In 2010, Apple’s iOS update included a feature that was little noticed outside the Tibetan plateau in Central Asia and a few communities in neighboring India.
The operating system had become the first mobile platform to support the Tibetan language, and soon Apple products became very popular among Tibetan speakers.
“For a long time iPhones were the only phone that Tibetans wanted to buy,” says Lobsang Gyatso Sither, digital security programs manager with the Tibet Action Institute, an NGO based in Dharamsala, India which monitors, trains, and informs Tibetans around the world about digital security risks. Google wouldn’t officially add this feature for Android devices for another seven years.
Privacy through iPhones
The appeal of iPhones wasn’t only down to their language facilities. Tibet is outside China’s Great Firewall, the vast internet filtering infrastructure which heavily censors content locals can access. Most foreign news sites and web content from Tibet’s Government-in-Exile in India are blocked. Thus, for Tibetans, Apple products came with another big advantage. The devices had access to Apple’s App Store, which offered virtual private network (VPN) apps and secure messaging apps like Signal. This meant that Tibetans could use their iPhones to get access to information blocked by the Great Firewall, such as updates from the Dalai Lama, who fled his homeland in 1959 due to increased repression from the occupying Chinese forces, or independent Tibetan language news outlets such as Voice of Tibet.
In fact, Apple devices have long been popular not only among Tibetans, but also other ethnic minorities, journalists, activists, and human rights lawyers for many reasons, but a key one is that these devices had strong privacy and data protections.
In comparison, the main alternatives – cheaper Android devices made by local manufacturers like Huawei, Xiaomi, and OnePlus – can only download apps though local platforms such as Tencent MyApp, Baidu Mobile and Alibaba’s Wandoujia, because since Google withdrew from the country back in 2010, its search engine and app store have also been blocked by China’s Great Firewall. Such local app stores only carry apps that have been approved by the powerful Cyberspace Administration of China (CAC) – meaning there is little to no ability for users to download foreign news, VPNs, or other secure apps.
These days, however, Apple is starting to look a lot like its Chinese counterparts.
In August 2017, the government implemented a new cybersecurity law, which mandated companies to host user data in the country in partnership with local companies, and also regulated VPN and messaging apps.
Since then, Apple has been quick to comply, compromising its Chinese users’ privacy with little protest and, perhaps more worrying, without properly notifying them. Minorities, and in particular ethnic Tibetans and Muslim Uyghurs, are facing the brunt of this due to the fact that having any illegal or suspicious content on their devices puts them at risk of being jailed, or sent to one of a growing number of reeducation or concentration camps.
Apple targets VPNs in China
The first shift in what Apple offered its Chinese users took place in mid 2017, when itsuddenly removed more than 60 VPN apps from its China App Store, including those from popular services like ExpressVPN, StarVPN, and VyprVPN, all of whom were not registered in China. Suddenly, accessing content beyond the Great Firewall became significantly more difficult. Developers were only sent a short notification saying that their app was removed because “it includes content that is illegal in China.” Only after the removals received significant media attention did Apple release a statement saying that it was complying with local laws.
Developers were surprised by the move. “Unfortunately, Apple did not directly answer our letter asking them to account for VyprVPN’s removal from their app store in China,” says Yasmin Mounajed, marketing director at Golden Frog, VyprVPN’s parent company.
Today, the 100 most downloaded VPN apps on the US App Store are all unavailable on the China App Store. “The Chinese market has always been highly censored and our removal from Apple’s app store is simply one of the ongoing challenges we have faced while providing a VPN service in China,” says Mounajed.
Apple has been quick to comply with China’s cybersecurity laws, compromising users’ privacy with little protest
App removals are especially harmful for iOS users because users cannot easily install apps from non-official sources. This is a security measure and one that is warranted, as Android users, especially in China, are often victims of fake apps from third-party sources that infect their devices or share data with questionable partners. But this also means that when the VPN apps were removed, it became nearly impossible to install them through other means. The only VPN apps left on the App Store were ones registered with the Chinese government – which almost certainly meant that user data was shared.
“When you don’t allow phones to download apps, you’re doing the job of the Chinese government,” says Gyatso.
A privacy double standard
While this censoring of apps received significant attention among China watchers and Asia privacy experts, it got little coverage in the US, where Apple was taking advantage of the controversy around Facebook’s role in the Cambridge Analytica data-harvesting scandal to promote itself as a tech company that cared about user privacy.
For global tech and human rights advocates, this positioning reeked of hypocrisy.
As Apple ramped up its privacy-first rhetoric in the US and Europe, in China, it was conspicuously silent. Even as CEO Tim Cook called for a US data privacy law in line with Europe’s GDPR, Apple was making quiet, regular moves to ensure its data policies met the Chinese government’s requirements.
The most worrying of these moves took place in early 2018, when Apple announced that it would be hosting its Chinese users’ iCloud accounts in a new local data center, so that it could comply with data localization regulations. This meant that all user data would be accessible by a company called Guizhou-Cloud Big Data (GCBD), whose terms of service stated:
If you understand and agree, Apple and GCBD have the right to access your data stored on its servers. This includes permission sharing, exchange, and disclosure of all user data (including content) according to the application of the law.
GCBD is a state-owned company and its terms of service likely means the government can readily access data. For users, these details were buried deep in Apple’s regular terms of service update, one that more than 99.9 percent of users agreed to, most likely not even realizing that they were allowing the state broad access to their data.
Cook has said that “encryption for us is the same in every country in the world” and that Apple holds the decryption keys for its Chinese users’ iCloud data, defending the company’s actions in the country. But if iCloud keys are accessible by GCBD, the encryption itself does not matter, as the government can request access to the keys – and user data – with far greater ease than if it had to go through the US legal system, which would be the case for US-based iCloud accounts.
“[Our] major concern is that the data center for Apple China now is technically not controlled by Apple,” said a spokesperson from Open Mic, a Washington D.C.-based non-profit that works to foster greater corporate accountability at technology companies. “The servers storing Chinese iCloud data belong to [GCBD], and the encryption keys have also reportedly been transferred to China in compliance with the Cybersecurity Law.”
Online data could fuel arrests
A critical issue is that Chinese iCloud data, newly accessible by the government, could be used to make politically-fueled arrests.
Back in 2005, the journalist Shi Tao was arrested and it was only months later that it was determined his arrest was partly due to the internet company Yahoo providing the Chinese government access to Shi’s emails, enabling them to discover leaked information and sentence him to 10 years in jail.
This failure of Yahoo to protect its users’ privacy from a government was a wake up call for global tech companies. Few had processes in place to handle government requests for information. Relying on courts to properly vet warrants or other data requests was problematic enough in democratic countries with independent judiciaries. In China the lines between party, state, and the legal system are blurred, with the ruling Communist party having significant power over outcomes. The conviction rate in trials is 99.9 percent and few ever go free, even if the charges are politically motivated.
Shi’s case showed just how unprepared tech companies were to deal with the challenges of operating behind the Great Firewall – and what’s more, the backlash from foreign media over Yahoo’s role in a journalist’s arrest has driven down transparency from Chinese authorities regarding how data gathered from digital sources is used to arrest or jail people.
“[I speculate] that ever since the Shi Tao case, the government is pretty reluctant to put evidence that they find through surveillance [and] data gained through companies…in indictments or court verdicts,” says William Nee, a business human rights analyst at Amnesty International in Hong Kong.
Charlie Smith, the co-founder of GreatFire.org, a non-profit organization that monitors the status of websites censored by the Great Firewall, concurs. “Cloud companies will keep quiet like Apple keeps quiet. There may be many cases of people getting prosecuted because of the complicit actions of a cloud company, but that information would likely not come out in a trial,” he says. After all, a lack of visibility on its activities in China is good for Apple and its image as a privacy-minded company; it may also conceivably not even know when GCBD gives the state access to iCloud data.
Even as CEO Tim Cook called for a US data privacy law, in China, Apple was ensuring its data policies met the Chinese government’s requirements.
There are ways for users to protect their privacy, but only if they are proactive and have access to networks overseas. Chen Guangcheng, a Chinese civil rights activists now living in exile in the US, said that Chinese Apple users who care about privacy have registered their accounts abroad, so that their account data would not be synced with GCBD, stored instead on servers outside China. Tibet Action Institute, too, is recommending that its followers do the same as well.
No government requests denied
Could Apple do more to protect its users’ privacy in China? The key defense the company has used is that has no choice if it wants to operate in the country, and that discontinuing its services would impact Chinese users’ privacy even more negatively. And, as nearly all Apple products are manufactured in China, even a small push-back could put its entire supply chain at risk.
“Apple bears some blame for getting into this position in the first place, but when it built its Chinese supply chain, it wasn’t the major data and content gatekeeper it is now: cloud sync was not a standard feature, and the centralized App Store didn’t exist,” says Samuel Wade, deputy editor at China Digital Times. “I just don’t think Apple is in a position to refuse. There’s no limit to the havoc Chinese authorities could wreak on it.”
But one area where Apple has been lacking is its transparency about what actions it has taken in order to satisfy Chinese authorities. In fact, many have wondered if Apple has been totally honest about how it has molded its services for Chinese users, and in the past two years, people have noticed more than just VPN apps missing from the China App Store. For example, news apps, like the New York Times Chinese app, are no longer available.
The only VPN apps left on the App Store are ones registered with the Chinese government – which almost certainly means that user data would be shared.
So GreatFire.org, which also provides tools to deal with censorship in China, joined with Tibet Action Institute and the Tibetan Computer Emergency Readiness Team (TIBCERT) to investigate censorship around apps that contained content about Tibet. In preliminary findings released in June 2019, they found that 29 out of 119 apps analyzed had been removed for including even the very mention of the Dalai Lama or sharing news about Tibet or Tibetan culture.
A few weeks after GreatFire and Tibet Action released their findings, Apple released its latest transparency report, for the second half of 2018. For the first time, it listed the number of app removal requests. Of the 634 requests, 517 were from China. But dig deeper and there are not many details on what this actually entails, or even how these requests were received.
“The data [Apple] provides on the scale of requests from China is welcome and striking, [but] it’s not accompanied by the kind of specifics that would let us make much sense of it,” says Wade. For example, it is unclear what the guidelines for removals are, or whether it was Apple or developers that removed the apps. It does show, however, that in 2018, Apple did not refuse a single request from the Chinese government.
Not so transparent report
Apple’s figures don’t match up with the findings of GreatFire’s AppleCensorship tool, which allows users anywhere in the world to determine if their app is being blocked in China as compared to their home country. This tool documented that over 1000 apps are unavailable in China, with many, as the Tibet report also shows, that are not “gambling or pornography.” Apple’s report also does not disclose how many times the Chinese government accesses iCloud data or what the process is for determining if data requests are legal under Chinese law, though it did state that the Chinese government made just 689 requests to access information about Apple devices. There is no way to be sure what data Apple or GCDB have shared, or could share, with the Chinese government.
This is par for the course for the company.
“Apple is rarely transparent about anything,” says Wade, speaking on the company’s actions in China. “It’s volunteered very little on these issues in China, and given little substantial response to third-party findings beyond formulaic appeals to the authority of local laws.”
Of the 634 requests to remove apps from the App Store in the second half of 2018, 517 were from China.
Furthermore, Apple is not a member of the Global Network Initiative (GNI), a non-governmental organization with the dual goals of preventing internet censorship by authoritarian governments and protecting the internet privacy rights of individuals. GNI counts as members Facebook, Google, and Microsoft – which is the only of these companies to operate in China – and gives companies a framework to incorporate, in a private setting, human rights concerns into their business practices.
According to Rebecca MacKinnon, the director of Ranking Digital Rights, Apple seems to lack even basic due diligence and human rights risk assessment processes.
“[Compliance with Chinese law] is not an adequate defense because there are different ways to interpret what it means to follow the law,” says MacKinnon. “Because Apple doesn’t engage in things like the GNI, whether they subject decisions about products in China to any due diligence … is just a black box.”
The lack of transparency means that privacy-minded users are forced to assume the worst – that all their iCloud data is potentially accessible by the state and that all VPN and messaging apps available on the App Store could be equally insecure.
In 2018, Apple did not refuse a single app removal request from the Chinese government.
Minority groups at especial risk
Under Chinese law, having or sharing illegal content on your phone or personal device alone is enough to land you in jail. The definition of “illegal” varies greatly, especially for China’s ethnic minorities. A photo of the Dalai Lama on his phone was enough to get a Tibetan monk arrested and jailed in 2016. More recently, ethnic Uyghurs have been sent to concentration camps that exist outside the Chinese legal system for having religious content on their phones, downloading WhatsApp, or even communicating with someone living in a Muslim country. Because there’s no legal process in these instances and little visibility on authorities’ actions, it’s possible that digital evidence, perhaps from Apple’s shared iCloud servers, is one reason that some Uyghurs are in jail.
If evidence emerges that any Uyghur, Tibetan, or Chinese dissident is in jail or a concentration camp due to content that the government was able to access through iCloud, Apple should be partially to blame.
“[Apple] will be responsible if someone in China is arrested or convicted because of data stored on iCloud,” says Chen. “We should expect more in terms of its moral foundation and have higher demands on Apple.”
Censorship trending beyond China
Meanwhile, Apple continues to appease the Chinese authorities, far beyond the bare minimum. Tim Cook was the most prominent US executive to attend China’s World Internet Conference in 2017, which is part of a far broader plan by the emerging power to redefine cyber policies globally. It calls for cyber sovereignty, in which each country controls data and content within its own borders. Not surprisingly, as Chinese influence and investment grows, Chinese-style censorship, data control, and web blocking are on the rise in emerging markets across the world.
For example, Zimbabwe is embarking on a mass facial recognition project with China’s Cloudwalk Technology that could enable greater government surveillance of dissidents in a country with a bleak human rights record. Ecuador now has a comprehensive mass surveillance system set up by state-owned China National Electronics Import and Export Corporation. Other countries, such as Iran, are expanding censorship of digital content, and there is evidence that China may have played a role.
Apple’s lack of transparency means that privacy-minded users are forced to assume the worst – that all their iCloud data is potentially accessible by the state
Some countries are following China’s legal framework as a tool to increase control of data flows within their borders. According to the Information Technology and Innovation Foundation, several countries in Asia are in various stages of increasing the state’s ability to monitor and control private data.
The most egregious example is Vietnam’s cybersecurity law, which went into effect at the start of this year. It has entire passages which look like they were translated, copied, and pasted from the Chinese law, mandating data localization and making it easier for governments to access data. Earlier this summer, Vietnamese Information Minister Nguyen Manh Hung called on the country to develop its own versions of Google and Facebook. His goal could be to reverse-engineer the model from across his country’s northern border, where Chinese blocking of foreign platforms allowed local alternatives – WeChat, Baidu, Weibo – to flourish, giving the state access to massive quantities of private data about its citizens. And Vietnamese authorities would probably expect Apple to act in Vietnam as it has in China.
“When Apple stops pushing back against countries like China, saying there is a local law, then what about all these different countries where these kind of laws are going to be implemented?” says Gyatso. “How can you take a step away and say we’re only going to do this for this country and not that country?”
Domino effect on privacy
Many digital rights activists believe that Apple’s failure to stand up for users in China could impact users everywhere as China’s authoritarian model of internet control spreads across the world.
“When companies [like Apple] decide to operate in China, on China’s terms, just for the sake of the massive market, then other countries might replicate what China is doing, and then it becomes very hard for the company to push back, because they’ve already capitulated in China,” says Nee.
Other tech companies, already under pressure from governments and law enforcement citing national security, could also face a tougher stance on providing access to user data.
Apple is the largest technology company in the world by revenue and market capitalization, and also one of the most recognizable brands. The actions of a company this large, and which sells products all around the world, has an impact far beyond its bottom line. It sets industry standards and its recent moves in China could be the example that leads companies towards weaker privacy protections for users not only in China, but around the world.
“It makes it harder for other companies to push back,” says Nee.
For Tibetans, the joy that came across the plateau in 2010 has long faded, and many now can only use highly censored and insecure Chinese apps like WeChat to communicate and access information.
It’s a dramatic shift. Here, Apple was once so beloved that there were stories claiming that when former CEO Steve Jobs passed away in 2011, Tibetans conducted prayer rites for him because of the impact he had on their community.
Tim Cook’s legacy will be far different, as the man who allowed the Chinese government to change what Apple could give, taking away what little digital freedom Tibetans, Uyghurs, and others in China once had.