Apple will reportedly store Russian user data locally, possibly decrypt on request

By Jeremy Horwitz

Laws in Russia have mandated since 2014 that Apple store Russian citizens’ user data within the country, but the company has apparently dodged the requirement — until now. According to a Foreign Policy report (via AppleInsider), Russia’s telecommunications and media agency Roskomnadzor has confirmed that Apple will comply with the local data storage law, which appears to have major implications for the company’s privacy initiatives.

Apple’s obligations in Russia would at least parallel ones in China, which required it turn over Chinese citizens’ iCloud data to a partially government-operated datacenter last year. In addition to processing and storing Russian citizens’ data on servers physically within Russia, Apple will apparently need to decrypt and produce user data for the country’s security services as requested.

While Apple Russia has thus far indicated in government filings that it stores basic ID data such as user names, contact information, educational history, and family members, Russia generally requires telecom providers to archive more user data — such as multimedia messages — for six months, and provide government access to that data without a court order. It’s unclear whether Apple will need to offer access to such data, as well as the wider contents of iCloud accounts, but Russia broadly defines personal data in a manner that could subject photos, videos, music, and books to inspection.

Over the past few years, Apple has taken publicly broad positions on user privacy, yet kowtowed to foreign governments where necessary to continue offering services. Last February, the company handed over Chinese citizens’ iCloud accounts and encryption keys to provincially owned Guizhou-Cloud Big Data, but promised not to compromise users’ data security or create backdoors for governments to access customer data. Within months, the Chinese government was reportedly trying to get Apple to filter out user messages referencing pornography, gambling, or counterfeit goods.

Apple has not yet responded to a request for comment from VentureBeat, nor did it respond to Foreign Policy’s “repeated requests” for comment prior to its publication.