Apple last week faced renewed scrutiny for its data-sharing practices, following a report that it retains iMessage metadata and shares it with law enforcement when presented with a court order.
The company for months has insisted that it would not share data that would jeopardize the privacy and trust of its millions of customers.
iMessage encryption does prevent Apple from accessing the actual content of conversations, but the company keeps phone logs for up to 30 days that contain a range of information, including contacts, IP addresses, and dates and times of conversations, The Intercept reported.
The information on Apple’s practices was included in a cache of documents The Intercept obtained from the Florida Department of Law Enforcement’s Electronic Surveillance Support Team, which facilitates the collection of data using controversial methods like the Stingray program, as well as more conventional tools like pen registers.
Investigators have requested and used iMessage data, the agency confirmed to the E-Commerce Times.
“Florida laws are narrow in scope and FDLE can only request this data when there is a criminal predicate and when authorized by a court,” explained spokesperson Molly Best. “We do not keep information on the number of times it has been used.”
The iMessage data is encrypted, and the agency is able to see only who is communicating, not what is being communicated, she added.
Using encrypted iPhones is a very secure way to protect the content of electronic conversations, but it is possible to glean a great deal of information from metadata, observed Jacob Ginsberg, senior director at Echoworx.
“Metadata and information about who you are contacting, when presented in a bulk manner, is incredibly sensitive,” he told the E-Commerce Times. “It’s nothing to be scoffed at.”
There are few ways to hide every trace of digital information that a user leaves on a mobile device, even if it has strong encryption built in, like the iPhone does, Ginsberg said.
Encryption is designed to protect the data that is embedded in the content of a message, said Gustaf Bjorksten, chief technologist at Access Now.
If the communication uses Internet protocols, then routers and servers have to be able to understand that metadata in order to properly deliver the message, he told the E-Commerce Times.
There are systems, like the Tor network, that can avoid exposing metadata to public scrutiny. Tor uses a concept called “onion routing”: The metadata for each “hop” of a route from sender to recipient is encased in another layer of encryption, and thus is visible only to the two infrastructure devices involved in that particular hop.
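The layering described above, as an added example that is not part of the original article: a sender wraps a message once per relay, and each relay peels one layer and learns only its previous and next hop. The relay names, keys and `recipient.example` are constructed, and the SHA-256 keystream is a toy stand-in for a real cipher, not Tor's actual protocol.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); a stand-in, not Tor's cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(route, keys, destination, payload):
    """Sender builds the onion inside-out; the innermost layer is for the last relay."""
    next_hop, blob = destination, payload
    for relay in reversed(route):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = keystream_xor(keys[relay], layer)
        next_hop = relay
    return next_hop, blob  # first relay to contact, and the full onion

def peel(relay_key, blob):
    """A relay removes its own layer and learns only where to forward the rest."""
    layer = json.loads(keystream_xor(relay_key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def trace(route, keys, destination, payload, sender="sender"):
    """Walk the onion through the route, recording (previous, next) seen per relay."""
    hop, blob = wrap(route, keys, destination, payload)
    prev, seen = sender, {}
    while hop in keys:
        nxt, blob = peel(keys[hop], blob)
        seen[hop] = (prev, nxt)
        prev, hop = hop, nxt
    return seen, hop, blob

# Constructed sample data: relay names, keys and recipient are hypothetical.
ROUTE = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in ROUTE}

if __name__ == "__main__":
    seen, final_hop, delivered = trace(ROUTE, KEYS, "recipient.example", b"hello")
    for relay, (prev, nxt) in seen.items():
        print(f"{relay}: received from {prev}, forwards to {nxt}")
    print(f"{final_hop} receives {delivered!r}")
```

No single relay in the trace sees both the sender and the recipient; the last relay forwards the payload as it received it, so protecting the content still depends on end-to-end encryption.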