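How to view "iCloud keys for Chinese accounts will be stored in China"
Author's note:
This is another article riding on a hot topic, but it feels well worth writing. It is closely related to my previous article, [What the US Cloud Act Actually Says]: the Reuters report of February 24, "Apple moves to store iCloud keys in China, raising human rights fears", touches on the question of law enforcement obtaining data across borders. That is also the core issue in the Microsoft and FBI case that the US Supreme Court is about to hear. The Reuters report has no Chinese translation yet, but I encourage everyone to read the full English text [appended below].
Main text: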
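After Apple announced last month that its iCloud service in China would be operated by the Guizhou-based company Guizhou-Cloud (云上贵州), Chinese and foreign media ran a dense round of coverage. On February 24, the Reuters report mentioned above "kicked off" a new round of heated discussion. This time the focus is mainly on how iCloud keys are stored. According to the Reuters report, iCloud keys (with which most of the content of a user's iCloud account can be accessed) have never been stored anywhere outside the United States. Moving Chinese users' iCloud keys into China is an unprecedented first.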
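Apple and Guizhou-Cloud are both data controllers
In fact, once Apple decided to provide the iCloud service to Chinese users jointly with Guizhou-Cloud, storing iCloud keys in China was an inevitable step.
First, look at the rest of the world outside China. There Apple operates iCloud on its own, so Apple is the sole data controller. On page 53 of the latest edition of Apple's "iOS Security, iOS 11" (January 2018), Apple gives the following explanation:
In the second paragraph, Apple mentions that it uses third-party cloud storage services, such as S3 and Google Cloud. But the content stored in the third-party clouds does not include "any user-identifying information"; it is merely a pile of encrypted files that the third party cannot read. Apple stores the user file's metadata and the keys used to encrypt the user's data content in the iCloud account. In this arrangement the third-party cloud storage provider is clearly only a data processor, while Apple is the sole data controller.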
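However, China's cloud services business is subject to regulatory requirements on foreign-investment access. In particular, the "Notice on Regulating Business Conduct in the Cloud Services Market (Draft for Comment)", on which the Ministry of Industry and Information Technology solicited comments at the end of 2016, explicitly requires:
Where a cloud service operator carries out technical cooperation with relevant entities, it shall report the cloud service cooperation matters to the telecommunications regulatory authority in writing. The following conduct must not occur during the cooperation:
(1) leasing or transferring the telecommunications business operating licence to the partner in disguised form by any means, or providing resources, premises, facilities or other conditions for the partner's illegal operation;
(2) the partner signing contracts directly with users;
(3) providing services to users using only the partner's trademark and brand;
(4) unlawfully providing users' personal information and network data to the partner;
(5) other conduct in violation of laws and regulations.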
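Therefore, only Guizhou-Cloud can enter into the iCloud terms and conditions with Chinese users. The second paragraph of that legal document states explicitly: "This legal agreement between you and Guizhou-Cloud Big Data Industry Development Co., Ltd. ("Guizhou-Cloud") governs your use of the ICLOUD product, software, services, and websites (collectively referred to as the "Service")." (see the figure below)
Therefore, Guizhou-Cloud should be regarded as the controller of Chinese users' data, or at least, together with Apple, as a joint controller of Chinese users' data. [On this point, see an awkward sentence in the agreement: "Wherever Guizhou-Cloud is mentioned, to the extent that Apple provides support, it shall be deemed to refer to Guizhou-Cloud and Apple."] But how wide is the scope of that support, and what does it include? There is no way to know.
It is precisely because of the legal roles of Guizhou-Cloud and Apple that the agreement contains a much-disputed newly added clause: "You understand and agree that Apple and Guizhou-Cloud will have access to all data that you store on this service, including the right to share, exchange and disclose all user data, including Content, to and between each other under applicable law."
I think this cooperation arrangement and these legal roles are also one of the important reasons Apple is moving the keys to China. Although Apple was very reluctant about the above arrangement ("While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,"), for the sake of the Chinese market Apple has made this choice.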
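The keys remain under Apple's control
According to the Reuters report, Guizhou-Cloud does not yet appear to be a data controller on an equal legal footing with Apple, particularly with regard to the control and management of the keys.
First, even once the keys are moved to China, they are still managed by Apple alone (Apple says the joint venture does not mean that China has any kind of “backdoor” into user data and that Apple alone – not its Chinese partner – will control the encryption keys.).
Second, Apple (not Guizhou-Cloud) alone receives and handles the legal documents by which Chinese law enforcement requests user data. (Any information in the iCloud account could be accessible to Chinese authorities who can present Apple with a legal order.)
Third, Apple will also reflect the data requests it receives in its transparency reports, and Apple will not respond to "bulk data requests". (Apple said requests for data from the new Chinese data centre will be reflected in its transparency reports and that it won’t respond to “bulk” data requests.)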
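Because the cooperation model and the specific division of labour between Guizhou-Cloud and Apple for the iCloud service cannot be learned from public sources, the analysis in this section stops here. What follows turns to the impact of moving the keys to China on "cross-border law enforcement access to data".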
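Impact on cross-border law enforcement access to data
After much rambling, we finally arrive at the reason I set out to write this article. The Reuters report particularly stresses one point: because the keys will be stored in China, Chinese authorities will no longer need to go through US courts to seek information on iCloud users, and can instead use their own legal system to require Apple to hand over Chinese users' iCloud data. (That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users)
Why did they previously have to go through US courts? Because all iCloud keys were stored in the United States, and only a US court could compel Apple, which is headquartered in the US, to hand over iCloud keys. In other words, not only China but every other government in the world that needed to obtain the contents of a user's iCloud account needed the nod of a US court. In the Reuters report, once the two major protections conferred by US law are lost, namely the independence of the courts and the high standard for issuing search warrants, iCloud content data can easily be examined by Chinese law enforcement, which raises human rights concerns.
Perhaps US law does give a higher standard of protection when it comes to obtaining users' content data, but one question cannot be ignored: merely because they use Apple's products, should communications between Chinese users suddenly fall under the "jurisdiction" of US law?
For law-abiding people that is no problem. But if the data in question is the communications or other stored data of two citizens committing a crime within China, must obtaining that content meet the standards set by US, Japanese or Korean law merely because they used the products of a US, Japanese or Korean company? Clearly, that is unfair.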
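In fact, this is not a problem faced by Chinese law enforcement alone. In May 2017, the UK Deputy National Security Adviser Paddy McGuinness testified before the US Senate Judiciary Committee that, in the past, when individuals located in the UK plotted to commit terrorist offences in the UK, the British police could conveniently intercept the content of their communications (such as phone calls and text messages).
But because of the absolutely dominant position of US internet companies in the UK market, these terrorists increasingly use communication products and services provided by US companies; for example, since May 2013, the ten or so terrorism cases handled by the UK government have all involved US companies' products. In response to UK government requests for communication content, many US companies have stated explicitly that this can only be done through the bilateral mutual legal assistance procedure.
Taking assistance in obtaining content data as an example, the US mutual legal assistance process is as follows: a country sends a mutual legal assistance request to the United States, which is received and reviewed centrally by the Department of Justice; once approved, the Department of Justice sends it to the U.S. Attorney’s office, which must apply for a search warrant from a judge in the competent jurisdiction; the prosecutor then serves the warrant and obtains the corresponding data; after the U.S. Attorney’s office and the Department of Justice have each reviewed the data, it is delivered to the requesting foreign government. A US judge decides whether a warrant should issue only on the basis of whether the grounds submitted by the foreign government meet the US domestic threshold for issuing a search warrant, not on the basis of the foreign law itself.
In other words, for a local crime committed by locals, where the British police could previously carry out interception through domestic legal procedures, now, because US companies' products were used, they must instead meet the "threshold" for interception or search under US law, and must also obtain the consent of US prosecutors and judges before they can obtain the communications between the criminals. That is before counting the manpower cost involved and the seemingly endless wait. [According to research by US scholars, when a foreign country submits a legal assistance request to the US government, the average processing time is 10 months.]
It was against this background that the Cloud Act bill proposed allowing "qualifying foreign governments" to issue orders for data directly to data controllers within the United States. Of course, the precondition is meeting a series of thresholds. [See What the US Cloud Act Actually Says]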
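So is it legitimate to require Apple, through Chinese legal procedures, to provide the content data of Chinese users' iCloud accounts?
First, China cannot possibly become a "qualifying foreign government" under the Cloud Act. So between China and the United States, the only routes remain bilateral mutual legal assistance or police cooperation. In the Reuters report, Apple itself says that from mid-2013 to mid-2017, although it received 176 data requests from the relevant Chinese authorities, the company did not once provide user account content to Chinese regulators. By contrast, Apple responded to 2,366 of 8,475 requests from the US government by providing the United States with user account content. (From mid-2013 to mid-2017, Apple said it did not give customer account content to Chinese authorities, despite having received 176 requests, according to transparency reports published by the company. By contrast, Apple has given the United States customer account content in response to 2,366 out of 8,475 government requests.) This shows how difficult cross-border law enforcement access to data is.
Second, the users moved to the Chinese data centre are essentially all Chinese citizens located within China. From my own personal experience, to change an Apple ID's region to somewhere outside China, either the IP address at registration must be a foreign one, or one must be able to provide a foreign credit card and payment method. Foreigners in China can easily use the latter to change their Apple ID to an overseas region. So these two methods basically ensure that Guizhou-Cloud serves only "locals". And for us locals to be subject to local law is perfectly normal.
Of course, the premise of all the above discussion is that Chinese law enforcement's access to data complies with Chinese law. That is also the author's sincere hope. On that premise, when requesting data in Chinese users' iCloud accounts from Apple for local law enforcement purposes, the Chinese government no longer needs, as other governments do, first to obtain the nod of the United States.
Having typed all these words, I really want to say just one thing: setting aside for the moment our country's cloud market access policy, if the international mutual legal assistance procedure is not reformed, requirements for data localization to facilitate law enforcement inquiries and investigations may become more and more common. This is as true abroad as it is in China.
Appendix: full text of the Reuters report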
Apple moves to store iCloud keys in China, raising human rights fears
Stephen Nellis, Cate Cadell
February 24, 2018
SAN FRANCISCO/BEIJING (Reuters) - When Apple Inc (AAPL.O) begins hosting Chinese users’ iCloud accounts in a new Chinese data centre at the end of this month to comply with new laws there, Chinese authorities will have far easier access to text messages, email and other data stored in the cloud.
That’s because of a change to how the company handles the cryptographic keys needed to unlock an iCloud account. Until now, such keys have always been stored in the United States, meaning that any government or law enforcement authority seeking access to a Chinese iCloud account needed to go through the U.S. legal system.
Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.
Human rights activists say they fear the authorities could use that power to track down dissidents, citing cases from more than a decade ago in which Yahoo Inc handed over user data that led to arrests and prison sentences for two democracy advocates. Jing Zhao, a human rights activist and Apple shareholder, said he could envisage worse human rights issues arising from Apple handing over iCloud data than occurred in the Yahoo case.
In a statement, Apple said it had to comply with recently introduced Chinese laws that require cloud services offered to Chinese citizens be operated by Chinese companies and that the data be stored in China. It said that while the company’s values don’t change in different parts of the world, it is subject to each country’s laws.
“While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,” it said. Apple said it decided it was better to offer iCloud under the new system because discontinuing it would lead to a bad user experience and actually lead to less data privacy and security for its Chinese customers.
As a result, Apple has established a data centre for Chinese users in a contractual arrangement with state-owned firm Guizhou - Cloud Big Data Industry Co Ltd. The firm was set up and funded by the provincial government in the relatively poor southwestern Chinese province of Guizhou in 2014. The Guizhou company has close ties to the Chinese government and the Chinese Communist Party.
The Apple decision highlights a difficult reality for many U.S. technology companies operating in China. If they don’t accept demands to partner with Chinese companies and store data in China then they risk losing access to the lucrative Chinese market, despite fears about trade secret theft and the rights of Chinese customers.
BROAD POWERS
Apple says the joint venture does not mean that China has any kind of “backdoor” into user data and that Apple alone – not its Chinese partner – will control the encryption keys. But Chinese customers will notice some differences from the start: their iCloud accounts will now be co-branded with the name of the local partner, a first for Apple.
And even though Chinese iPhones will retain the security features that can make it all but impossible for anyone, even Apple, to get access to the phone itself, that will not apply to the iCloud accounts. Any information in the iCloud account could be accessible to Chinese authorities who can present Apple with a legal order.
Apple said it will only respond to valid legal requests in China, but China’s domestic legal process is very different than that in the U.S., lacking anything quite like an American “warrant” reviewed by an independent court, Chinese legal experts said. Court approval isn’t required under Chinese law and police can issue and execute warrants.
“Even very early in a criminal investigation, police have broad powers to collect evidence,” said Jeremy Daum, an attorney and research fellow at Yale Law School’s Paul Tsai China Center in Beijing. “(They are) authorized by internal police procedures rather than independent court review, and the public has an obligation to cooperate.”
Guizhou - Cloud Big Data and China’s cyber and industry regulators did not immediately respond to requests for comment. The Guizhou provincial government said it had no specific comment.
There are few penalties for breaking what rules do exist around obtaining warrants in China. And while China does have data privacy laws, there are broad exceptions when authorities investigate criminal acts, which can include undermining communist values, “picking quarrels” online, or even using a virtual private network to browse the Internet privately.
Apple says the cryptographic keys stored in China will be specific to the data of Chinese customers, meaning Chinese authorities can’t ask Apple to use them to decrypt data in other countries like the United States.
Privacy lawyers say the changes represent a big downgrade in protections for Chinese customers.
“The U.S. standard, when it’s a warrant and when it’s properly executed, is the most privacy-protecting standard,” said Camille Fischer of the Electronic Frontier Foundation.
Apple has given its Chinese users notifications about the Feb. 28 switch over to the Chinese data centre in the form of emailed warnings and so-called push alerts, reminding users that they can choose to opt out of iCloud and store information solely on their device. The change only affects users who set China as their country on Apple devices and doesn’t affect users who select Hong Kong, Macau or Taiwan.
Apple doesn’t require an iCloud account to set up and use an iPhone. But if the user enables iCloud during set up, the default settings on the iPhone will automatically create an iCloud back-up. Apple declined to comment on whether it would change its default settings to make iCloud an opt-in service, rather than opt-out, for Chinese users.
Apple said it will not switch customers’ accounts to the Chinese data centre until they agree to new terms of service and that more than 99.9 percent of current users have already done so.
Until now, Apple appears to have handed over very little data about Chinese users. From mid-2013 to mid-2017, Apple said it did not give customer account content to Chinese authorities, despite having received 176 requests, according to transparency reports published by the company. By contrast, Apple has given the United States customer account content in response to 2,366 out of 8,475 government requests.
Those figures are from before the Chinese cyber security laws took effect and also don’t include special national security requests in which U.S. officials might have requested data about Chinese nationals. Apple, along with other companies, is prevented by law from disclosing the targets of those requests.
Apple said requests for data from the new Chinese data centre will be reflected in its transparency reports and that it won’t respond to “bulk” data requests.
Human rights activists say they are also concerned about such a close relationship with a state-controlled entity like Guizhou-Cloud Big Data.
Sharon Hom, executive director of Human Rights in China, said the Chinese Communist Party could also pressure Apple through a committee of members it will have within the company. These committees have been pushing for more influence over decision making within foreign-invested companies in the past couple of years.
(This version of the story corrects paragraph 7 to read “contractual arrangement” instead of “joint venture”; corrects paragraph 21 to show that Apple does not require an iCloud account to set up an iPhone)