China's New Cybersecurity Law Tested by iPhone Information Theft
A week after China's first cybersecurity law took effect, an investigation over the alleged theft and sale of iPhone users' information looked set to test how well Apple Inc. and other foreign companies protect Chinese citizens' personal data.
Police in eastern China said they had detained 22 people, including 20 from Apple "direct sales outlets" in China and companies Apple outsources services to. Police said those detained had used Apple's internal system to illegally obtain information associated with iPhone products like phone numbers, names and Apple IDs, and then sold the information.
A statement by police in Cangnan county in Zhejiang province gave no further information on the Apple outlets involved, or details on the two other people detained. Calls to the police's news department went unanswered.
The statement said the 22, who were detained May 3, charged from 10 yuan ($1.50) to 180 yuan for each piece of information and that the total amount of money involved was over 50 million yuan.
An Apple spokeswoman in China didn't respond to a request for comment.
China has long struggled to rein in a robust black market in personal information, prompting one political activist last year to purchase and publish in a form of protest the private data of several Chinese tech CEOs, including Alibaba Group Holding Ltd. co-founder Jack Ma. The activist showed evidence of one vendor offering to sell personal information ostensibly belonging to Chinese President Xi Jinping for 1,000 yuan.
A core aim of the cybersecurity law is to better protect individuals' private data, authorities have said.
iPhone users' information is highly prized on the black market because of the belief they are more affluent. Obtaining data such as a user's Apple ID could help hackers lock iPhones remotely and then demand payment from the user to unlock it. The potential for abuse widens further if hackers gain access to a user's cloud storage.
Ahead of the June 1 implementation of the cybersecurity law, foreign technology companies expressed concern, saying they were uncertain how it would affect their operations. Specific measures to comply with the law's mandates on protection of personal information are still being worked out, according to the regulator, China's Cyberspace Administration.
Under earlier laws, companies have largely escaped punishment when employees used their access to internal computer systems to steal users' personal data, according to Liu Chunquan, an intellectual property lawyer with Shanghai-based Duan & Duan Law Firm.
That has changed under the cybersecurity law, Mr. Liu said, with companies now potentially facing fines and other punishment by regulators unless they can prove their systems weren't to blame for leaks.
"Now with this law, Apple as a company faces much greater legal risk than it would have before," he said.
A company could face fines of as much as 10 times the illegal revenue from a theft if it is found to have had inadequate protections against a leak, according to the law. In serious situations, regulators can temporarily close or revoke the business licenses of companies found in violation of the new law.
Based on information police have released so far, government authorities could now have grounds to look into potential holes in Apple's internal data management in China, said You Yunting, a partner with Shanghai-based DeBund Law Offices.
Cangnan police posted a series of photos of officers detaining and interrogating the detainees on the popular WeChat messaging app. In one image, several people are shown standing in front of a police station in handcuffs. They are accompanied by what appears to be plainclothes police, including one holding a bouquet of flowers.
Yang Jie and Josh Chin contributed to this article
(END) Dow Jones Newswires
June 07, 2017 09:53 ET (13:53 GMT)