This article originally appeared in TidBITS on 2013-06-17 at 2:18 p.m.

What Apple Data the U.S. Government Can and Cannot Access

by Rich Mogull

On 17 June 2013, Apple released a statement [1] on the recent allegations claiming the NSA has access to user data. In it, Apple states that no government agency has direct access to Apple servers, that the company responds only to lawful legal requests and then provides only the minimum private data necessary to comply, and that sniffing of iMessage and FaceTime conversations is technically restricted due to end-to-end encryption. Apple also revealed that the company responded to 4,000–5,000 requests from U.S. law enforcement this year, predominantly for normal criminal cases as well as assisting in the recovery of lost children, adults with Alzheimer’s disease, and people potentially at high risk for suicide.

Those of us in the security and privacy world haven’t been overly surprised by the recent media storm. Much of the information on government activities was already known, although the scope (especially of monitoring phone metadata) was a tad shocking. This is a difficult issue to write about because the story continues to develop quickly, the levels of hyperbole are astronomical, and it is highly unlikely the full truth has emerged (if it ever will). But as both the government and tech companies respond, and based on previous knowledge, we can learn a semblance of what’s possible, even if we can’t understand the full scope.

My professional assessment is that we should all be concerned with the erosions of our personal privacy enabled by law and business models, but both the government and private enterprises do still operate within those boundaries. Technically, any information we store with Apple, or nearly any online service, is accessible, for as long as it is stored on remote servers, but it is highly unlikely that any government is sweeping it all up on a daily basis.

What the Law Allows -- First, the usual disclosure. I am not a lawyer, I don’t play one on television, and none of my immediate family members are lawyers (just one brother-in-law). But as someone who has worked in global information security for over a decade, I need to be nominally familiar with international legal structures for data privacy.

The first thing to understand is the concept of jurisdiction — companies must comply with the laws in the countries in which they do business. This is a huge pain, but if a company has a business presence in a nation, they have to follow the rules within that nation, or leave. For example, Google still struggles to operate in China [2] due to local requirements to keep all data and make it accessible to the government. Many European businesses cannot legally transfer customer or employee data to the United States due to our lax privacy laws. Amazon builds Amazon Web Services data centers in other countries less for performance reasons, and more to allow businesses to use the services while meeting local legal requirements.

Apple’s data centers are currently located in the United States. The company has not said how often it responds to legal requests in other countries, but we can assume that, as a minimum, Apple complies with U.S. law and may also be required to release data in other countries, on citizens of those countries, where it does business.

The current laws in the United States will likely surprise most residents. For example, law enforcement agencies state that, under current law, they can access any read email stored for over 180 days on a server without either a warrant or even probable cause [3]. That same interpretation extends to most data you store with any online service that you don’t deliberately protect yourself, since the law says you give up your privacy by not keeping it on your person. Often those companies will fight to protect your data, but their user agreements (those things you don’t read before clicking) usually give them full access to your data. Also, while phone calls are protected under law, the metadata about who you call isn’t. And none of this applies to non-U.S. citizens, even if your data is only passing through this country.

In intelligence and counterterrorism situations, U.S. government agencies have even more power. They can listen in on phone calls without a warrant if one side is a foreign terrorism suspect. They can obtain secret warrants after the fact, with very little justification required. They can force technology companies, like Apple, to provide specific data for investigations and operations, without allowing firms to reveal that any such request was ever made (ever!). That’s why Apple could state how many law enforcement requests it responded to, but not how many intelligence requests. We still have no idea how much data the NSA obtained from Apple (or any other company).

This puts PRISM and the disclosure that the NSA obtained all Verizon call information in context. Reading between the lines, it looks like nothing more than technology companies responding to perfectly legal requests with the minimum information required. We don’t know the scope of it, and maybe someone is lying or something is classified, but while you might dislike the extent of the law, it doesn’t appear anyone broke it.

What Apple Can Provide Governments -- Apple is actually in better shape than many competitors, especially Google. Apple can assist law enforcement and intelligence with two categories of data and a third situation:

Open your iCloud preferences to see what data is available, which will likely include any email, calendar events, and to-do items (in iCloud, not your other accounts). Also included: your photos and the metadata (like location) associated with those photos. Your iCloud documents, contacts, notes, and reminders. Your App Store and iTunes Store purchases. Your Safari bookmarks and synchronized tabs. The biggest exposure with Apple is likely your iOS backups, should you back up to iCloud, since backups include everything on your phone.

Compare this data to what Google keeps, including Web searches, Web browsing history (through Google’s extensive ad network), email messages in Gmail, phone calls through Google Voice, events stored in Google Calendar, photos uploaded to Picasa or Google+, location searches in Google Maps, and anything else you do on any Google service.

In its statement, Apple also clarified what it can’t access. Apple doesn’t keep Siri searches or requests, nor does the company retain your location searches in Maps. iMessage and FaceTime are encrypted end-to-end, which means that the data is not accessible on Apple servers.

But it’s not as simple as Apple would have you believe. Apple manages the “root of trust” for iMessage and FaceTime conversation encryption, and Apple could potentially intercept the data using a man-in-the-middle attack, although it is highly unlikely that such capabilities are currently built in. Odds are that Apple’s lawyers would fight such a request to the death since it would involve actual code changes on Apple’s servers and violate its public privacy statements.
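To show concretely why the party that runs the key directory holds the root of trust, here is an added example in Python (not Apple's code and not a description of iMessage's actual protocol): a toy directory serves contacts' public keys, and a trust-on-first-use client pins the fingerprint it first sees so that a later key substitution by the directory is flagged instead of silently accepted. Key bytes and user names are constructed placeholders.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

def make_pubkey() -> bytes:
    """Constructed stand-in for a public key (32 random bytes)."""
    return secrets.token_bytes(32)

def fingerprint(pubkey: bytes) -> str:
    """Short, human-comparable digest of a public key."""
    return hashlib.sha256(pubkey).hexdigest()[:16]

class KeyDirectory:
    """Models the provider-run directory that hands out recipients' keys.
    Whoever controls it decides which key a sender encrypts to."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
    def publish(self, user: str, pubkey: bytes) -> None:
        self._keys[user] = pubkey
    def lookup(self, user: str) -> bytes:
        return self._keys[user]

class PinningClient:
    """Trust-on-first-use client: remembers the fingerprint it first saw
    for each contact and refuses to silently accept a different one."""
    def __init__(self, directory: KeyDirectory) -> None:
        self.directory = directory
        self.pins: Dict[str, str] = {}
    def key_for(self, user: str) -> Tuple[Optional[bytes], str]:
        served = self.directory.lookup(user)
        fp = fingerprint(served)
        pinned = self.pins.get(user)
        if pinned is None:
            self.pins[user] = fp          # first contact: pin what we saw
            return served, "pinned"
        if fp != pinned:                  # directory now serves another key
            return None, "key-changed"    # refuse until verified out of band
        return served, "ok"

def demo() -> list:
    """Walk through the scenario in the text; return the client's verdicts."""
    directory = KeyDirectory()
    directory.publish("bob", make_pubkey())         # bob's genuine key
    client = PinningClient(directory)
    verdicts = [client.key_for("bob")[1]]           # first lookup pins it
    verdicts.append(client.key_for("bob")[1])       # unchanged key: ok
    directory.publish("bob", make_pubkey())         # directory swaps the key
    verdicts.append(client.key_for("bob")[1])       # pinning client flags it
    return verdicts
```

A client that simply trusts whatever the directory returns would report "ok" on the third lookup as well, which is exactly the gap the text describes.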

Apple may also be using this incident to jab at Google with the statement, “Apple has always placed a priority on protecting our customers’ personal data, and we don’t collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it.” This criticism also applies to other companies, like Facebook and Amazon, whose businesses are predicated on providing personalized information to customers.

(It’s worth keeping in mind that just because companies collect data about users, it doesn’t mean that they share that data with anyone else voluntarily. Conspiracy theories abound about Internet companies selling customer data to unsavory marketers, but in reality, customer data is the secret sauce for firms like Google, Facebook, and Amazon — they would no more sell it than Coca-Cola would share the formula for Coke. There’s far more money in building a business around that data than in selling it to a would-be competitor.)

Although Apple doesn’t store location history, it can access your current location. This is likely how Apple has assisted law enforcement in locating lost children and mentally ill adults. As a former rescue professional, I’ve been personally involved in situations where such information could have saved lives.

Lastly, there are rumors Apple can assist law enforcement agencies with speeding up the forensic recovery of data on encrypted iOS devices. This almost certainly isn’t through a back door, but probably by supporting off-device brute force decryption, which is still effectively impossible if you use a sufficiently long passcode. Security and jailbreak researchers are constantly hammering on iOS and Apple’s devices; odds are that they would find any deliberate back door. Besides, such a back door is not only contrary to Apple’s business interests, but would be a massive potential PR (and possibly legal) liability.

A Lack of Transparency -- Without being on the inside, we don’t know exactly how hard Apple or any other technology company fights to protect user data from governments. Businesses need to comply with local laws, but different companies respond in different ways. Google may collect an extensive amount of private user data, but there is every indication that it does its best to minimize government access. Google even provides a real-time Transparency Report [4] of the requests it is allowed to reveal, and has asked the U.S. Attorney General and the FBI for permission to reveal more requests in the Transparency Report.

Apple appears to limit government access as best it can, and Apple collects far less data than many other companies, and only with user permission. If you don’t use iCloud, rely on your own mail servers, and store only local encrypted iOS backups, there isn’t much Apple can provide the government. Plus, FaceTime and iMessage appear more secure than normal phone calls and texts. Any mobile phone can be located physically, even if Apple data is potentially more precise (and your phone provider likely keeps that data for quite some time).

At least, for now. Federal authorities are currently lobbying for government back doors to all online communications services [5], as they currently have for phone wiretaps. (This would be disastrous, since it is inevitable that hostile governments and online criminals would crack the security of any direct access.) We also lack a clear picture of the extent of current U.S. law and the use of those laws, since companies like Apple and Google are not allowed to disclose how often the U.S. government uses such powers, and the government is not revealing how effective such information is in stopping terrorism and other crimes.

While the United States is in the headlines, we have even less insight into the behavior of other nations, some of which require Internet service providers to keep metadata or even all network traffic for years in case it’s needed for an investigation. Lastly, remember that, in general, any online company you provide data to can look at it whenever it wants — I explained how you can determine if this is possible in “How to Tell If Your Cloud Provider Can Read Your Data [6]” (9 April 2012).

Thus, the good news is that Apple appears to provide the government as little data on us as possible, and has practical limits on what is even available. The bad news is that we have nearly no insight into what the U.S. government is doing on our behalf, even if it is within the boundaries of existing laws that all too few understand.