Apple's data centers in China have few of the security and privacy precautions found in the company's other sites, the New York Times reports.
Building a case from 17 current and former Apple employees, internal documents, new court filings, and previously known details about Apple's Chinese operations, the publication paints a picture of a corporation that made numerous compromises to operate in its largest market.
As Apple plans to launch a data center in Guiyang this June, and another in the Inner Mongolia region soon, the facilities have come under renewed scrutiny.
It was already known that Apple was moving Chinese user data to Chinese data centers due to 2016 data sovereignty laws.
Foreign cloud and data center companies have to operate with a local partner - with Apple turning to state-owned Guizhou-Cloud Big Data Industry (GCBD) to run its data centers.
The state employees physically manage the servers at the data center, and control access to the site.
Not previously reported, but suspected, is the report's claim that Apple abandoned the encryption technology it used elsewhere after the Chinese government blocked it.
It uses a different form of encryption, with the digital keys it uses to unlock the data stored in the same facilities. This was expressly requested by Chinese officials after Apple tried to keep the keys in the US.
After the data residency law was enforced in June 2017, Apple first resisted moving the keys, but they were shifted to China eight months later. It is not known why.
Outside of China, Apple stores the keys on hardware security modules developed by Thales. Chinese officials did not allow the device to be used, so a new one was developed by Apple to be used at the data center.
As Apple does not control the Chinese data centers, it does not have to turn data over to Chinese law enforcement, which would be illegal under US laws. Instead, Chinese authorities can ask GCBD for Apple user data.
“Chinese intelligence has physical control over your hardware — that’s basically a threat level you can’t let it get to,” Matthew D. Green, a cryptography professor at Johns Hopkins University, told the New York Times.
Apple countered the report, claiming in a statement: "We retain control of the encryption keys for our users’ data, and every new data center we build affords us the opportunity to use Apple’s most cutting-edge hardware and security technologies to protect those keys."
The Chinese government must approve any encryption technology that Apple uses in China.
"iCloud needs influential friends in China," an internal Apple report said.
Cloud providers like Amazon Web Services, IBM, and Microsoft Azure have made similar partnerships in China, leaving facilities to be controlled by local companies - usually with state ties. But Apple critics noted that the company has pitched itself as an outspoken defender of privacy, and lambasted rivals for their lack of control over user data - at least in the West.