Apple has updated its publicly available iOS security documentation to disclose that personal data associated with the company’s iCloud service is stored in cloud servers operated by Google—specifically, the Google Cloud service.
Apple didn’t specify exactly what iCloud data is stored on Google’s servers. But the new document does explain a little bit about how the data is encrypted. Here is the entire iCloud section entry that includes the Google Cloud reference from the document in question:
iCloud stores a user’s contacts, calendars, photos, documents, and more and keeps the information up to date across all of their devices, automatically. iCloud can also be used by third-party apps to store and sync documents as well as key values for app data as defined by the developer. Users set up iCloud by signing in with an Apple ID and choosing which services they would like to use. iCloud features, including My Photo Stream, iCloud Drive, and iCloud Backup, can be disabled by IT administrators via MDM configuration profiles. The service is agnostic about what is being stored and handles all file content the same way, as a collection of bytes.
Each file is broken into chunks and encrypted by iCloud using AES-128 and a key derived from each chunk’s contents that utilizes SHA-256. The keys and the file’s metadata are stored by Apple in the user’s iCloud account. The encrypted chunks of the file are stored, without any user-identifying information, using third-party storage services, such as S3 and Google Cloud Platform.
S3 is part of Amazon Web Services (AWS). Previously, the document mentioned S3 and Microsoft’s Azure cloud computing service. There is no longer any reference to Azure in the document, but the language does not necessarily preclude continued use of that service. The update to the document came in January; the most recent update before then was in March of 2017.
CNBC, which first reported on this change, frames this as a win for Google Cloud, which has been trailing behind AWS and Microsoft Azure. This is also not the first time we’ve heard about this move; a CRN report cited sources claiming that Apple was exploring this option as a way to cut costs with Amazon way back in March of 2016. Apple’s documentation does not say when the use of Google Cloud actually began, though.
Along with other representatives of Apple, CEO Tim Cook has said publicly that he considers the fact that Apple’s core business model is not monetizing user data to be a value proposition in the marketplace. He was clearly trying to distinguish Apple’s platforms from those offered by Google.
These were Cook’s words at a 2015 event in Washington, as quoted by TechCrunch:
We don’t think you should ever have to trade it for a service you think is free but actually comes at a very high cost. This is especially true now that we’re storing data about our health, our finances, and our homes on our devices… We believe the customer should be in control of their own information. You might like these so-called free services, but we don’t think they’re worth having your email, your search history, and now even your family photos data mined and sold off for god-knows-what advertising purpose. And we think, some day, customers will see this for what it is.
Storage of iCloud user data on a Google service might seem to undermine this rhetoric at first glance, but it very well may not. In the document quoted above, Apple takes care to assure users that the data is encrypted and stored without any user-identifying information. So even though the data is hosted by Google, it is probably not accessible or actionable in any useful way by Google. Further, Google has a responsibility and every incentive to respect the data of its enterprise customers—especially with a deal like this, which may have been worth hundreds of millions of dollars. In any case, this shift is not about users’ data privacy; it’s about Apple getting a better deal and reducing reliance on AWS.