The Intercept says it has obtained an internal document from the Florida Department of Law Enforcement’s Electronic Surveillance Team which reveals Apple’s supposedly secure iMessage application is logging contact information for each user, and this data can be provided to the police in response to a warrant.
The document is summarized as follows:
Apple maintains a log of phone numbers you’ve entered into Messages and potentially elsewhere on an Apple device, like the Contacts app, even if you never end up communicating with those people. The document implies that Messages transmits these numbers to Apple when you open a new chat window and select a contact or number with whom to communicate, but it’s unclear exactly when these queries are triggered, and how often — an Apple spokesperson confirmed only that the logging information in the iMessage FAQ is “generally accurate,” but declined to elaborate on the record.
In other words, Apple has some idea of who each user has attempted to communicate with, or at least added to your contact list. The date and time this contract information was entered is also recorded, along with the device’s IP address at that time – which, it is noted, could allow the general location of the device to be determined, despite Apple’s promises to the contrary. The log is only retained by Apple’s system for 30 days.
The Intercept includes the statement Apple issued in response:
When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession. Because iMessage is encrypted end-to-end, we do not have access to the contents of those communications. In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations or prove that any communication actually took place.
Questions remain about how often these contact logs are updated, and most pertinently, why Apple is logging the information at all.
The Intercept judges this revelation “doesn’t necessarily undermine the company’s posturing (and record) as a guardian of privacy,” but zings Apple for not forthrightly explaining how the tracking system works to their customers, who had to wait for a media organization to obtain a FAQ sheet from a police department to learn about it.
“Sure, the app doesn’t collect your message contents, but Apple hasn’t been entirely transparent about how private its messaging service really is, while vehemently claiming that Messages leaves no trace of your communications,” The Next Web complains. “It isn’t clear why the company needs to store this data; doing so only seems to make it a point of investigation for law enforcement and undermines the promise of privacy in Messages.”
Apple has famously scrapped with law enforcement over its refusal to compromise customers’ privacy or unlock encrypted data, earning credibility in the eyes of electronic privacy advocates, and an equal level of concern from those who worry that unbreakable encryption can be a valuable tool for terrorists and organized crime.
9to5Mac argues that the Intercept story is unfair to Apple, citing legal documents that prove “Apple has already made it clear a number of times that it stores contact information.”
Also, there are already a number of apps that keep more comprehensive IP address logs than iMessage, which can be given to law enforcement, and IP addresses are a very inexact took for determining physical location in any event.
“So Apple’s servers do log some contact related info for the company’s own debugging purposes and to route some messages to the right service (SMS or Apple’s Messages platform) when that info is needed — that’s what makes iMessage work the way it does with switching between SMS and iMessage on the fly. It keeps the data for 30 days before deleting it, and it does make some data available to law enforcement with proper warrants, but it has been clear about disclosing that to customers,” 9to5Mac concludes.