Russia fines Apple and Zoom for failure to prove domestic data storage A Moscow court has ordered Apple and Zoom to pay fines for refusing to store Russian citizens' data locally. Apple received a penalty of nearly $34,000 on Tuesday while Zoom and a third company called Ookla, which is behind internet access performance tool Speedtest, were fined nearly $17,000 each. Russian regulator …
Full wipe would be malicious intent, even though it would be a hell of a way to go out with a bang.
More like: you have 30 days to (find a way to) back up your iCloud storage locally before it goes away for good. Tough titties if you don’t have the know how to do this. Complaints? Please direct them to the ministry of justice.
Or they could set up an iCloud zone in a Russian DC. Good luck doing that with the current sanctions in place though…
The legislation requiring this (all storage and processing of Russian Federation citizens' data to be conducted on Russian Federation territory) has been in place for several years, but until now has essentially been ignored as it's not been enforced. It's interesting that it is at last, given the political situation. Nevertheless all those businesses that ignored it to date have essentially been operating on borrowed time.
I wonder how e.g. Apple is supposed to know whether any one iphone in Russia is owned by a Russian citizen or not. Does the user have to declare themselves? If so, will all Russian iphone users comply? If they don't, who is at fault? If it's not by user declaration, what scheme could Apple use to infer an owner's citizenship, so they can store data appropriately? Would such a scheme be reliable or foolproof? What if some non-Russian - perhaps a long-term resident non-Russian - accidentally be caught and end up with their data stored locally against their wishes?
I don't see anything wrong in principle with a country demanding that citizen's personal data is not exported, in fact I generally tend to agree with the idea, especially as a default assumption, and especially when relating to specifically interaction-with-government data. But how does it work when the "citizen of" is not obvious - or even deliberately obscured - from the data holder? Especially when that holder is essentially a random foreign company with no obvious need to know the citizenship status of the person using the device they sold.
I wonder how e.g. Apple is supposed to know whether any one iphone in Russia is owned by a Russian citizen or not. Does the user have to declare themselves?
That isn't really the issue. Pretty much every country's telecommunications acts have licensing provisions for devices connected to public networks. So in the UK, you'd need a licence to operate a public switch (ok, router), and the devices that connect to it. Despite potential tax revenues, UK government hasn't gotten as far as creating a 'Phone Licence' to go with it's TVs. So the public can connect devices to the public network 'self-licenced', and regulators reserve the right to restrict some stuff, eg SIM trees.
So inside Russia it's simple. You need a Russian Telecomms licence, which comes with the usual range of requirements, technical and political, ie including stuff like lawful intercept provisions. So local compliance would be if a device is connecting to a Russian network, ISP or mobile network.
It gets more complicated when there's roaming. Operators (and Apple) would still know where the device is, but if the Russian phone is inside say, Washington, then US telecomms legislation would apply. Which also complicates processing a little. So a roaming phone would need some non-Russian processing, but practically that's mostly a billing issue. So theoretically what you mostly need to know is the IMEI/IMSI and who to bill.
Situation's also easy for most data slurpers given they all seem determined to extract the last bit of personal information from their customers devices, which includes all the geolocation stuff needed to know where the phone is, and which legislation applies.
Quote from the article: "A Moscow court has ordered Apple and Zoom to pay fines for refusing to store Russian citizens' data locally".
Given that statement, the citizenship of the phone owner needing to be known by Apple would seem to be an issue. Or are you saying the phone-sim's country of origin is a proxy for citizenship?
(btw I'm not saying the other points you raise are not relevant. But note that as reported, *citizenship* is absolutely also relevant)
Given that statement, the citizenship of the phone owner needing to be known by Apple would seem to be an issue. Or are you saying the phone-sim's country of origin is a proxy for citizenship?
Errmm.. Yes! Ish. I think it's a combination of political and practical. Apple would know where the phone is, where it was sold, and given it's data slurping proclivities, probably citizenship. Just 'confirm your identity' by sending them a copy of your passport. FaceMelta tried this, and seemed a bit put out when I asked them how they could confirm my passport details.
Then there's the legal stuff. So if I were a Russian in Little Odessa, that being in the US (pending future expansion), I'd be obligated to obey US law. So would licensed operators, so mebbe I'm roaming via Verizon, so they'd have to obey US lawful intercept legislation etc. I suspect any kind of special treatment or ring-fencing Russian's data whilst inside the US would require some kind of reciprocity and treaty.. Which I suspect would be unlikely at this time.
So IANAL, but have been involved a few times in telecomms licencing, including Russia. For territorial stuff, most countries follow the same principles, ie they want someone or something local/in their jurisdiction that can be punished. Also kinda why being a statutory company director carries some risks, ie countries want people/assets that can be punished if necessary by their own courts.
Some of it can also be outside of normal telecomms legislation. So you'd need to comply with legislation to get a device registered and roaming outside your home country. Other services like browsing, email, social media etc obviously depend on their own servers, that can be located anywhere and are currently far less regulated. Give or take GDPR etc. So they'd be settings as part of the user/device profile, and Russia seems to be trying to insist those settings point data at servers in Russia.
But Apple's defence seems pretty weak, ie..
"Within the framework of the structure of Apple, many legal entities have been created.
<shrug> And? Russia's kinda telling Apple that they really need to create a legal entity inside Russia to service it's citizens. Which given current sanctions, Apple probably can't do. But if normal service resumes, Russia could still insist, and if Apple refuses, it could just de-authorise and ban any Apple devices inside Russian territory. Which sanctions have kinda done anyway.
But basically in the absence of any formal IMEI/IMSI nationality data, you'd have to work with what you've got, and operators would know where the devices were originally sold/registered based on SIM and phone details. Eventually I guess if governments decide on an internationally agreed 'E-Passport' standard, that could be added to device profiles.. But would also open a huge privacy can of worms. Which is also happening, eg stuff like 'Covid passports' providing an official way for data slurpers to link users to data.
"citizenship of the phone owner needing to be known by Apple [...or...] the phone-sim's country of origin is a proxy for citizenship"
The legislation itself is extremely vague, to the extent that for quite some time it was interpreted in the 'west' to mean that mirroring of relevant personal data processed elsewhere to servers in the RF territory was sufficient. It's yet another example of loose aspirational legislation with reasonable intent, but that doesn't take account of practicalities (like some aspects of the GDPR).
It's a quote from the *article* (which is what was said in the comment that you replied to), even if not one from the judge.
Nevertheless, since you are right that the article could be misleading, perhaps one of our Russian commentards might clarify whether or not citizenship is relevant, since they will presumably be able to read something closer to the actual judgement.
FWIW, a google translate of the second para of the linked-to Tass article reads as follows:
"The court ruled to find Apple Inc guilty under part 8 of article 13.11 of the Code of Administrative Offenses of the Russian Federation ("Failure to fulfill the obligation stipulated by the legislation of the Russian Federation to ensure the recording, systematization, accumulation, storage or extraction of personal data of citizens of the Russian Federation using databases located on the territory of Russia") and imposed a penalty in the form of a fine in the amount of 2 million rubles," the decision, which was read out by judge Timur Vakhrameev, says.
> how e.g. Apple is supposed to know whether any one iphone in Russia is owned by a Russian citizen or not.
Phone bought with card from Russian bank, geolocation in Russia, connected cell tower in Russia = you're in Russia.
Idk why you think citizenship is an issue, it isn't. GDPR doesn't suddenly not apply because you happen to be a Yank living in Europe, this Russian law will be the same.
Apple - "Remote brick all iPhones within the borders of The Russian Federation". <LOL> Well, it'd guarantee some good sales of phones once the sanctions get lifted, although they would probably just replace them with Chinese Android phones. I'm guessing that Apple, Zoom, and Ookla really don't give a flying ****. I hope the Russian people appreciate the lengths that their great leader, Pootin, has gone to to drag them kicking and screaming back to the 1950s.
...coz I bet those "Chinese Android phones" all store your personal data on Russian servers. Oh yes...
I'm a bit conflicted, though, since it seems perfectly reasonable to me that a Russian citizen's personal data should be store in a place that is subject to the jurisdiction of a Russian court -- that being far and away the court that said citizen has the easiest recourse to. You wanna be a multi-national company? Learn how to make your business work legally in multiple nations.
The law is increasingly becoming a standard around the world. The fines are laughable. The timing is certainly a response to sanctions.
But I was amused by Apple's filing:
"Within the framework of the structure of Apple, many legal entities have been created. The processing of personal data is not engaged in Apple Inc, but Apple Distribution International Ltd, this is indicated in all explanations for users of Apple products," an Apple representative reportedly said in court.
Essentially, "You're suing us wrong."
It looks like Apple is at least pretending to be taking this seriously. Did you know that iPhone chips run at 2,500 MHz and TSMC has stopped shipping any chips over 25MHz to Russia?
I wonder if they have a competition between their junior lawyers who can send the most underhanded reply to Russia. Sending the address of a bank in Cupertino together with a map would be a nice move.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
