The Intercept’s Sam Biddle published a story today citing police documents that he reported prove Apple logs every contact you type in iMessage to share with law enforcement without telling anyone. But it’s not exactly news. Apple doesn’t log every contact you type into your Messages app, and there’s already a lot of publicly available information from Apple about it storing contact info that could be shared with law enforcement. From The Intercept:
“Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system… over Apple’s proprietary and more secure messaging network…The document implies that Messages transmits these numbers to Apple when you open a new chat window and select a contact or number with whom to communicate”
To be clear, Apple isn’t actually sharing any of your conversations — those are entirely encrypted and out of its reach– we’re only talking about contact numbers here.
Biddle makes two main claims:
- Apple is storing all contact info from your iPhone’s Messages app without telling anyone… and sharing with law enforcement through the proper court process.
Apple has made it clear a number of times that it stores contact information. Here are just a couple of mentions from one of its legal documents and its iOS 10 license agreement on how it provides that data and more to law enforcement:
“When you use your device, your phone number and certain unique identifiers for your iOS Device are sent to Apple in order to allow others to reach you by your phone number when using various communication features of the iOS Software, such as iMessage and FaceTime.”
“Apple has FaceTime call invitation logs when a FaceTime call invitation is initiated. These logs do not indicate that any communication between users actually took place.”
“Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, iMessage, MMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party app data.”
“iCloud content may include stored photos, documents, contacts, calendars, bookmarks and iOS device backups. iOS device backups may include photos and videos in the users’ camera roll, device settings, app data, iMessage, SMS, and MMS messages and voicemail. iCloud content may be provided in response to a search warrant issued upon a showing of probable cause.”
Apple notes in its legal documents that it can’t extract data from locked devices running iOS 8 or later due to its new security features, but it has long provided contact info using that method to law enforcement. It has had disclosure about storing contact info and sharing that data with law enforcement for a number of years.
The second major claim…
2. IP address info in the logs can expose a user’s location, something Apple hasn’t informed customers it shares with law enforcement.
Again, Apple has long kept IP address log data for a long list of software related services from when you sign-on to iCloud or somewhere with your Apple ID to just the IP addresses of all its iTunes subscribers, and it makes that data available to law enforcement with proper warrants.
Apple discloses this several times for various services in its legal documents linked above. Not to mention an IP address doesn’t offer exact location or even accurate location data that could allow law enforcement or anyone else to pinpoint your location.
“My Apple ID and iForgot logs for a user may be obtained from Apple. Connection logs with IP addresses can be obtained with a subpoena…”
“iCloud subscriber information and connection logs with IP addresses can be obtained with a subpoena number, email address, product purchased, purchase amount, and IP address…A subpoena or greater legal process is required in order to obtain this information.”
“iTunes subscriber information and connection logs with IP addresses can be obtained with a subpoena…”
“Apple maintains information regarding online purchases including name, shipping address, telephone…”
So Apple’s servers do log some contact related info for the company’s own debugging purposes and to route some messages to the right service (SMS or Apple’s Messages platform) when that info is needed — that’s what makes iMessage work the way it does with switching between SMS and iMessage on the fly. It keeps the data for 30 days before deleting it, and it does make some data available to law enforcement with proper warrants, but it has been clear about disclosing that to customers.