How and When Apple Discloses Your Data to Law Enforcement / by Matt Washchuk

Given the tremendous amount of press Apple’s feud with the FBI is receiving, I thought it would be helpful to explain what user data and information Apple makes available to law enforcement and how law enforcement can acquire this information. In the first part of this article, I simply provide factual information that Apple outlines in its Legal Process Guidelines from Sept. 25, 2015. I break the information into three parts: how law enforcement requests information, what data from physical iOS devices is available, and what data stored on Apple’s servers is available (including iCloud and non-iCloud data). After providing the factual information, I also provide some analysis and and recommendations on how to keep your data safe on iOS devices. 

I’ve thought carefully about this topic and have decided not to significantly address Apple’s participation in any of NSA’s secretive programs, including PRISM. There is ample evidence from the press that Apple has participated, and I recommend people read Bill Blunden’s article on Apple’s relationship with the U.S. government (as well as all the articles he cites) if you want to know more. My general belief is there is little you can do to protect yourself from NSA data collection, unless you never connect your iOS device to WiFi or cellular networks. (Feel free to consider email from a provider like protonmail.ch or voice and text services from Silent Circle as enhancing privacy, however.) Although unclear, it appears the FBI and local law enforcement do not generally have access to NSA data, and therefore, there is significant value in reviewing how those types of agencies can access your data from Apple. With that in mind, let’s begin.

Requests for Information

  • Officially, requests for information go through subpoenas@apple.com (Legal Process Guidelines, p. 3), which is part of Apple’s Privacy and Law Enforcement Compliance Group. Only law enforcement personnel can use this email for subpoenaing information.
  • In addition to subpoenaing information, law enforcement can ask Apple to preserve existing information about an Apple ID account. Apple will preserve the information for 90 days, and upon request, for an additional 90 days (for a total of 180 days). This is compliant with 18 U.S.C. § 2703(f) statutory requirements. (p. 4-5)
  • However, if the request for information is an emergency, Apple, at its discretion, may disclose requested information without a search warrant. These types of requests go through exigent@apple.com. (p. 5)
  • If a law enforcement agency wants Apple to delete a a customer’s Apple ID account, the agency must provide a warrant or court order requiring the deletion. (p. 5)
  • Apple will tell its customers that a law enforcement agency is requesting information about their accounts, unless such a disclosure is prohibited by law, court order, or if Apple believes disclosure creates a risk of injury or death to identified individuals. (p. 5) This is generally true for delaying disclosure in emergency circumstances, as well. (p. 6)
  • Apple can provide law enforcement with information related to Apple Retail and Online Store transactions, iTunes Store transactions, use of gift cards, interactions with AppleCare and other customer support, as well unverified contact information linked to particular devices (p. 6-7).

Data on iOS devices

  • Apple will not extract data that resides on a passcode-locked iOS device if the device is running iOS 8.0 or later. Apple would need to have the passcode in order to retrieve the data. (p. 9)
  • If the device is running iOS 4-7, Apple can retrieve some data from Apple’s native apps with a search warrant, specifically SMS messages, iMessage conversations, MMS messages, photos, videos, contacts, audio recordings, and call history. Apple cannot retrieve email messages, calendar entries, or data from third-party apps. (p. 9)
    • Even if Apple can retrieve this data, it still cannot provide law enforcement with the device’s passcode. (p. 13)
    • If Apple can retrieve data from a device, it puts the data on an external FireWire drive (provided by law enforcement) and gives the hard drive to law enforcement. Apple does not keep a copy of the data it extracts. (p. 10)
  • Apple does not track geolocation (GPS data) of devices. (p. 14)

Data in iCloud

  • Apple says that it encrypts all iCloud customer data on its servers, and in the event that the data is stored on 3rd party servers, the decryption keys remain on Apple servers in the United States. (p. 8)
  • Law enforcement can retrieve basic iCloud subscriber information, such as name, mailing address, email address, and telephone number. Connection logs for the iCloud account, including IP addresses, are available and retained for up to 30 days. (p. 8)
  • Mail logs, which identify incoming and outgoing email transactions, sender and receiver email addresses, date and time, and IP addresses, are retained for up to 60 days. They are accessible with a court order under 18 USC § 2703(d). (p. 8)
  • Apple indicates that actual email messages are stored on Apple’s servers (and therefore accessible with a search warrant) so long as the customer doesn’t delete the email. Apple writes that, “Apple does not retain deleted content once it is cleared from Apple’s servers. Apple is unable to provide deleted content.” (p. 8) However, Apple does not disclose how long it keeps deleted messages. 
    • Apple can, however, intercept users’ email communications upon receipt of a valid wiretap order (p. 14).
  • If a user chooses to keep other iCloud-related data in iCloud, Apple maintains this data on its servers, and the data is accessible in response to a search warrant. Examples of data users could choose to keep in iCloud are photos, documents, contacts, calendars, and bookmarks.  (p. 8)
    • In addition to regular iCloud data, users can choose to back up their iOS devices to iCloud. If they do, those device backups may include photos and videos in the users’ camera roll, device settings, app data, iMessage conversations, SMS messages, MMS messages, and voicemails. (Note that developers can choose to exclude their apps’ data from iCloud backups, but without specifically programming this functionality into their apps, iCloud backup will back up the app data.) (p. 8)
    • Apple again says that “Apple does not retain deleted content once it is cleared from Apple’s servers.” It does not indicate how long the deleted data is stored on its servers. (p. 8)
  • Find My iPhone: Apple maintains connection logs to this service, as well as transaction requests to remotely lock or erase devices, for about 30 days. This information is available with a search warrant. Apple does not maintain maps or email alerts provided through the service. Finally, Apple cannot remotely enable the “Find My iPhone” service. (p. 9)

Other Data

  • Apple can also provide Game Center connection logs with IP addresses with a valid subpoena. A search warrant is required if the agency wants Apple to provide the specific games played. (p. 11)
  • Some device identification information, such as IP address and ICCID/SIM numbers are stored on Apple’s servers when a person activates a device or performs an operating system upgrade. This data is available with a subpoena. (p. 11)
  • Apple keeps logs from user interaction on My Apple ID and iForgot websites. Connection logs with IP addresses can be obtained with a subpoena. Transactional records can be obtained with a court order under 18 USC § 2703(d). Apple does not indicate how long it keeps these logs. (p. 11)
  • Apple has limited information it can share about FaceTime connections. FaceTime communications are end-to-end encrypted, so Apple cannot decrypt FaceTime data when it is in transit between devices. Apple does have call invitation logs that it keeps for 30 days, but the logs do not indicate whether the call is ever completed or how long a completed call lasts. (p. 12)

 

Analysis & Recommendations

  • Statutory data retention policies vary from country to country, but it is reasonable to assume that Apple keeps your email for at least one year after you delete it in order to comply with statutory retention policies in the European Union. While there is no official retention policy in the United States, there is some evidence that Apple participates in the NSA PRISM program, despite Apple's public denials.
  • Today, Apple faces legal challenges from the FBI and is willing to buck public opinion in order to protect its users’ data, despite its ability to comply with the FBI’s demands. Apple’s efforts to make data irretrievable from its iOS devices are commendable. 
  • Unfortunately, Apple’s users voluntarily store much of the data they hold dear in iCloud, such as photos, emails, and contacts. Even if Apple makes it impossible to retrieve this kind of data from a locked phone, Apple can easily hand over much of the same data to law enforcement because users choose to keep a copy of the data in the cloud. If you use iCloud for email and contact syncing, and if you use iCloud Photo Library or even My Photo Stream, Apple can turn over your emails, the phone numbers of everyone you know, and all the photos you have ever taken to law enforcement — even if the company can’t unlock your phone.
  • Other data users may care about, such as iMessages, text messages, voicemails, and third-party app data is not normally accessible to Apple. But if a user chooses to use iCloud for device backup, Apple can extract that data from the backups users voluntarily store on Apple’s servers.

What are some best practices for people who want to continue to use iOS devices and preserve their privacy?

  • First, use a strong alphanumeric passcode for your iOS device. Do not use the four-digit passcode. Ideally, do not use the six-digit passcode. Choose a long, alphanumeric passcode with a mix of upper and lowercase letters, numbers, and symbols. This greatly increases the time law enforcement must spend trying to attack your passcode via brute force. 
    • Even if Apple is able to create and install a version of iOS on your device that doesn’t self destruct after 10 failed passcode attempts or artificially slow the input speed of passcodes, a 30-character alphanumeric passcode is going to take a prohibitive amount of time to crack compared to a four-digit code. 
  • Set your iOS device to erase all data with ten failed passcode attempts.
  • Keep your iOS operating system up to date and immediately update to iOS 9 if you are running iOS 7 or earlier (and have a device compatible with iOS 9). 
  • Ideally, do not use iCloud. Period. It is easiest for Apple to provide law enforcement with your data when you store it in iCloud.
  • If you must use iCloud, bear in mind that each service you turn on (email, contact syncing, iCloud Photo Library, etc.) is a service that stores your data on Apple’s servers. The more services you use, the more data Apple can disclose.
  • DO use iMessage. This appears to be Apple’s most secure service. Apple says it cannot decrypt your iMessages, and there’s no mention of Apple keeping logs that track who communicates with whom. 
  • Using FaceTime for audio and video calls could also be a good idea. Apple cannot decrypt the calls (which should mean law enforcement cannot, either), although Apple may be able to tell law enforcement who you have attempted to call in the last month (even if the company can’t tell the agency whether you successfully placed the call). 
  • Do not use iCloud for backing up your data. Once you do, all the iMessages you send and receive (among other things) become accessible to Apple. Of course, when you exchange iMessages with others, they may choose to use iCloud for backups, which means your messages may be preserved in their accounts for Apple to access. Whether law enforcement can figure out who you’re communicating with and get a search warrant to retrieve those people’s backups is a different question.
  • Before you decide this means you should store backups in iTunes, keep in mind that forensics data software can decrypt encrypted iTunes backups. A best practice would be to encrypt the entire contents of the drive on which both your copy of iTunes and the device backups exist. Using a strong alphanumeric passcode for your backup also helps prevent the software from being able to decrypt the backup.

There you have it. If you feel I have provided incorrect information or that I have failed to cover an important aspect of Apple's guidelines, please let me know.