his time in Manhattan trying to broadcast his claims of corruption inside the Communist Party. His latest effort was an iPhone app in China that delivered those claims.

Before his app even became available on iPhones, the Chinese government was trying to block it. Shortly after Mr. Guo applied to the App Store, the Cyberspace Administration of China, the government’s internet regulator, told Apple it wanted the app rejected. It was unclear how the officials knew about it.

Those events and the chain reaction they set off inside Apple were laid out in court documents last week in a wrongful-termination case against the company. The documents and interviews shine a light on a bureaucracy inside Apple designed to censor and block apps, often proactively, to appease the Chinese government.

On Feb. 4, 2018, shortly after the Chinese authorities demanded that Mr. Guo’s app be rejected, an Apple manager emailed a colleague with a question: Did Mr. Guo belong on Apple’s “China sensitivities list,” along with the likes of Falun Gong — the Chinese spiritual movement — and the Dalai Lama?

The colleague replied that Mr. Guo probably should be on the list, given that he had been spreading unverifiable defamatory stories about Chinese officials. She suggested that the question be elevated to Apple’s “executive review board,” a group of executives who decide the trickiest App Store issues, including top deputies to Mr. Cook.

Two weeks later, the board said Mr. Guo belonged on Apple’s China blacklist. Apple employees added his name to the company’s internal “Chinese App Store Removal wiki page,” according to the documents, as well as a software program that would automatically tag any apps that mentioned him.

Guo Wengui, an exiled critic of China’s government, in 2017. Apple said it had removed his iPhone app in China because it had determined it was illegal there.James Estrin/The New York Times

Six months later, Mr. Guo submitted his app again, with changes to elude Apple’s software. Trieu Pham, an app reviewer in Cupertino, was assigned the app. He didn’t find anything that violated Apple’s rules. On Aug. 2, he approved it.

Three weeks later, Trystan Kosmynka, Apple’s app review chief, sent an email to several managers at 2:32 a.m. The subject line was “Hot: Guo.” The Chinese government had spotted Mr. Guo’s new app, and Mr. Kosmynka wanted to know how it had gotten published.

“This app and any Guo Wengui app cannot be on the China store,” he wrote, according to the emails filed in the court case. “Can we put the necessary pieces in place to prevent that ASAP.”

Apple pulled the app and began investigating. A resulting report said the app was published because the “China hide process was not followed,” according to court documents. It said that Mr. Pham, the app reviewer, should have sent the app to Apple’s Chinese language specialists, who had been trained on which topics to block in the Chinese App Store, including Mr. Guo.

When Apple managers questioned Mr. Pham, he told them the app didn’t violate any policies. The managers responded that the app criticized the Chinese government, Mr. Pham said in court documents, and that this was enough for rejection.

Six months later, Apple fired Mr. Pham. In response, he sued the company, accusing it of pushing him out to appease the Chinese government.

Apple said it removed Mr. Guo’s app in China because it had determined it was illegal there. Apple said it fired Mr. Pham because of poor performance.

Mr. Guo’s media outlets have a history of peddling misinformation. The exact nature of the apps in the 2018 case was unclear, though court documents said they discussed Chinese Communist Party corruption.

Phillip Shoemaker, who ran Apple’s App Store from 2009 to 2016, said in an interview that Apple lawyers in China gave his team a list of topics that couldn’t appear in apps in the country, including Tiananmen Square and independence for Tibet and Taiwan. He said Apple’s policy was matter-of-fact: If the lawyers believed a topic was off-limits in China, then Apple would remove it there.

On Chinese iPhones, Apple forbids apps about the Dalai Lama while hosting those from the Chinese paramilitary group accused of detaining and abusing Uyghurs, an ethnic minority group in China.

The company has also helped China spread its view of the world. Chinese iPhones censor the emoji of the Taiwanese flag, and their maps suggest Taiwan is part of China. For a time, simply typing the word “Taiwan” could make an iPhone crash, according to Patrick Wardle, a former hacker at the National Security Agency.

Sometimes, Mr. Shoemaker said, he was awakened in the middle of the night with demands from the Chinese government to remove an app. If the app appeared to mention the banned topics, he would remove it, but he would send more complicated cases to senior executives, including Mr. Cue and Mr. Schiller.

Apple resisted an order from the Chinese government in 2012 to remove The Times’s apps. But five years later, it ultimately did. Mr. Cook approved the decision, according to two people with knowledge of the matter who spoke on the condition of anonymity.

Apple recently began disclosing how often governments demand that it remove apps. In the two years ending June 2020, the most recent data available, Apple said it approved 91 percent of the Chinese government’s app-takedown requests, removing 1,217 apps.

In every other country combined over that period, Apple approved 40 percent of requests, removing 253 apps. Apple said that most of the apps it removed for the Chinese government were related to gambling or pornography or were operating without a government license, such as loan services and livestreaming apps.

Yet a Times analysis of Chinese app data suggests those disclosures represent a fraction of the apps that Apple has blocked in China. Since 2017, roughly 55,000 active apps have disappeared from Apple’s App Store in China, according to a Times analysis of data compiled by Sensor Tower, an app data firm. Most of those apps have remained available in other countries.

Number of apps that disappeared from the iOS App Store in China by month through February 2021

Note: Includes apps that were active at their time of removal (i.e. were updated less than a year before leaving the Chinese iOS store) and have not returned as of March 11, 2021.

Source: SensorTower

The New York Times

More than 35,000 of those apps were games, which in China must get approval from regulators. The remaining 20,000 cut across a wide range of categories. Apps that mapped users’ runs, edited selfies or taught sexual positions were removed. So were apps that allowed users to message privately, share documents and browse websites the Chinese government had blocked. More than 600 news apps also disappeared.

Apple disputed those figures, saying that some developers remove their own apps from China. Apple said that since 2017, it had taken down 70 news apps in response to Chinese government demands.

The discrepancy between Apple’s disclosures and the Times analysis is in part because Apple is removing apps before China’s internet censors even complain. Apple does not disclose such takedowns in its statistics.

Mr. Shoemaker said he and his team rationalized removing apps by framing them as simply enforcing a country’s laws. Similar steps were taken in places like Saudi Arabia and Russia, he said. “At the same time, we didn’t want to get hauled up in front of the Senate to talk about why we’re quote ‘censoring apps in China,’” he said. “It was a tightrope we had to walk.”

Raymond Zhong reported from Guiyang. Keith Bradsher contributed reporting from Guiyang.