Let’s begin at the end – because news stories generally should start off with the most recent information. Speaking under oath to the US Congress, Apple’s general counsel Bruce Sewell said: “I want to be very clear on this. We have not provided source code to the Chinese government.”
It’s a strange thing to have to say. But the rumours have been swirling for a while. So I tried to track them down to their source. It turns out to be much stranger than you’d think.
Beginning with the briefs
A month ago, when Apple was fighting off the FBI’s demand that it unlock an iPhone 5C used by one of the San Bernadino killers, the US government seemed to suggest that Apple had already helped out the Chinese government.
In a sworn affidavit, Craig Federighi, Apple’s SVP of software engineering, flat-out denied it: “Apple uses the same security protocols everywhere in the world. Apple has never made user data, whether stored on the iPhone or in iCloud, more technologically accessible to any country’s government. We believe any such access is too dangerous to allow. Apple has also not provided any government with its proprietary iOS source code.”
In its “Reply Brief in Support of Apple’s Motion to Vacate” (relating to Apple’s legal tussle with the FBI over the creation of ‘GovtOS’ to hack into the iPhone 5C used by one of the San Bernadino shooters), on pages 20 and 21 Apple says:
“Finally, the government attempts to disclaim the obvious international implications of its demand, asserting that any pressure to hand over the same software to foreign agents ‘flows from [Apple’s] decision to do business in foreign countries…’. Contrary to the government’s misleading statistics, which had to do with lawful process and did not compel the creation of software that undermines the security of its users, Apple has never built a back door of any kind into iOS, or otherwise made data stored on the iPhone or in iCloud more technically accessible to any country’s government.
The government is wrong in asserting that Apple made ‘special accommodations’ for China, as Apple uses the same security protocols everyone in the world and follows the same standards for responding to law enforcement requests.”
At that point Apple’s brief cross-refers to Federighi’s sworn statement – which means if it’s untrue then he’s perjuring himself, and liable to imprisonment.
Why does this matter? Because there are quite a few people who are completely convinced that Apple has given the Chinese government access – at least for code review, perhaps for more – to the iOS source code. And the US government repeated that claim in its docket, apparently leaning on various claims about Apple made in the media, rather than supplying something a bit more, well, robust.
I think I’ve tracked down the basis for this meme. As with a lot of modern journalism, it starts with a pretty wild claim, and then it gets repeated – but nobody bothers to actually check the original.
Cutting into Quartz
As far as I can ascertain, the first time an English-language site (or indeed any site) suggested that Apple had provided source code to China’s government was in a January 23, 2015 article in Quartz, headlined “Apple is reportedly giving the Chinese government access to devices for ‘security checks’“.
That’s a pretty straightforward headline on an article which Quartz’s Asia correspondent Heather Timmons, an experienced journalist, wrote, following up on a tweet the day before from the state-run People’s Daily in China:
— People’s Daily,China (@PDChina) January 22, 2015
OK, but what are “security checks”? Tim Cook was quoted in the story with a preemptive denial:
“There were rumors that Apple built back doors in its devices, and let third parties have data and access those devices, but that was never true and that we would never do that in the future either,” Cook reportedly said.”
Why “reportedly” said? Because the quote is a translation from a story in the Chinese-language Beijing News, which said that Lu Wei, the director of the National Internet Information Office, met in early December (2014) with Cook, who “said China will cooperate with network security assessment of Apple products”.
The article continues (via Google Translate): “China is also willing to open to Apple and other technology giants, but only if the iPhone, iPad and Mac products must ensure information security and privacy of users, while maintaining national security.”
It then has the Cook quote about back doors, to which Lu Wei responded [in translation] “You said not, your new products to make our network security officer for evaluation. We need to draw conclusions, so that consumers must be assured.” Cook said Apple will fully cooperate with the Network Security Assessment China [of] Apple products, to ensure that the user can feel safe and secure during use of the product… which means that Apple is willing to accept China became the first official review of network security company.”
The Bing translation is pretty much identical, except that it uses “reliable” rather than secure. The tone is the same: no mention of source code. (Better translations welcomed.)
Timmons clearly wondered what a security check entails, and noted that Apple didn’t provide any information when contacted, and sought some outside opinions. But then things go a bit askew. Timmons continues:
“But analysts said the most likely interpretation is that the company is giving Beijing access to its operating system source code in return for being able to continue to do business in China”
Now that’s a pretty big claim to anyone who knows what source code is. So, which analysts? The first seems to be ‘Percy Alpha’, “a pseudonymous founder of the anti-censorship group Greatfire.org”, which monitors connectivity and censorship topics around China’s “Great Firewall”.
‘Percy Alpha’ is quoted as saying:
“Handing over source code [would] mean that the Chinese government would know exactly how an Apple software works.”
Well, yes, it would. But there’s no evidence provided that “Percy Alpha” knows that is what happened. However, the story mentions “analysts”. Who else says Apple handed over the source code? The next quoted is Ben Cavender or China Market Research Group in Shanghai, saying that
if that is in fact what has been agreed, it’s a landmark deal, and Apple has not generally provided such information to other governments.
Clearly, Cavender doesn’t know if it has or not; my reading of the structure of the story is that Cavender was presented with the ‘Percy Alpha’ quote and asked to comment on it. Which leaves us with “Percy Alpha”. What, exactly, did he know?
Bear that question in mind, but put it to one side for a moment while we watch this “source code” story spread. (This isn’t, by the way, a criticism of Timmons; she asked people questions, and reported what they said. It’s notable too that the person who wrote the headline on the piece didn’t go with the “source code” element; instead, they went for the “access to devices” angle.)
On the same day, an article in iDigitalTimes on the same day references the first Quartz article – though it talks to someone different, at Quarks Labs [unrelated to Quartz, the news outlet] who says “Apple giving access to the source code of their product? Never!” (The quotes from the person at Quarks Labs are actually worth reading. One wonders what might have happened if they’d been in Timmons’s contacts book.)
Even so, the idea had begun running.
Next up, in terms of size, was Engadget, also on the same day, with an article saying “Apple lets China examine iOS code to assuage spying fears”. The basis for the claim? “According to the Beijing News, Chinese officials met with the [Apple] CEO in December to reach a deal which will allow the State Council Information Office to check for backdoors.” It’s the same Beijing News link, but there’s absolutely no supporting evidence – either in the story or the translation – to support the “source code” claim. And yet there it was.
The San Bernadino shootings in December, and the subsequent resistance by Apple to the FBI’s demands to hack into one of the shooters’ phones, brought this claim back to life again.
Among those who revived it was one of Quartz’s own writers in a February 17, 2016 piece headlined “Apple is openly defying US security orders, but in China it takes a very different approach”. “If Apple had indeed agreed to a Beijing security audit, it could have shared vital information with the Chinese government, such as its operating system’s source code, that could indirectly help government agents discover vulnerabilities on their own,” the writer observed.
The basis of the “source code” claim? The original Quartz story, the writer told me.
Not all outlets regurgitated the claim. A New York Times story on February 21 this year noted that “Apple sees value in its stand to protect security” and pointed out that
In China, for example, Apple — like any other foreign company selling smartphones — hands over devices for import checks by Chinese regulators. Apple also maintains server computers in China, but Apple has previously said that Beijing cannot view the data and that the keys to the servers are not stored in China. In practice and according to Chinese law, Beijing typically has access to any data stored in China.
No mention of source code. But Lawfare, a legal blog founded by a team including former advisers to Barack Obama, thought there should have been – so they created it. “Some reports have speculated that while Apple defies the US government it has no problem acquiescing to Beijing’s security demands”, including backdoors, said a piece on February 22. Which “reports”? That Quartz piece. In fact Lawfare, and others, have leant on that original article so many times it seemed worth swimming back upriver to the source.
No firewall, no smoke?
So we return to that earlier question: what exactly did ‘Percy Alpha’ know about Apple’s negotiation with China? I got in touch with Greatfire.org. ‘Percy’ has left, I was told by ‘Charlie Smith’ (another pseudonymous staffer, I’m guessing). Did he know where the “source code” suggestion had come from?
“Are we really the source of this Apple speculation on China?” he answered. “I know that we give Apple a hard time, but are we the only voices who are doing so? I have been looking over the Justice Department filings and have seen Apple’s response saying that there are three sources of information coming from three different newspapers – in your opinion, are we the source for that information in all three publications?”
Yes, I responded, ‘Percy Alpha’ at Greatfire really does seem to be the source.
“I don’t have the smoking gun, and Percy did not either when he gave that quote to Quartz,” said Charlie. The source code quote was “guesswork/speculation”, he said.
OK, but was it informed speculation based on contacts inside the “security review” teams, or people or companies that had gone through it, I asked?
“I would imagine that only a small number of people know exactly what the security review entails – the folks at CAC [Cyberspace Administration of China] and the reps from the companies that have gone through the process,” replied Charlie. “But, yes, I guess I have to agree that this is pure speculation on our part.”
Pure speculation. This didn’t stop Charlie making exactly the same “source code handover” claim in February 2015 to the Washington Post.
That’s because he thinks he’s right. “I believe that they would have had to do that [share the source code] because the authorities had concerns about certain things which would require that they look at the code. If you review the legislation (unofficial translation) it is also clear that an audit would not just be a rudimentary check.”
The translation doesn’t mention an audit, and it’s not obvious where Apple’s phones and the iOS source code would fit into the “Network Information Security” clauses there. More to the point: it’s a big allegation to make based on no direct evidence.
Source code reality
To be clear: source code audits do happen, in China and elsewhere. Notably, in 2012 the Chinese telecoms company Huawei submitted its router source code for review by the UK’s security agencies and the Australian government. (The US’s National Security Agency also targeted that source code for hacking, according to documents released by Edward Snowden.) The topic of Huawei and source code turns out to be a sensitive one, at least for Cisco, which accused Huawei of stealing code back in a lawsuit in 2003-4.
IBM is also reported to have let the Chinese government review “some product source code” in a secure room “without the ability to remove it from a room”, according to the Wall Street Journal in October 2015 – which quoted, at second hand, one of IBM’s own senior vice-presidents speaking in China. The WSJ noted that Microsoft said it had shared some Windows source code with the Chinese government. But Apple’s name is notably absent, either there or in a February 2015 story in the WSJ about US companies’ reluctance to share source code with China.
And of course the Chinese government can easily review the Android source code – famously, it’s open to anyone.
Even the US tries it. In March, Zack Whittaker at ZDNet reported that the US government has attempted to use the Foreign Intelligence Surveillance Act (FISA) to obtain source code from tech companies in numerous lawsuits. (It’s notable that IBM’s statement to Whittaker leaves lots of wiggle room: “the company does not provide ‘software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.'” Which leaves other purposes open.) Many of the companies contacted didn’t comment. We have Federighi’s response for Apple from the court docket.
And how do you get at Apple’s source code? It’s very tightly locked away, according to evidence provided at the Apple-Samsung trial in 2012:
Apple source code is provided the highest level of protection and security within Apple. Physical access to the iOS source code is limited to select groups of authorized Apple employees, with access being provided only to portions of cod on a need-to-know basis. Acess is limited to employees directly involved in software development, management, and security. The employees with such access must be approved by management as authorized employees, their accounts must be specifically granted access.
So what access does Apple give in China? There’s a clue in Federighi’s affidavit: right after the part about not allowing access to source code, Federighi states: “While governmental agencies in various countries, including the United States, perform regulatory reviews of new iPhone releases, all that Apple provides in those circumstances is an unmodified iPhone device.” (Emphasis added.)
So in the end, it might come down to simply that: an iPhone for testing.
Critics of Apple – who are plentiful, and include Charlie at Greatfire – say that there’s wiggle room in Federighi’s statement. Regulatory agencies aren’t security agencies, points out Greatfire’s Charlie. To say “Apple has also not provided any government with its proprietary iOS source code” doesn’t rule out showing a government some part of its source code.
In that, he’s right: if you want, you can always find some formula of words that hasn’t been ruled out which might cover some way of interpreting a situation where someone sees some source code. It’s an endless corridor where every door just leads to another. All we have is Apple’s, and Federighi’s, and Sewell’s, denial. Those will satisfy some. They won’t satisfy others.
But it would be good if those claiming Apple has shown – or otherwise shared – its source code with foreign governments could put up some proof of it happening. The reality is that, despite my best efforts, I’ve found nothing solidly founded in anything published; only two denials, by two senior Apple people, on the record, under oath. Ranged against them: one pseudonymous staffer at a Chinese monitoring site.
At a time when the issue of access to Apple’s source code is one of the hottest topics in the technology/legal world, solid proof rather than unfounded speculation seems like the least we should demand from our discourse on the subject.