What Apple Data the U.S. Government Can and Cannot Access
On 17 June 2013, Apple released a statement on the recent allegations claiming the NSA has access to user data. In it, Apple states that no government agency has direct access to Apple servers, that the company responds only to lawful legal requests and then provides only the minimum private data necessary to comply, and that sniffing of iMessage and FaceTime conversations is technically restricted due to end-to-end encryption. Apple also revealed that the company responded to 4,000–5,000 requests from U.S. law enforcement this year, predominantly for normal criminal cases as well as assisting in the recovery of lost children, adults with Alzheimer’s disease, and people potentially at high risk for suicide.
Those of us in the security and privacy world haven’t been overly surprised by the recent media storm. Much of the information on government activities was already known, although the scope (especially of monitoring phone metadata) was a tad shocking. This is a difficult issue to write about because the story continues to develop quickly, the levels of hyperbole are astronomical, and it is highly unlikely the full truth has emerged (if it ever will). But as both the government and tech companies respond, and based on previous knowledge, we can learn a semblance of what’s possible, even if we can’t understand the full scope.
My professional assessment is that we should all be concerned with the erosions of our personal privacy enabled by law and business models, but both the government and private enterprises do still operate within those boundaries. Technically, any information we store with Apple, or nearly any online service, is accessible, for as long as it is stored on remote servers, but it is highly unlikely that any government is sweeping it all up on a daily basis.
What the Law Allows — First, the usual disclosure. I am not a lawyer, I don’t play one on television, and none of my immediate family members are lawyers (just one brother-in-law). But as someone who has worked in global information security for over a decade, I need to be nominally familiar with international legal structures for data privacy.
The first thing to understand is the concept of jurisdiction — companies must comply with the laws in the countries in which they do business. This is a huge pain, but if a company has a business presence in a nation, they have to follow the rules within that nation, or leave. For example, Google still struggles to operate in China due to local requirements to keep all data and make it accessible to the government. Many European businesses cannot legally transfer customer or employee data to the United States due to our lax privacy laws. Amazon builds Amazon Web Services data centers in other countries less for performance reasons, and more to allow businesses to use the services while meeting local legal requirements.
Apple’s data centers are currently located in the United States. The company has not said how often it responds to legal requests in other countries, but we can assume that, as a minimum, Apple complies with U.S. law and may also be required to release data in other countries, on citizens of those countries, where it does business.
The current laws in the United States will likely surprise most residents. For example, law enforcement agencies state that, under current law, they can access any read email stored for over 180 days on a server without either a warrant or even probable cause. That same interpretation extends to most data you store with any online service that you don’t deliberately protect yourself, since the law says you give up your privacy by not keeping it on your person. Often those companies will fight to protect your data, but their user agreements (those things you don’t read before clicking) usually give them full access to your data. Also, while phone calls are protected under law, the metadata about who you call isn’t. And none of this applies to non-U.S. citizens, even if your data is only passing through this country.
In intelligence and counterterrorism situations, U.S. government agencies have even more power. They can listen in on phone calls without a warrant if one side is a foreign terrorism suspect. They can obtain secret warrants after the fact, with very little justification required. They can force technology companies, like Apple, to provide specific data for investigations and operations, without allowing firms to reveal that any such request was ever made (ever!). That’s why Apple could state how many law enforcement requests it responded to, but not how many intelligence requests. We still have no idea how much data the NSA obtained from Apple (or any other company).
This puts PRISM and the disclosure that the NSA obtained all Verizon call information in context. Reading between the lines, it looks like nothing more than technology companies responding to perfectly legal requests with the minimum information required. We don’t know the scope of it, and maybe someone is lying or something is classified, but while you might dislike the extent of the law, it doesn’t appear anyone broke it.
What Apple Can Provide Governments — Apple is actually in better shape than many competitors, especially Google. Apple can assist law enforcement and intelligence with two categories of data and a third situation:
- Information you store on iCloud or with other Apple services, like the iTunes Store
- Your location, if Find My iPhone/iPad/Mac is enabled
- Forensic recovery of information on an encrypted iPhone or iPad, but the security of those products may make that data unrecoverable even with Apple’s help
Open your iCloud preferences to see what data is available, which will likely include any email, calendar events, and to-do items (in iCloud, not your other accounts). Also included: your photos and the metadata (like location) associated with those photos. Your iCloud documents, contacts, notes, and reminders. Your App Store and iTunes Store purchases. Your Safari bookmarks and synchronized tabs. The biggest exposure with Apple is likely your iOS backups, should you back up to iCloud, since backups include everything on your phone.
Compare this data to what Google keeps, including Web searches, Web browsing history (through Google’s extensive ad network), email messages in Gmail, phone calls through Google Voice, events stored in Google Calendar, photos uploaded to Picasa or Google+, location searches in Google Maps, and anything else you do on any Google service.
In its statement, Apple also clarified what it can’t access. Apple doesn’t keep Siri searches or requests, nor does the company retain your location searches in Maps. iMessage and FaceTime are encrypted end-to-end, which means that the data is not accessible on Apple servers.
But it’s not as simple as Apple would have you believe. Apple manages the “root of trust” for iMessage and FaceTime conversation encryption, and Apple could potentially intercept the data using a man-in-the-middle attack, although it is highly unlikely that such capabilities are currently built in. Odds are that Apple’s lawyers would fight such a request to the death since it would involve actual code changes on Apple’s servers and violate its public privacy statements.
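The dependency described above, as an added illustration that is not from the article or from Apple: when clients fetch each other's public keys from a directory the provider runs, the directory itself is the root of trust. The toy below uses classic Diffie-Hellman over a small modulus (assumed here for brevity; real messaging systems use elliptic-curve keys and a different protocol) to show that an honest directory yields matching keys, a tampered directory does not, and the only check the directory cannot forge is an out-of-band comparison of key fingerprints.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (constructed for the demo; far too small for real use).
P = 2**127 - 1
G = 2


def fingerprint(pub: int) -> str:
    """Short hash of a public key, the value two users would compare in person."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


class Party:
    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def shared_key(self, peer_pub: int) -> str:
        """Derive a session key from what we believe is the peer's public key."""
        return hashlib.sha256(pow(peer_pub, self.priv, P).to_bytes(16, "big")).hexdigest()


class KeyDirectory:
    """Provider-run directory: clients trust whatever key it returns for a name."""
    def __init__(self):
        self.keys = {}

    def register(self, party: Party) -> None:
        self.keys[party.name] = party.pub

    def lookup(self, name: str) -> int:
        return self.keys[name]


class TamperedDirectory(KeyDirectory):
    """Same interface, but serves the operator's own key for every lookup,
    so each user unknowingly shares a key with the operator instead of the peer."""
    def __init__(self, operator: Party):
        super().__init__()
        self.operator = operator

    def lookup(self, name: str) -> int:
        return self.operator.pub


def exchange(alice: Party, bob: Party, directory: KeyDirectory) -> dict:
    """Run a key agreement through the directory and report what each side can observe."""
    key_a = alice.shared_key(directory.lookup(bob.name))
    key_b = bob.shared_key(directory.lookup(alice.name))
    # Out-of-band check: the fingerprint the directory served must equal the one
    # the peer shows directly. A directory cannot forge this comparison.
    verified = (fingerprint(directory.lookup(bob.name)) == fingerprint(bob.pub)
                and fingerprint(directory.lookup(alice.name)) == fingerprint(alice.pub))
    return {"keys_match": key_a == key_b, "fingerprints_verified": verified}


if __name__ == "__main__":
    a, b = Party("alice"), Party("bob")
    honest = KeyDirectory()
    honest.register(a)
    honest.register(b)
    print("honest directory:  ", exchange(a, b, honest))
    print("tampered directory:", exchange(a, b, TamperedDirectory(Party("operator"))))
```

Without the fingerprint comparison, neither user sees anything unusual in the tampered case; their messages still encrypt and decrypt, just against keys the directory chose.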
Apple may also be using this incident to jab at Google with the statement, “Apple has always placed a priority on protecting our customers’ personal data, and we don’t collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it.” This criticism also applies to other companies, like Facebook and Amazon, whose businesses are predicated on providing personalized information to customers.
(It’s worth keeping in mind that just because companies collect data about users, it doesn’t mean that they share that data with anyone else voluntarily. Conspiracy theories abound about Internet companies selling customer data to unsavory marketers, but in reality, customer data is the secret sauce for firms like Google, Facebook, and Amazon — they would no more sell it than Coca-Cola would share the formula for Coke. There’s far more money in building a business around that data than in selling it to a would-be competitor.)
Although Apple doesn’t store location history, it can access your current location. This is likely how Apple has assisted law enforcement in locating lost children and mentally ill adults. As a former rescue professional, I’ve been personally involved in situations where such information could have saved lives.
Lastly, there are rumors Apple can assist law enforcement agencies with speeding up the forensic recovery of data on encrypted iOS devices. This almost certainly isn’t through a back door, but probably by supporting off-device brute force decryption, which still is effectively impossible if you use a sufficiently long passcode. Security and jailbreak researchers are constantly hammering on iOS and Apple’s devices; odds are that they would find any deliberate back door. Besides, such a back door is not only not in Apple’s business interests, but would be a massive potential PR (and possibly legal) liability.
A Lack of Transparency — Without being on the inside, we don’t know exactly how hard Apple or any other technology company fights to protect user data from governments. Businesses need to comply with local laws, but different companies respond in different ways. Google may collect an extensive amount of private user data, but there is every indication that it does its best to minimize government access. Google even provides a real-time Transparency Report of the requests it is allowed to reveal, and has asked the U.S. Attorney General and the FBI for permission to reveal more requests in the Transparency Report.
Apple appears to limit government access as best it can, and Apple collects far less data than many other companies, and only with user permission. If you don’t use iCloud, rely on your own mail servers, and store only local encrypted iOS backups, there isn’t much Apple can provide the government. Plus, FaceTime and iMessage appear more secure than normal phone calls and texts. Any mobile phone can be located physically, even if Apple data is potentially more precise (and your phone provider likely keeps that data for quite some time).
At least, for now. Federal authorities are currently lobbying for government back doors to all online communications services, as they currently have for phone wiretaps. (This would be disastrous, since it is inevitable that hostile governments and online criminals would crack the security of any direct access.) We also lack a clear picture of the extent of current U.S. law and the use of those laws, since companies like Apple and Google are not allowed to disclose how often the U.S. government uses such powers, and the government is not revealing how effective such information is in stopping terrorism and other crimes.
While the United States is in the headlines, we have even less insight into the behavior of other nations, some of which require Internet service providers to keep metadata or even all network traffic for years in case it’s needed for an investigation. Lastly, remember that, in general, any online company you provide data to can look at it whenever it wants — I explained how you can determine if this is possible in “How to Tell If Your Cloud Provider Can Read Your Data” (9 April 2012).
Thus, the good news is that Apple appears to provide the government as little data on us as possible, and has practical limits on what is even available. The bad news is that we have nearly no insight into what the U.S. government is doing on our behalf, even if it is within the boundaries of existing laws that all too few understand.
It's a very important topic and needs to be discussed. Thank you for the contribution.
Amen. Too many folks seem to expect that this young "information highway" came preconfigured for a reality that's had no previous existence or counterpart.
Discussion is needed to expose or highlight where common, arbitrary, naive assumptions exist and need revision toward possible remedy. Quite possibly, most of those who are "shocked" by the current much ado about "not-so-new" are either older fuzzies or younger idealists who've been assuming too much with no basis in reality.
This general situation isn't really new, despite the fact that it's making news. What to do? Build your own knowledge base, find clarifications, minimize knee-jerk reactions, and weigh trade-offs. This isn't a simple situation, not really. Decide your own way and expect that your decision might feel less than ideal, regardless.
Somehow I don't think what is on any of my devices would be of much interest to anyone. Do they really want my mother's recipe for cut-out cookies?
That's not the point.
The point is that the government has no business knowing anything at all what's on your devices until you've actually done something wrong and those devices might be evidence. But in advance, they have no business there.
Period.
Some people feel that "If you've got nothing to hide, why are you concerned?", or " Why should I care if the government can read my recipe for potato salad?".
Might I suggest an essay by noted security expert Bruce Schneier: https://www.schneier.com/essay-114.html
A teaser:
"For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that -- either now or in the uncertain future -- patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable."
A few years ago, I linked to an excerpt from a book about this. Definitely still worth reading:
http://chronicle.com/article/Why-Privacy-Matters-Even-if/127461/
It's widely known that Apple DOES keep Siri searches and conversations for two years. Google "siri data retention" for scores of articles pointing that out.
According to the recent disclosures by Apple, Siri searches are kept *in aggregate* for the purposes of improving the service, but are anonymized (nearly immediately, I think). I.e., prior discussions of how long Apple keeps Siri data have been clarified: a Siri search does not leave a data trail whereby someone can find out *what* you Siri-searched for two months later.
That's a big difference from the statement "Apple doesn’t keep Siri searches or requests". If Apple keeps the data at all -- and they do -- then these data can be subpoenaed and analyzed. Siri searches can contain a lot of information and even if they can't directly be associated with a subscriber (though they are stored with a "random" identifying number) many indirect associations can be made which can link a search back to an individual.
I'm not going to get into what's proper and what's not but I did want to point out the error in the article.
For all the justifiable uproar concerning privacy, little of the press, media, blog, and comment coverage of this asks whether the surveillance works to prevent or correct crime or attacks. I respect Mogull for mentioning some of the other uses (like tracking lost Alzheimer's patients and kids). But almost no one offers any ideas of what they would find an acceptable and effective way of using 'wiretaps' to fight terrorism and crime. Invading two countries to fight terror didn't work. How do you balance privacy and security?
"How do you balance privacy and security?"
It isn't a balance. It's unconstitutional. Secret laws are unacceptable.
Having followed this issue with some interest, I have a somewhat different take than Rich.
(1) Nearly every phone call including the content is being swept up by the surveillance state. The NSA justifies this by claiming they are not "targeting" anyone, they're just collecting the data.
(2) There is a fundamental lack of effective oversight or controls on how this data may be used now and in the future. Anyone who challenges the secret procedures from within may be dismissed or subject to retaliation.
http://www.usatoday.com/story/news/politics/2013/06/16/snowden-whistleblower-nsa-officials-roundtable/2428809/
If you want to learn more or get involved, see www.eff.org
This is one of the huge questions, since the government will occasionally say that they used these powers to stop some terrorist act, but they'll never give details, so it's hard to believe them.
We should realize that the laxity of legislation about online privacy involves "levels" of government. As Rich Mogull cites, local law enforcement seems to act with less constraint because of the "loophole" environment. The Feds are more readily in the public bull's-eye, but how many folks in South Carolina are bothered by excessive surveillance tactics by local law agencies in Colorado? Or vice versa. The world didn't get to its current state of electronic communications over the centuries. This happened virtually overnight in many lives, and that reality didn't arrive preconfigured for societal ideals. We have work to do and there's no "do-over" button. We have lots of work to do.
Rich -- a clarification. The man-in-the-middle attack whereby Apple *could* decipher iMessage and FaceTime is real-time only, correct? Or is it theoretically possible that Apple could go back and decipher past iMessage conversations with minimal work?
(I'll assume that FaceTime *must* be real-time because the conversations aren't recorded, and it would be a massive storage problem to do so. But iMessages *are* stored on both ends, and it would be trivial for Apple to keep an encrypted copy.)
I am having a hard time understanding something that occurred today on my iPhone. Today I installed a new app and it immediately started giving me ads targeted to my location. I find it hard to believe Apple does not assist in this as they are the "owners" of the entire system. How is this possible?
This app was open for maybe 10 seconds before it started giving me ads for a local bank. And then another banner for a different local business. According to the "location" "settings" the only app that had accessed my location in the last 24 hrs was "setting time zone". This does not seem possible to me if everyone sticks to their stated policy. I am not sure that trust in Apple is well founded.
Can anyone enlighten me?
If you were on WiFi, your IP address is enough to locate you at least the city level.
So the App is able to "phone home" with my personal info??
Tripp, anytime you access information over the internet, your IP address is viewable by the other party. IP addresses can be traced back to geographic locations. (For a demo see http://www.maxmind.com/en/locate_my_ip )
The app didn't "phone home"; it probably just requested that an advertisement be sent, and the advertisement provider noted you were in a specific area and sent an advertisement specific to that area. The app likely hasn't gathered any more information than an advertiser could get from targeting a local television or newspaper.