Your iMessage contacts are logged and could be shared with the authorities


This is an interesting information to note especially for those of you who doesn't really read the terms and conditions when you agree to the service agreement of applications. APPLE PROMISES THAT your iMessage conversations are safe and out of reach from anyone other than you and your friends.

But every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,” orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

Based on a document from the US State Enforcement office, titled “iMessage FAQ for Law Enforcement,” is designated for “Law Enforcement Sources” and “For Official Use Only,” though it’s unclear who wrote it or for what specific audience — metadata embedded in the PDF cites an author only named “mrrodriguez.” (The term “iMessages” refers to an old name for the Messages app still commonly used to refer to it.)



Phone companies routinely hand over metadata about calls to law enforcement in response to pen register warrants. But it’s noteworthy that Apple is able to provide information on iMessage contacts under such warrants given that Apple and others have positioned the messaging platform as a particularly secure alternative to regular texting.

The document reads like a fairly standard overview that one might forward to a clueless parent (questions include “How does it work?” and “Does iMessage use my cellular data plan?”), until the final section, “What will I get if I serve Apple with a [pen register/tap and trace] court order for an iMessage account?”

This is a lot of bullet points to say one thing: Apple maintains a log of phone numbers you’ve entered into Messages and potentially elsewhere on an Apple device, like the Contacts app, even if you never end up communicating with those people. The document implies that Messages transmits these numbers to Apple when you open a new chat window and select a contact or number with whom to communicate, but it’s unclear exactly when these queries are triggered, and how often — an Apple spokesperson confirmed only that the logging information in the iMessage FAQ is “generally accurate,” but declined to elaborate on the record.

Apple provided the following statement:
When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession. Because iMessage is encrypted end-to-end, we do not have access to the contents of those communications. In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations or prove that any communication actually took place.

And it’s true, based on the sample information provided in the FAQ, that Apple doesn’t appear to provide any indication whatsoever that an iMessage conversation took place. But a list of the people you choose to associate with can be just as sensitive as your messages with those people. It requires little stretching of the imagination to come up with a scenario in which the fact that you swapped numbers with someone at some point in the past could be construed as incriminating or compromising.

In a section of its website devoted to touting the privacy safeguards in its products, Apple claims that “your iMessages and FaceTime calls are your business, not ours. … Unlike other companies’ messaging services, Apple doesn’t scan your communications, and we wouldn’t be able to comply with a wiretap order even if we wanted to.”

In 2013, after Apple was revealed to be among the tech companies caught up in an NSA surveillance program known as PRISM, which tapped into customer information on the central servers of nine leading internet companies, the company released a rare statement regarding its “commitment to customer privacy,” insisting that it would be unable to share sensitive customer data even if it wanted to:

For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.

Questions of how much Apple could or would aid police if asked vaulted back into headlines following the mass shooting in San Bernardino last year, which left the FBI in possession of the shooter’s iPhone, which it was unable initially to decrypt. Apple balked at demands that it help crack the phone, allowing it to enjoy a reputation as not just a maker of expensive electronics, but a determined privacy advocate. We need more technology companies that are willing to take public, principled stands in defense of our private lives, but these same companies should follow through with technical transparency, not just statements.

Now, most of the examples are those in the United States but with the right court order, authorities from any countries can also request for the contact data to be shared.

With most conversations taking place over the net these days, all conversations we transmitted to friends and acquaintance get logged in one way or another, so if you want your privacy to be respected, go back to the good old ways of meeting face-to-face, especially when you are communicating about sensitive information.

Michael Yip

Phasellus facilisis convallis metus, ut imperdiet augue auctor nec. Duis at velit id augue lobortis porta. Sed varius, enim accumsan aliquam tincidunt, tortor urna vulputate quam, eget finibus urna est in augue.

No comments:

Post a Comment