Apple has profoundly changed how it interacts with law enforcement officials with the release of iOS 8, including how much data it can reveal to law enforcement thanks to new encryption protocols.
Earlier this year, Apple explained in detail what can be recovered from locked iOS devices for law enforcement agencies, and what level of request — whether a subpoena, warrant, or national security letter — would be required to turn over information like email content stored on iCloud, plus certain user data from locked iOS devices.
Now, with the release of iOS 8, Apple has expanded encryption and consumer protections against law enforcement searches. In a letter to customers, Apple CEO Tim Cook addresses customer concerns over user data protections, particularly following the recent theft of personal photographs belonging to dozens of celebrities that were stored on iCloud.
Cook discussed several different privacy-related topics and took a big shot at some of Apple's competitors. It's great PR and looks to reaffirm Apple's commitments to its customers. Here are some of the key quotes:
- "Two-step verification, which we encourage all our customers to use, in addition to protecting your Apple ID account information now also protects all of the data you store and keep up to date with iCloud."
- "We believe in telling you up front exactly what's going to happen to your personal information and asking for your permission before you share it with us... When we do ask to use your data, it's to provide you with a better user experience."
- "Our commitment to protecting your privacy comes from a deep respect for our customers. We know that your trust doesn't come easy. That's why we have and always will work as hard as we can to earn and keep it."
Cook goes on to emphasize that, unlike Google (which he doesn't mention by name, of course), Apple makes money from the sale of its products to customers. Namely, it makes money when it sells iPhones, iPads, Macs, and more. Google, on the other hand, offers services to users for free, but people are really the product.
"A few years ago," Cook writes, "users of internet services began to realize that when an online service is free, you're not the customer. You're the product."
Apple, on the other hand, makes money when customers buy its products, meaning Apple doesn't have any great incentive to charge for products like iPhoto or iCloud, aside from add-on items like additional online storage or products like iTunes Match — and, even then, it prices those services mostly to cover its own costs.
That said, Google has millions of customers (including me) that don't seem to mind having their data shared in exchange for free services. However, where things really get interesting is when Apple starts sharing information about government information requests.
In his letter, Cook denies reports that Apple had given access to government agencies to its servers, notably the NSA's PRISM program, saying "we have never worked with any government agency from any country to create a backdoor in any of our products or services," and adding that "we never will."
In iOS 8, data — including photos, messages, contacts, call history, notes, and reminders — is encrypted and "placed under the protection of your passcode." Apple notes that, "unlike [its] competitors," the company cannot bypass the passcode and access user data.
As a result, "it's not technically feasible" for the company to respond to government warrants to extract data from devices running iOS 8. This is a notable change from iOS 7, where Apple engineers could extract some users data from iOS devices in the hands of law enforcement.
Apple also promises to advise customers (when allowed) if their data has been requested by law enforcement, though it retains an exemption if "it is not counterproductive to the facts of the case."
In separate data, Apple reveals that some 93% of law enforcement requests come on behalf of a customer, generally to locate a stolen device. The remaining 7% sees law enforcement requesting information about a customer's iTunes or iCloud account, with "a small fraction" seeking email, photos, or other stored customer content.
All in all, less than 0.00385% of Apple's customers have had data disclosed due to government requests.
Apple has repeatedly filed amicus briefs and other legal documents looking to share more data with customers about when governments look for data. It says it received "250 or fewer" national security-related requests, the only data that it can legally disclose, though the company "would like to be more specific."
That text has now disappeared, suggesting that Apple has received a Section 215 request. It does note that Apple has not "received any orders for bulk data," suggesting the warrant that was served under the Patriot Act was highly targeted.
Despite Apple's assurances that it cannot pull data off customer devices for law enforcement, WIRED notes that third-party software can retrieve some data, even when protected by a passcode. However, even that software requires a powered on iPhone and access to a computer that has previously been used to transfer data to and from the iPhone, like a laptop or home computer.
The best way to protect against this vulnerability is to turn off a computer and phone, plus encrypt computer hard drives. This would make it significantly more difficult for governments and other third parties to extract data from devices, even when they have physical access.
Regardless, following concerns about government spying and surveillance, as well as the breaches of celebrity iCloud accounts, Apple appears to be attempting to take its user security seriously, though it may have taken longer than it really should have for that to happen.
Upgrading to iOS 8 is strongly recommended for users who are concerned about their personal privacy.
What are your thoughts about user privacy and government spying? Let us know in the comments below.