Something To Hide? Apple Will Share Your iMessages With The Police

Apple promises that your iMessage conversations are safe and out of reach from anyone other than you and your friends. 

But according to a document obtained by The Intercept, your blue-bubbled texts do leave behind a log of which phone numbers you are poised to contact and shares this (and other potentially sensitive metadata) with law enforcement when compelled by court order.

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address, which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. 

Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,” orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” 

Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of month-long log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

The Intercept received the document about Apple’s Messages logs as part of a larger cache originating from within the Florida Department of Law Enforcement’s Electronic Surveillance Support Team, a state police agency that facilitates police data collection using controversial tools like the Stingray, along with conventional techniques like pen registers. 

The document, titled “iMessage FAQ for Law Enforcement,” is designated for “Law Enforcement Sources” and “For Official Use Only,” though it’s unclear who wrote it or for what specific audience, metadata embedded in the PDF cites an author only named “mrrodriguez.” The term “iMessages” refers to an old name for the Messages app still commonly used to refer to it.

Phone companies routinely hand over metadata about calls to law enforcement in response to pen register warrants. But it’s noteworthy that Apple is able to provide information on iMessage contacts under such warrants given that Apple and others have positioned the messaging platform as a particularly secure alternative to regular texting.

The document reads like a fairly standard overview that one might forward to a clueless parent, questions include “How does it work?” and “Does iMessage use my cellular data plan?”, until the final section, “What will I get if I serve Apple with a [pen register/tap and trace] court order for an iMessage account?”:

Apple maintains a log of phone numbers you’ve entered into Messages and potentially elsewhere on an Apple device, like the Contacts app, even if you never end up communicating with those people. The document implies that Messages transmits these numbers to Apple when you open a new chat window and select a contact or number with whom to communicate, but it’s unclear exactly when these queries are triggered, and how often. An Apple spokesperson confirmed only that the logging information in the iMessage FAQ is “generally accurate,” but declined to elaborate on the record.

The fact that Apple is able and willing to help the government map the communications networks of its users doesn’t necessarily undermine the company’s posturing, and record, as a guardian of privacy, though this leaked document provides more detail about how the iMessages system can be monitored than has been volunteered in the past. Ideally, customers wouldn’t need to read documents marked “For Official Use Only” in order to know what information Apple may or may not disclose to the police. 

In a section of its website devoted to touting the privacy safeguards in its products, Apple claims that “your iMessages and FaceTime calls are your business, not ours. … Unlike other companies’ messaging services, Apple doesn’t scan your communications, and we wouldn’t be able to comply with a wiretap order even if we wanted to.”

In 2013, after Apple was revealed to be among the tech companies caught up in an NSA surveillance program known as PRISM, which tapped into customer information on the central servers of nine leading Internet companies, the company released a rare statement regarding its “commitment to customer privacy,” insisting that it would be unable to share sensitive customer data even if it wanted to:

For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.

Questions of how much Apple could or would aid police if asked vaulted back into headlines following the mass shooting in San Bernardino last year, which left the FBI in possession of the shooter’s iPhone, which it was unable initially to decrypt. Apple balked at demands that it help crack the phone, allowing it to enjoy a reputation as not just a maker of expensive electronics, but a determined privacy advocate. 

We need more technology companies that are willing to take public, principled stands in defense of our private lives, but these same companies should follow through with technical transparency, not just statements.

Intercept

« Cyber Attacks Do More Damage Than Physical Attacks
Yahoo Secretly Scanned Emails For US Intelligence »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Radiant Logic

Radiant Logic

Radiant Logic is a market-leading provider of federated identity solutions based on virtualization, and delivers simple, logical, and standards-based access to all identities within an organization.

Cyber Security Centre - University of Hertfordshire

Cyber Security Centre - University of Hertfordshire

The Cyber Security Centre provides training, teaching and research in the fast paced topics of cyber security and digital forensics.

Information Systems Security Partners (ISSP)

Information Systems Security Partners (ISSP)

ISSP is a specialized system integrator focused on the information security needs of its corporate clients and providing best in class products and services for securing organizational information.

NTIC Cyber Center

NTIC Cyber Center

NTIC Cyber Center is an organization dedicated to making the National Capital Region (Washington DC) more resilient to cyber-attacks.

Panorays

Panorays

Panorays automates third-party security lifecycle management. It is a SaaS-based platform, with no installation needed.

Cybil

Cybil

Cybil is a publicly-available portal where members of the international cyber capacity building community can find and share information to support the design and delivery of programs and projects.

Expel

Expel

Expel provide transparent managed security services, 24x7 detection, response and resilience.

N8 Identity

N8 Identity

N8 Identity helps organizations realize the vision of Autonomous Identity Governance™ with AI-driven Identity solutions.

Phoenix Cybersecurity

Phoenix Cybersecurity

Phoenix Cybersecurity Services and Managed Security Services help clients just like you take full advantage of leading cybersecurity technologies and industry best practices.

Privakey

Privakey

Transaction Intent Verification. Privakey delivers a secure channel to streamline high risk transactions, enabling digital trust between services and their users.

Opticks Security

Opticks Security

Opticks provides fraud detection and monitoring solutions for leading brands. agencies and networks. Our relentless mission is to deliver reliable and innovative software to beat digital fraud.

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV) is a 6000+ members angel investing firm which supports new-age entrepreneurs by connecting them with a diverse group of investors.

LogicGate

LogicGate

The LogicGate Risk Cloud™ is an agile GRC cloud solution that combines powerful functionality with intuitive design to enhance enterprise GRC programs.

ThreatNG Security

ThreatNG Security

ThreatNG is redefining external attack surface management (EASM) and digital risk protection with a platform of unmatched breadth, depth, and capabilities in thwarting technical and business threats.

Radius Technologies

Radius Technologies

Radius Technologies is trusted by progressive SMEs to deliver world-class cloud, IT solutions, IT and data security, and telecoms systems.

Judy Security

Judy Security

Judy (formerly AaDya Security) provides smart, simple, effective, all-in-one cybersecurity for SMBs. Get the 24/7 protection and support you deserve, at a price you can afford.