Written by Michael Caster, Asia Digital Programme Manager at ARTICLE 19.
Apple says it cares about privacy. The company’s human rights policy professes a ‘deep sense of responsibility to make technology for people that respects their human rights [and] empowers them with useful tools and information.’
At its June 2021 Worldwide Developers Conference, Apple unveiled a tool for Safari that will help users mask their browsing activity. In April, it let users opt out of invasive data tracking. It has publicly stood up to US government efforts to access user data and resisted FBI pressure to create a backdoor for the iPhone. At the time, in 2016, Apple’s CEO Tim Cook said such a backdoor would undermine privacy, and that ‘no reasonable person would find that acceptable.’
The company has sought to position itself as a global advocate of user privacy and promoter of free expression. But in China, where it earns a fifth of its revenue, it has done precisely what it has elsewhere called unacceptable.
It is time for Apple to reconcile these contradictions.
Apple’s China compromise
Doing business in China forces companies to make human rights concessions. This is especially true of tech companies, in part because China’s Cybersecurity Law requires them to monitor and report network activity to the government and censor information deemed politically sensitive by authorities. Tech companies operating in China must also store users’ data in the country. Such requirements undermine the rights to privacy, expression, and access to information.
In 2017, still fresh from its privacy rights stand against the FBI, Apple shockingly turned around and announced it would transfer Chinese iCloud data from servers in the US to China under state-owned Guizhou-Cloud Big Data, in compliance with the Cybersecurity Law.
In early 2018 Tim Cook told VICE News Tonight that he saw privacy as a fundamental human right and sought to reassure people that despite the hosting of data in China that the company was safeguarding the decryption keys for Chinese iCloud data.
However, soon after the data centre opened, Apple acknowledged that Chinese iCloud decryption keys would be stored in China, in the same government-owned data centre Cook would have had us believe Apple was keeping safe.
China’s Cryptography Law, which took effect in January 2020, reaffirms the state’s authority over encryption and decryption technologies, making it all but impossible for firms like Apple to secure user data from government intrusion. While the law relaxes some restrictions on foreign firms and commercial encryption services, it does so only as long as the government can maintain the decryption keys needed to access data under the Cybersecurity Law.
Effectively, according to the Carnegie Endowment for International Peace, ‘Beijing requires commercial companies maintain backdoors or key escrows to preserve government access to data for public security and intelligence gathering.’ Apple has played along in China despite calling such requirements in other countries unacceptable.
These concessions, say security experts and former Apple engineers recently interviewed by the New York Times, make it almost impossible for Apple to prevent Chinese authorities from accessing user data, from emails to location information. So much for protecting user privacy.
Even though new privacy regulations in China are admittedly a step in the right direction, they will not be a sufficient antidote to the pressure on tech companies like Apple to sacrifice user rights for market access.
Earlier this year, China unveiled the second draft of the Personal Information Protection Law, which is expected to pass at the end of the year. In some ways, the draft law introduces greater privacy protections for user data than currently exist in the US. Among its provisions, the draft places a high premium on transparency and user consent, allows for users to opt out of algorithmic-targeting, and calls for internet platforms to form independent committees to supervise how personal information is handled and regularly release social responsibility reports. These are welcome privacy protection measures.
But the draft law has loopholes, allowing for abuse by the state. While it calls on government officials to notify individuals and obtain their consent before accessing their data, it also introduces several broad and vague exceptions for when ‘laws or administrative regulations provide that secrecy shall be protected’ or where notification and obtaining consent will impede official ‘duties and responsibilities.’
Not only is it easy for officials to access Chinese iCloud data, police in theory won’t even need to notify or obtain consent from Apple or the target iCloud users to do so.
In addition to its privacy concessions, Apple has become a tool of censorship in China.
A recent report by the New York Times reveals that Apple has gone even further than previously known to comply with censorship requirements imposed on those operating in China.
To satisfy censors, Apple proactively reviews and rejects apps that deal with certain sensitive topics, such as the Tiananmen Square massacre or the Dalai Lama. At the same time, Apple hosts apps by the Xinjiang Production and Construction Corps, which is on a US sanctions list because of its involvement in crimes against humanity targeting Uyghurs. Since 2017, Apple has deleted thousands of apps from the App Store for Chinese users, including over 600 news apps. Other apps blocked in China include Signal encrypted messenger and the audio chat app Clubhouse, which had briefly provided a platform for freer expression on banned topics.
Apple even censors what Chinese users can access outside of China. If you log into the App Store with your Chinese Apple ID, whether in Paris, Bangkok, or New York, you will see the same censored content as if you were still in Beijing or Kunming.
China promotes digital sovereignty, the idea that it has an absolute right to regulate its domestic internet ecosystem. But while it expects Apple and other companies operating in China to comply with its national laws, at the same time it has increasingly expected the imposition of its repressive regulations outside its borders.
The new Data Security Law passed in June, and taking effect in September 2021, further positions China’s jurisdiction over data outside of China that ‘harm[s] the national security of [China]’ or ‘the public interest.’ This risks increasing extraterritorial requests for data access or censorship demands from China, and potentially chilling global expression. How will companies like Apple or Microsoft with significant market shares in China respond if China calls for greater cross-border censorship cooperation in their services? The recent trend doesn’t look good.
Also among the apps deleted from the App Store are circumvention tools like virtual private networks (VPNs), used to get over the Great Firewall and access the internet outside of China’s tight controls. The UN Special Rapporteur on the freedom of expression has noted that VPNs are important for the right to access or share information in part because they allow users to circumvent censorship and browse the internet anonymously.
This brings us back to Apple’s new Safari privacy feature announced in early June, designed to encrypt browsing activity as part of Apple’s professed commitments to digital rights.
Except, Apple has already said the feature will not be allowed in China—nor in Belarus, Saudi Arabia, Turkmenistan, or several other highly restrictive countries where greater tools to protect internet freedom are most needed.
Apple has become the most valuable brand in the world partly because it has capitalised on China as a market for production and sales, but at considerable compromise to its professed commitments to user rights. This needs to change.
Apple needs a human rights upgrade
The UN Guiding Principles on Business and Human Rights call on companies to address the adverse rights impacts with which they are involved, including the rights to privacy, freedom of expression, and access to information online. This is also elaborated in the Global Network Initiative’s Principles on Freedom of Expression.
Apple would have us believe that, as stated in their human rights policy, they ‘respect national law while seeking to respect the principles of internationally recognized human rights.’
If Apple is serious, the company must commit to full transparency of what principles it has conceded for market access, especially how it has handled censorship requests, handed over user data, and what efforts, if any, it has taken to resist such repressive measures. It should commission a new human rights impact assessment, and ensure all findings are made public.
It is time for Apple to reconcile the contradictions between the principles it claims to support in most of the world and what it does in China, and other authoritarian states.
Apple is not without leverage. It is politically and economically important to the Chinese government, and it should use that leverage to oppose rights abuses in which it is currently complicit.
If Apple can’t maintain its rights commitments and do business in China, perhaps it shouldn’t stay in China. At the very least, it’s time to stop pretending it cares about digital rights.
For more information
Michael Caster, Asia Digital Programme Manager, firstname.lastname@example.org.