AirDrop was a powerful tool for activists during 2022’s A4 protests, as people across China took to the streets to speak out against the government’s handling of the pandemic. With so many iPhones in the crowd, organizers realized they could use AirDrop to push protest material to large groups without leaving a digital record of the message.
It was an optimistic moment for tech, reminiscent of Twitter in the Arab Spring — until Apple shut it down. At the height of protests, Apple placed heavy restrictions on AirDrop use in China, particularly on messages received from outside a user’s contacts. Apple’s never given a clear answer as to why, but it’s pretty clear the company didn’t want a system built for file transfers playing a role in a geopolitical upheaval.
Now, there’s a new reason to be nervous about that initial rush of AirDrops. On January 9, Beijing’s judicial bureau announced it was using a new method to find citizens who send illegal content over AirDrop, and had already used the system to identify multiple suspects.
The exploit “will deepen disaffected people’s doubts about their ability to express dissent … No place is safe.”
As Johns Hopkins cryptographer Matt Green tells it, researchers had found a way around that system as early as 2019, reported it to Apple, and published their findings two years later. As Green makes clear, there’s a way to build this system that avoids the bug, but it’s processor-intensive and Apple hasn’t implemented it. This meant the vulnerability stayed open for years, to the point that it can be exploited by local authorities. Apple is usually very good about encryption — the iMessage architecture is basically a Sistine Chapel for security nerds — so there’s a bit of head-scratching about why this bug stayed open so long. But ultimately, AirDrop isn’t a secure product like iMessage, and it was never meant to stand up to this kind of police pressure.
When I spoke to Eric Liu, an editor at the China Digital Times, he described the exploit as a symbolic victory for Chinese authorities, but still a victory. “AirDrop was not used very much in protests at the time, as protests were rare, but it provided the possibility of resistance and thus aroused extreme fear among the authorities,” Liu told me. He believes the new bug “will deepen disaffected people’s doubts about their ability to express dissent … No place is safe.”
The bug may also have real consequences for the fragile peace between Apple and the Chinese government. Apple made $72 billion in sales in China last year, and until recently, Chinese factories were producing 90% of Apple products. That required all manner of backstage diplomacy from Tim Cook, but as long as Apple was committed to China and China was committed to exporting electronics, it was worth it for both sides.
Now, both halves of that bargain are starting to crack. All last year, U.S. lawmakers talked to Apple about decoupling from China — sometimes as a warning about geopolitical trends and other times as an outright threat. Apple has mostly complied, championing new Foxconn sites outside of China, most notably in India and Vietnam.
So far, the Chinese government has mostly pushed back against the “decoupling” narrative broadly, but there have been some pushes against Apple, too. In September, the government ordered its staff to avoid iPhones for official business — a tit-for-tat response to the U.S. ban against Huawei and ZTE.
The fact that a municipal bureau would publicly announce it was exploiting Apple systems is more evidence that the relationship is growing chilly. It’s not unprecedented — Apple has its own complicated relationship with U.S. law enforcement — but amid the ongoing pressure, it’s surely embarrassing to have the attack made public. Even worse, it forces Apple into exactly the kind of side-taking it had tried to avoid during the protests.
It sends an uncomfortable message to Cupertino: At some point, Beijing may no longer be interested in making things easy for Apple.
This essay was originally published in our Exporter newsletter. You can subscribe here.
