Apple details what can be recovered from locked iPhones

In a new document for US law enforcement agencies, Apple has explained, in some detail, what can be recovered from locked iOS devices.

The document, entitled "Legal Process Guidelines for U.S. Law Enforcement," was posted on Apple's website yesterday and acts as a FAQ and instruction manual for law enforcement agencies and other government entities "when seeking information from Apple Inc. about users of Apple's products and services, or from Apple devices."

Among other things, Apple details when it requires a subpoena for user information and when it requires a signed search warrant, a higher legal process with a greater burden of proof for law enforcement agencies.

The document lays out specifically what information is available from Apple, including what data the company's technicians can recover from a locked iOS device. It notes that it is not possible for Apple to provide GPS data on a specific device.

Apple will share the following information with law enforcement upon presentation of a subpoena "or greater legal process":

  • Device registration and customer information
  • Customer service records
  • iTunes data, including the account holder's name, address, and telephone number, plus connection logs with IP addresses
  • Retail store purchase data like the name of a purchaser, email address, purchase amount, and more
  • Online purchase information like name, shipping address, product purchased, and IP address
  • Data about whether an iTunes gift card has been activated or redeemed, whether purchases have been made, and what user account redeemed the card
  • Basic iCloud subscriber information like name, address, email address, and telephone number, plus IP addresses and connection logs
  • Find My iPhone connection logs, but not any location information or email alerts sent through the service
  • Other available device information like MAC addresses, serial numbers, IMEI, MEID, or UDID data
  • Apple Retail Store surveillance videos dating back 30 days

Apple will provide law enforcement access to more sensitive customer data with a court order or search warrant, a higher legal standard that requires judicial oversight and approval:

  • 60 days of iCloud mail logs, consisting of records of incoming and outgoing communications, including time, date, sender, and recipient email addresses
  • A list of specific iTunes content purchased or downloaded
  • Data on Find My iPhone remote erase/wipe transactions

For the most sensitive customer information, Apple will only provide the following upon receipt of a signed search warrant:

  • iCloud email content "as it exists in the customer's mailbox"
  • Other iCloud content, including Photo Stream, Docs, Contacts, Calendars, Bookmarks, and iOS device backups, as long as the customer has elected to maintain that data on their account. "Apple does not retain deleted content once it is cleared from Apple's servers."

For investigators in physical possession of a locked iOS device, Apple can "extract certain categories of active data from passcode locked iOS devices" upon presentation of a valid search warrant. Only certain user data that is not encrypted by the passcode can be extracted, including SMS, photos, videos, contacts, audio recordings, and call history. Apple notes that it cannot provide access to email, calendar entries, or any third-party app data from a locked phone.

The data extraction process "can only be performed at Apple's Cupertino, CA headquarters" and only on devices that are in good working order. The company recommends that a law enforcement agent attend the data extraction in person for evidence preservation reasons, and requires that the agent bring a FireWire hard drive to store recovered data.

Apple repeatedly claims that it cannot track the GPS location of its devices, nor does it store any geolocation data. The company also promises to notify users of criminal legal process on their accounts, unless there is a non-disclosure order on the case or "we believe in our sole discretion that such notice may pose immediate risk of serious injury or death to a member of the public or the case relates to a child endangerment order."

Apple can also intercept users' email communications upon receipt of a Wiretap Order, but it says it cannot intercept users' iMessage or FaceTime communications, as they are end-to-end encrypted.

While many of the data requests would likely be used in routine police investigations, the explicit disclosure of what kinds of data Apple can recover from locked iPhones will be of interest to privacy enthusiasts. They will no doubt be pleased with Apple's limited abilities with regard to user data stored on its devices, as well as its requirements for judicial oversight when disclosing personal information.

About

Jordan Golson is an Apple Columnist for TechRepublic. He also writes about technology and automobiles for WIRED and MacRumors. He has worked for Apple Retail twice and has been writing about technology since 2007.
