Apple

Apple details what can be recovered from locked iPhones

In a new document for US law enforcement agencies, Apple has explained, in some detail, what can be recovered from locked iOS devices.

Locked iOS security

The document, entitled "Legal Process Guidelines for U.S. Law Enforcement," was posted on Apple's website yesterday and acts as a FAQ and instruction manual for law enforcement agencies and other government entities "when seeking information from Apple Inc. about users of Apple's products and services, or from Apple devices."

Among other things, Apple details when it requires a subpoena for user information and when it requires a signed search warrant, a higher legal process with a greater burden of proof for law enforcement agencies.

The document lays out, in some specificity, what information is available from Apple, including what data the company's technicians can recover from a locked iOS device. It specifically notes that it is not possible for Apple to provide GPS data on a specific device.

Apple will share the following information with law enforcement upon presentation of a subpoena "or greater legal process:"

  • Device registration and customer information
  • Customer service records
  • iTunes data, including the account holder's name, address, and telephone number, plus connection logs with IP addresses
  • Retail store purchase data like the name of a purchaser, email address, purchase amount, and more
  • Online purchase information like name, shipping address, product purchased, and IP address
  • Data about whether an iTunes gift card has been activated or redeemed, whether purchases have been made, and what user account redeemed the card
  • Basic iCloud subscriber information like name, address, email address, and telephone number, plus IP addresses and connection logs
  • Find My iPhone connection logs, but not any location information or email alerts sent through the service
  • Other available device information like MAC addresses, serial numbers, IMEI, MEID, or UDID data
  • Apple Retail Store surveillance videos dating back 30 days

Apple will provide law enforcement access to more sensitive customer data with a court order or search warrant, a higher legal standard that requires judicial oversight and approval:

  • 60 days of iCloud mail logs, consisting of records of incoming and outgoing communications, including time, date, sender, and recipient email addresses
  • A list of specific iTunes content purchased or downloaded
  • Data on Find My iPhone remote erase/wipe transactions

For the most sensitive customer information, Apple will only provide the following upon receipt of a signed search warrant:

  • iCloud email content "as it exists in the customer's mailbox"
  • Other iCloud content, including Photo Stream, Docs, Contacts, Calendars, Bookmarks, and iOS device backups, as long as the customer has elected to maintain that data on their account. "Apple does not retain deleted content once it is cleared from Apple's servers."

For investigators in physical possession of a locked iOS device, Apple can "extract certain categories of active data from passcode locked iOS devices" upon presentation of a valid search warrant. Only certain user data that is not encrypted by the passcode can be extracted, including SMS, photos, videos, contacts, audio recordings, and call history. Apple notes that it cannot provide access to email, calendar entries, or any third-party app data from a locked phone.

The data extraction process "can only be performed at Apple's Cupertino, CA headquarters" and only on devices that are in good working order. The company recommends that a law enforcement agent attend the data extraction in person for evidence preservation reasons, requiring that they bring a FireWire hard drive to store recovered data.

Apple repeatedly claims that it cannot track the GPS location of its devices, nor does it store any geolocation data. The company also promises to notify users of criminal legal process on their accounts, unless there is a non-disclosure order on the case or "we believe in our sole discretion that such notice may pose immediate risk of serious injury or death to a member of the public or the case relates to a child endangerment order."

It can also intercept users' email communications upon receipt of a Wiretap Order, but Apple says it cannot intercept users' iMessage or FaceTime communications as they are end-to-end encrypted.

While many of the data requests would likely be used in routine police investigations, the explicit disclosure of what kinds of data Apple can recover from locked iPhones will be of interest to privacy enthusiasts who will no doubt be pleased with Apple's limited abilities with regards to user data stored on its devices, as well as its requirements for judicial oversight when disclosing personal information.

What are your thoughts about what data Apple can recover on locked iPhones? Let us know in the discussion thread below.

About

Jordan Golson is an Apple Columnist for TechRepublic. He also writes about technology and automobiles for WIRED and MacRumors. He has worked for Apple Retail twice and has been writing about technology since 2007.

6 comments
programit
programit

At least Apple openly admits that it does log and track user data a lot more than they use to state!

Its also been proven long ago that GPS data IS stored. The only difference now is its not in a standard file. Remember they introduced IDFA and IDFV in IOS6 with very little comment to their users, and this tracks user location at all times. "Only used for advertising!" Ha!

Then of course the NSA iPhone spying program. (Government loves the iphone, personal spying machine.) Amazing how they got all the technical info on a "CLOSED" system!

Combine this with phone services data and you have a comprehensive profile on iPhone users by simply waving a piece of paper!

Yes all phones are tracked to a degree, even android, blackberry  but at least Android gives you access and options to lock your data down ie Knox, truecrypt etc. But that means end users have freedom of choice, definitely not an Apple thing.

Apple are doing the PR thing now, with all the paranoia of modern times, and realistically they are NOT going to divulge ALL the information they track, log, access, etc.  

This seems more of an illusionist trick of diverting attention and fooling the audience rather than divulge its secrets!

Gisabun
Gisabun

Sounds like Apple is giving almost everything with the basic request.

The only thing they aren't surrendering are Siri requests [which last I heard are stored for 2 years].  

sbarman
sbarman

On one hand, you want Apple to be able to help you when you are dumb enough to forget your passcode or lose your device. On the other hand, you don't want Apple to be able to do these things because you're involved in a situation where law enforcement is investigating you. I am two thoughts:


1. Apple has set the bar saying that there has to be a legal request so as to not violate their customers' Fourth Amendments rights. Apple has set the bar even higher saying that if you want harder access that requires Apple to apply its secret sauce to get into the phone then you have to see Apple in Cuppertino. This requires that law enforcement obtain a valid court order, carry the phone to their offices, present the paperwork, have their lawyers do the due diligence, then have an engineer help law enforcement. While Apple will accept a fax and a shipped iPhone, the process is more onerous than just walking into the store and demanding action.


Unless it is a serious crime being investigated, Apple has really set the bar high. This should go a long way to prevent the vast majority of law enforcement fishing for something because they think they can.


2. If you cannot do the time, don't do the crime! If you are involved with something that rises to the level that law enforcement is asking the judge permission to search your iDevice, then you will get no sympathy from me.


A few months ago, Apple published a document about iOS security and now has published what law enforcement can expect when they want access to an iDevice. Apple has been the most open company about the security of their devices and how they go about treating their customers. For the most part, Apple is being a good corporate citizen by doing what they can to protect their customers while complying with the law. We will find that this is not perfect as some of the edge cases will cause problems, but I do not see where other companies are following suit.


So Google, Samsung, HTC, and everyone else with a Droid-based phone... now it's your turn. I think what Apple has done is reasonable. What's your vision of reasonable?

johnmckay
johnmckay

You're talking about the 'good guys' and 'your rights'. The bad guys and forensic coos will no doubt find a way to bypass all that crap. I've nothing worth the hassle on mine and suspect most decent folk wont. That leaves the bad guys and I really don't care for their data being 'secure' and 'protected'. I'd like it busted open by anyone that wants to know what they've been up to.

It's a good stance by Apple but I suspect no more than posturing in reality. And I don't care.

Had_to_be_said
Had_to_be_said

If you really believe that "the Government", or anyone wearing an official uniform, are naturally the "good guys", or think that this power is only used against the "bad guys", and not abused, then you are so ignorant of the facts, history, and reality... that you really should just sit down and shut-up.


Unless... of course... you are intentionally trying to subvert the most basic principles of "Liberty", "Freedom" and "Human Rights", upon which, this nation was founded. In which case, there are many, far uglier, words that accurately describe you.


Editor's Picks