General security

What Apple Knows about Us

Fabio Natalucci
November 12, 2014 by
Fabio Natalucci

Introduction

Every day, we share information about us or what we do on the Internet, and our information is targeted by multinational companies in order to build high profile marketing campaigns.

What are the company's limits in collecting information? What does the company know about us?

Focus on the big player of mobile devices, Apple. What does it know about its customers?

To give an answer to this question, while surfing on web, I found an interesting document.

The document described the operative guidelines reserved to US law enforcement agencies and how they are allowed to acquire some information about Apple customers.

The guidelines indicate step by step who can acquire information, in which case, and what can be done with it. Apple can release data about its customers in particular cases as a service of subpoenas, search warrants, and court orders for information by fax.

Apple reveals data of its customers only if a previous warrant has been issued.

If you are part of law enforcement and have a fax available, it's not hard to perform a request.

Apple gives you this simple fax template.

Fax Number: (408) 974-9316

Apple Inc.

Attention: Privacy and Law Enforcement Compliance

1 Infinite Loop, Cupertino, CA 95014

We require law enforcement to include the following information with the legal request so the request can be verified:

It's required to attach to the fax these details:

  • Law Enforcement Agency
  • Law Enforcement Agent Name and Badge/ID number
  • Agency issued email address
  • Law Enforcement Phone number (with extension if applicable)
  • Verifiable physical return address
  • Law Enforcement Fax number

But, if you aren't part of US law enforcement or you don't have an available court order, it is necessary to take a plane and go to the Cupertino Office, where someone from Apple may help you.

Apple Customers' Information Storage Policies

What does Apple maintain on its servers about us?

Apple gives us details about the information they have on their own datacenter.

Take a look to the most important and relevant:

Device Registration Information

Basic registration or customer information, including, name, address, email address, and telephone number are provided to Apple by customers when registering an Apple device. Apple does not verify this information, and it may not be accurate or reflect the device's owner. Additionally, the date of registration, purchase date and device type may also be included. This information can be obtained with a subpoena or greater legal process.

Customer Service Records

Contacts that customers have had with Apple customer service regarding a device or service may be obtained from Apple. This information may include records of support interactions with customers regarding a particular Apple device or service. Additionally, information regarding the device, warranty, and repair may also be available. This information can be obtained with a subpoena or greater legal process.

iTunes Information

iTunes is a free software application which customers use to organize and play digital music and video on their computers. It's also a store that provides content for customers to download for their computers and iOS devices. When a customer opens an iTunes account, basic subscriber information such as name, physical address, email address, and telephone number can be provided. Additionally, information regarding iTunes purchase/download transactions and connections, update/re-download connections, and iTunes Match connections may also be available. iTunes subscriber information and connection logs with IP addresses can be obtained with a subpoena or greater legal process. iTunes purchase/download transactional records can be obtained with an order under 18 U.S.C. §2703(d) or court order meeting the equivalent legal standard. A search warrant issued upon a showing of probable cause is required for Apple to provide the specific content purchased or downloaded.

Apple Retail Store Transactions

Point of Sale transactions are cash, credit/debit card, or gift card transactions that occur at an Apple Retail Store. A subpoena or greater legal process is required to obtain information regarding the type of card associated with a particular purchase, name of the purchaser, email address, date/time of the transaction, amount of the transaction, and store location. When the providing legal process is requesting Point of Sale records, include the complete credit/debit card number used and any additional information such as date and time of transaction, amount, and items purchased. Additionally, law enforcement may provide Apple with the receipt number associated with the purchase(s) in order to obtain duplicate copies of receipts, in response to a subpoena or greater legal process.

iTunes Gift Cards

iTunes gift cards have a sixteen-digit alphanumeric redemption code which is located under the "scratch-off" gray area on the back of the card, and a nineteen-digit code at the bottom of the card. Based on these codes, Apple can determine whether the card has been activated or (2) redeemed as well as whether any purchases have been made with the card. When iTunes gift cards are activated, Apple records the name of the store, location, date, and time. When iTunes gift cards are redeemed through purchases made on the iTunes Store, the gift card will be linked to a user account. iTunes gift cards purchased through the Apple Online Store can be located in Apple systems by their Apple Online Store order numbers (note: this only applies to iTunes gift cards purchased through Apple as opposed to third-party retailers).

(2) redeemed (i.e., used to increase the store credit balance on an iTunes account or used to purchase content in the iTunes store).

iCloud

iCloud is Apple's cloud service that allows users to access their music, photos, documents, and more from all their devices. iCloud also enables subscribers to back up their iOS devices to iCloud. With the iCloud service, subscribers can set up an iCloud.com email account. iCloud email domains can be @icloud.com, @me.com and @mac.com. iCloud data is encrypted wherever an iCloud server is located. When third-party vendors are used to store data, Apple never gives them the keys. Apple retains the encryption keys in its U.S. data centers. The following information may be available from iCloud.

i. Subscriber Information

When a customer sets up an iCloud account, basic subscriber information such as name, physical address, email address, and telephone number may be provided to Apple. Additionally, information regarding iCloud feature connections may also be available. iCloud subscriber information and connection logs with IP addresses
can be obtained with a subpoena or greater legal process.

ii. Mail Logs

iCloud mail logs are retained for approximately a period of 60 days. Mail logs include records of incoming and outgoing communications such as time, date, sender email addresses, and recipient email addresses. Mail logs may be obtained with a court order under 18 U.S.C. § 2703(d) or a court order with an equivalent legal standard or a search warrant.

iii. Email Content

iCloud only stores the email a subscriber has elected to maintain in the account while the subscriber's account remains active. Apple is unable to provide deleted content. Available email content may be provided in response to a search warrant issued upon a showing of probable cause.

Other iCloud Content. Photo Stream, Docs, Contacts, Calendars, Bookmarks, iOS Device Backups

iCloud only stores content for the services that the subscriber has elected to maintain in the account while the subscriber's account remains active. Apple does not retain deleted content once it is cleared from Apple's servers. iCloud content may include stored photos, documents, contacts, calendars, bookmarks and iOS device backups. iOS device backups may include photos and videos in the users' camera roll, device settings, app data, iMessage, SMS, and MMS messages and voicemail. iCloud content may be provided in response to a search warrant issued upon a showing of probable cause.

Find My iPhone

Finding My iPhone is a user-enabled feature by which an iCloud subscriber is able to locate his/her lost or misplaced iPhone, iPad, iPod touch or Mac and/or take certain actions, including locking or wiping the device. More information about this service can be found at http://www.apple.com/icloud/. Location information for a device located through the Find My iPhone feature is user facing and Apple does not have records of maps or email alerts provided through the service. Find My iPhone connection logs may be available and can be obtained with a subpoena or greater legal process. Find My iPhone transactional activity for requests to remotely lock or erase a device may be available with an order under 18 U.S.C. § 2703(d) or a court order with the equivalent legal standard or a search warrant. Apple cannot activate this feature on users' devices upon a request from law enforcement. The Find My iPhone feature has to have been previously enabled by the user for that specific device. Apple does not have GPS information for a specific device or user.

Extracting Data from Passcode Locked iOS Devices

For all devices running iOS 8.0 and later versions, Apple will no longer be performing iOS data extractions as the data sought will be encrypted and Apple will not possess the encryption key. For iOS devices running iOS versions earlier than iOS 8.0, upon receipt of a valid search warrant issued upon a showing of probable cause, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple's native apps and for which the data is not encrypted using the passcode ("user generated active files"), can be extracted and provided to law enforcement on external media. Apple can perform this data extraction process on iOS devices running iOS 4 through iOS 7. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, iMessage, MMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party app data.

The data extraction process can only be performed at Apple's Cupertino, California headquarters for devices that are in good working order. For Apple to assist in this process, the language outlined below must be included in a search warrant, and the search warrant must include the serial or IMEI number of the device.

Please make sure that the name of the judge on the search warrant is printed clearly and legibly in order for the paperwork to be completed.

Once law enforcement has obtained a search warrant containing this language, it may be served on Apple by fax to (408) 974-9316. The iOS device can be provided to Apple for data extraction either through an in person appointment or through shipment. However, Apple recommends that law enforcement attend the data extraction. If law enforcement chooses to ship the device, the device should not be shipped unless and until the officer receives an email from Apple requesting shipment.

For an in-person data extraction process, Apple requires that the law enforcement agent bring a FireWire hard drive with a storage capacity of at least two times the memory capacity for the iOS device. Alternatively, if law enforcement chooses to ship the device, law enforcement should provide Apple with an external hard drive or USB "thumb" drive that is capable of storing the equivalent of two times the memory size of the iOS device. Please do not send the device unless and until you receive an email requesting its shipment.

After the data extraction process has been completed, a copy of the user generated content on the device will be provided. Apple does not maintain copies of any user data extracted during the process; accordingly all evidence preservation remains the responsibility of the law enforcement agency.

Documents and Forms

Required Search Warrant Language:

"It is hereby ordered that Apple Inc. assist [LAW ENFORCEMENT AGENCY] in its search of one Apple iOS device, Model #____________, on the _______ network with access number (phone number) _________, serial or IMEI number __________, and FCC 4 ID#_____________ (the "Device"), by providing reasonable technical assistance in the instance where the Device is in reasonable working order and has been locked via passcode protection. Such reasonable technical assistance consists of, to the extent possible, extracting data from the Device, copying the data from the Device onto an external hard drive or other storage medium, and returning the aforementioned storage medium to law enforcement. Law Enforcement may then perform a search of the device data on the supplied storage medium.

It is further ordered that, to the extent that data on the Device is encrypted, Apple may provide a copy of the encrypted data to law enforcement but Apple is not required to attempt to decrypt, or otherwise enable law enforcement's attempts to access any encrypted data.

Although Apple shall make reasonable efforts to maintain the integrity of data on the Device, Apple shall not be required to maintain copies of any user data as a result of the assistance ordered herein; all evidence preservation shall remain the responsibility of law enforcement agents."

Apple Emergency Disclosure Request Form for Law Enforcement

Please provide the information requested below in order to assist Apple in exercising its discretion to disclose under the standard stated in 18 USC § 2702(b)(8) and § 2702(c)(4). Please email this form to subpoenas@apple.com with the subject line: Emergency Disclosure Request.

Please note that it is Apple's policy to notify a customer when we receive an emergency request from law enforcement requesting customer account information 90 days after the request is received.

  1. What is the nature of the emergency involving death or serious physical injury?
  2. Whose death or serious physical injury is threatened?
  3. When did this emergency arise and when did you become aware of it?
  4. Why is this situation an emergency such that normal disclosure processes would be insufficient or not timely? Is there reason to believe the threat is imminent? Please provide information that suggests that there is a specific deadline before which it is necessary to receive the requested information.
  5. What specific information do you believe is in Apple's possession related to the emergency? Please make your request as narrow as possible; requesting all information about an account will delay the processing of your request. NOTE: You must specify the Device ID or an email address associated with an Apple iTunes or iCloud account. 6. Please explain how the information you are requesting will assist in averting the threatened emergency.

This form has been completed by an authorized law enforcement official.

I declare under penalty of perjury that the foregoing is true and correct.

__________________________________________ _______________________________

Signature of requesting law enforcement agent Date

__________________________________________ _______________________________

Printed name of requesting law enforcement agent Badge/ID number of requesting agent

__________________________________________ _______________________________

Contact email address of law enforcement agent Direct contact telephone number

______________________________________________________________________________

Law enforcement agency

FAQ

Can Apple intercept users' communications pursuant to a Wiretap Order?

Apple can intercept users' email communications, upon receipt of a valid Wiretap Order. Apple cannot intercept users' iMessage or FaceTime communications as these communications are end-to-end encrypted. Mail header data may be provided in response to a valid Pen Register Order that includes a showing issued upon 18 U.S.C. § 2703(d) of specific and articulable facts showing that there are reasonable grounds to believe that the records and information sought are relevant and material to an ongoing criminal investigation.

Do you notify users of criminal legal process?

Yes, unless there is a non-disclosure order or applicable law prohibiting notice, or we believe in our sole discretion that such notice may pose immediate risk of serious injury or death to a member of the public or the case relates to a child endangerment matter.

Does Apple store GPS information that can be produced under proper legal process?

No, Apple does not track geolocation of devices. (???????)

Can Apple provide me with the passcode of an iOS device that is currently locked?

No, Apple does not have access to a user's passcode but, depending on the version of iOS that

the device is running, may be able to extract some data from a locked device with a valid

search warrant as described in the Guidelines.

Conclusions

We have talked about how Apple manages our private information and how Apple manages it in the case of search warrant and subpoenas. It's clear that Apple hasn't admitted some other process to recover data from its customers, but this is enough to understand.

Apple has been only an example. Nowadays every electronic device can potentially steal our data and send it to some company in another part of the world, in absolute silence.

We can't provide how and when our data will be stolen from a router, mobile phone, watches and other devices, but we know that one day it can happen.

Reference

http://images.apple.com/privacy/docs/legal-process-guidelines-us.pdf

Fabio Natalucci
Fabio Natalucci

Fabio Natalucci is an IT Security Specialist with more than 10 years of experience. He is an ethical hacker and penetration tester. Check out his blog at https://www.fabionatalucci.it/ .