Decrypting iMessages at Rest, Questioning NSA Access to Apple Network Devices, and NSLs

The other day  Apple released a privacy transparency statement discussing, among other things, how they can not decrypt iMessage content sent (or Facetime sessions) between two iOS devices. See their full statement below.

There were some other interesting tidbits to consider in their statement as well. For example regarding the recent PRISM leak, Apple does not mention anything about “direct access” to network gear versus just “servers.” Who cares about servers if you have a direct tap into all the network traffic?

The statement also discusses the number of National Security Letters (NSLs) and “other” law enforcement (LE) requests from the last five months as being between 4,000 to 5,000. Seems high but not too bad if you consider the thousands of LE jurisdictions throughout the country. Of course there could have also just been one of those “other” requests and 4,999 NSLs.

Finally, Apple closes with the comment about iMessage content mentioned above. The way the statement reads it seems to only apply to messages “in motion” between two devices. As most of us in security know … protecting data in motion is only half of the solution. Any system also needs to protect data at rest (e.g., files are servers or content stored in databases). So how does this statement apply to content that iMessage may store in such repositories?

And there is still the mysterious process that Apple goes through to acquire images of password-encrypted content on iPhones and other iDevices… With the proper legal filings and a few months of waiting, any LE entity can gain access to unencrypted iPhone content, including stored or deleted iMessages.

We’re not questioning their actual practices here … just asking them to give more details so privacy-conscience consumers can make more informed purchase decisions.

Apple’s Commitment to Customer Privacy

Two weeks ago, when technology companies were accused of indiscriminately sharing customer data with government agencies, Apple issued a clear response: We first heard of the government’s “Prism” program when news organizations asked us about it on June 6. We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order.

Like several other companies, we have asked the U.S. government for permission to report how many requests we receive related to national security and how we handle them. We have been authorized to share some of that data, and we are providing it here in the interest of transparency.

From December 1, 2012 to May 31, 2013, Apple received between 4,000 and 5,000 requests from U.S. law enforcement for customer data. Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters. The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer’s disease, or hoping to prevent a suicide.

Regardless of the circumstances, our Legal team conducts an evaluation of each request and, only if appropriate, we retrieve and deliver the narrowest possible set of information to the authorities. In fact, from time to time when we see inconsistencies or inaccuracies in a request, we will refuse to fulfill it.

Apple has always placed a priority on protecting our customers’ personal data, and we don’t collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it.

For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.

We will continue to work hard to strike the right balance between fulfilling our legal responsibilities and protecting our customers’ privacy as they expect and deserve.

#####

 Today’s post pic is from Benzinga.com. See ya!

1 comment for “Decrypting iMessages at Rest, Questioning NSA Access to Apple Network Devices, and NSLs

  1. Steve Strongberg
    June 21, 2013 at 12:38 pm

    I think there really is no mystery in many ways.

    1. Many times iMessage is not used, so the standard SMS message, and all the accounting, is in use.
    2. The limits apple has is related to the passcode and passphrase. They, similar to gov. will use a brute force method to break simple passwords. The difference is they have people who built the hardware and software to liaison with.
    3. There is the issue of end point and communication between each. This however is usually a request via the network provider and not Apple. Think, if the FBI has a court order to intercept all traffic from a suspect they can issue a host of false certificates and services, all very legal.
    4. If there is a court order than Apple will have to comply. So if the court wants your data they can get it. Remember, with a court order of course.
    5. Apple is not an ad company and has worked hard to not create these huge privacy nightmare data sets. So, law enforcement may contact Apple and get data, but it is completely useless.
    6. Most law enforcement request relate to location of lost devices or people. Not as sexy as national security.
    7. iMessage and Facetime are a threat to countries that do not allow citizens access to private communications or have no laws that protect the expectation of privacy.

    In the end, I suspect with a issue such as this no matter the case no amount of detail will ever put the question to rest.

    Nice job, thanks for the analysis…

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.