Apple Releases Statement on Customer Privacy and Law Enforcement Requests for Customer Data

MacRumors

macrumors bot
Original poster
Apr 12, 2001
46,368
8,773



In the wake of a public revelation of "PRISM", a top secret intelligence gathering program run by the U.S. National Security Agency in which Apple was reportedly among a number of companies providing the government with direct access to user data, Apple has now issued a "Commitment to Customer Privacy" statement addressing the issue.

According to Apple, no agency has direct access to customer data, and each request for data by law enforcement is evaluated by Apple's legal team to determine the legitimacy of the claim.
From December 1, 2012 to May 31, 2013, Apple received between 4,000 and 5,000 requests from U.S. law enforcement for customer data. Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters. The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer's disease, or hoping to prevent a suicide.

Regardless of the circumstances, our Legal team conducts an evaluation of each request and, only if appropriate, we retrieve and deliver the narrowest possible set of information to the authorities. In fact, from time to time when we see inconsistencies or inaccuracies in a request, we will refuse to fulfill it.
Apple goes on to note that there are certain categories of information that it does not provide to law enforcement, either because the company never stores it in the first place or is unable to decrypt it. Specifically, Apple notes that iMessage and FaceTime conversations are unable to be decrypted by Apple and that customer location data, Maps searches, and Siri requests are not stored by Apple in any form that could be tied to a specific user.

Note: Due to the political nature of the discussion regarding this topic, the comment thread is located in our Politics, Religion, Social Issues forum. All MacRumors forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Article Link: Apple Releases Statement on Customer Privacy and Law Enforcement Requests for Customer Data
 

furi0usbee

macrumors 68000
Jul 11, 2008
1,781
1,248
Hey wait, what about my FileVault password that I let Apple store... in case I forget.. does the NSA get that? I guess I'm creating a new FileVault and not giving Apple access to "hold" it for me.

Bryan
 

spacehog371

macrumors regular
Dec 13, 2003
238
0
Hey wait, what about my FileVault password that I let Apple store... in case I forget.. does the NSA get that? I guess I'm creating a new FileVault and not giving Apple access to "hold" it for me.

Bryan
By allowing Apple to store it, they have access to it and would be able to give it to Law Enforcement. As you stated, the solution is to disable it and then re-enable it and don't use the option to allow Apple to hold the key in case you lose it.

----------

It's the carriers that store your information not apple.
If Apple can't decrypt the information, the carriers can't either.
 

SandboxGeneral

Moderator emeritus
Sep 8, 2010
25,541
8,384
Detroit
Last week's podcast on TWiT.tv, Security Now, Steve Gibson detailed how the NSA is obtaining data and how companies themselves are not participating or cooperating with them outside of court orders and requests.

Basically, they're tapping into the fiber optic feeds at the ISP level and splitting the light waves off (hence the term Prism) to their own routers and equipment. This is all done upstream of companies like Apple and Google. So the NSA is getting that data before it ever makes it's way to Apple, Google et al...

Skip ahead to about 57:31 to get the technical details of this.

 

kot

macrumors regular
Sep 10, 2011
161
0
By allowing Apple to store it, they have access to it and would be able to give it to Law Enforcement. As you stated, the solution is to disable it and then re-enable it and don't use the option to allow Apple to hold the key in case you lose it.

----------



If Apple can't decrypt the information, the carriers can't either.
AFAIK before the key is sent to Apple, it is encrypted with your "secret answers" so if you forget them, no Apple will be able to help you, all your data is lost.
 

spacehog371

macrumors regular
Dec 13, 2003
238
0
So the NSA is getting that data before it ever makes it's way to Apple, Google et al...
There is no one on earth with the computing power necessary to break the encryption Apple uses. The same encryption is in use by the military, banks, etc. They may be getting the data scrambled, but they can't decrypt it.
 

SandboxGeneral

Moderator emeritus
Sep 8, 2010
25,541
8,384
Detroit
There is no one on earth with the computing power necessary to break the encryption Apple uses. The same encryption is in use by the military, banks, etc. They may be getting the data scrambled, but they can't decrypt it.
While that is true, PGP when used properly is virtually un-crackable, that doesn't stop the NSA from gathering the data and storing it.

There is plenty of un-encrypted data flowing through ISP's that is being gathered and easily analyzed.
 

arcite

macrumors 6502a
While that is true, PGP when used properly is virtually un-crackable, that doesn't stop the NSA from gathering the data and storing it.

There is plenty of un-encrypted data flowing through ISP's that is being gathered and easily analyzed.
Of course, the vast majority of people have nothing to hide, as they aren't doing anything particularity interesting, nor illegal. However Meta-data analysis is becoming increasingly powerful and useful in deriving useful information from the chaos.
 

whooleytoo

macrumors 604
Aug 2, 2002
6,560
628
Cork, Ireland.
Unless they state how many requests they refused, it's a bit meaningless. If they received ~4,000 and only refused a handful, it doesn't mean much.

I doubt if even Apple has the will or resources to scour through thousands of data access requests and give them any kind of meaningful review.
 

osofast240sx

macrumors 68030
Mar 25, 2011
2,521
1
By allowing Apple to store it, they have access to it and would be able to give it to Law Enforcement. As you stated, the solution is to disable it and then re-enable it and don't use the option to allow Apple to hold the key in case you lose it.

----------



If Apple can't decrypt the information, the carriers can't either.
Are u 100% sure?
 

Thunderhawks

Suspended
Feb 17, 2009
4,057
2,087
Lots of appropriate songs on it for that situation too:

1. "Speak to Me"
2. "Breathe"
3. "On the Run"
4. "Time"
5. "The Great Gig in the Sky"
Side 2
1. "Money"
2. "Us and Them"
3. "Any Colour You Like"
4. "Brain Damage"
5. "Eclipse"
 

charlituna

macrumors G3
Jun 11, 2008
9,629
805
Los Angeles, CA
Hey wait, what about my FileVault password that I let Apple store... in case I forget.. does the NSA get that? I guess I'm creating a new FileVault and not giving Apple access to "hold" it for me.

Bryan
Paranoid much. They would only give it up under a verified warrant etc.

You brewing meth or something to get law enforcement on your back? No, then they won't get a warrant for your information
 

iceterminal

macrumors 68000
May 25, 2008
1,870
27
Dallas Tx.
What I noticed is that they say they have their "legal team" review each request. Which is nice. However, did anyone else notice they didn't even state one time they required a warrant for the information?

Nope. They just said "we looked at it and said sure". No warrant needed for them to give up personal information. Regardless of the situation, Apple is saying they are the judge and jury.

Scares the hell out of me.
 

SandboxGeneral

Moderator emeritus
Sep 8, 2010
25,541
8,384
Detroit
Are u 100% sure?
If the encryption is using PGP, then yes, one can be about as certain as gravity that it's protected. PGP has been pounded on for years by all the "experts," and it's never been broken. However, anything is possible and I'd say there is a 99.999999% certainty that it's safe.

PGP Security quality
To the best of publicly available information, there is no known method which will allow a person or group to break PGP encryption by cryptographic or computational means. Indeed, in 1996, cryptographer Bruce Schneier characterized an early version as being "the closest you're likely to get to military-grade encryption."[1] Early versions of PGP have been found to have theoretical vulnerabilities and so current versions are recommended. In addition to protecting data in transit over a network, PGP encryption can also be used to protect data in long-term data storage such as disk files. These long-term storage options are also known as data at rest, i.e. data stored, not in transit.

The cryptographic security of PGP encryption depends on the assumption that the algorithms used are unbreakable by direct cryptanalysis with current equipment and techniques. For instance, in the original version the RSA algorithm was used to encrypt session keys. RSA's security depends upon the one-way function nature of mathematical integer factoring.[2] Similarly, the symmetric key algorithm used in PGP version 2 was IDEA, which might at some point in the future be found to have previously undetected cryptanalytic flaws. Specific instances of current PGP or IDEA insecurities (if they exist) are not publicly known. As current versions of PGP have added additional encryption algorithms, the degree of their cryptographic vulnerability varies with the algorithm used. In practice, each of the algorithms in current use are not publicly known to have cryptanalytic weaknesses.

New versions of PGP are released periodically and vulnerabilities are fixed by developers as they come to light. Any agency wanting to read PGP messages would probably use easier means than standard cryptanalysis, e.g. rubber-hose cryptanalysis or black-bag cryptanalysis i.e. installing some form of trojan horse or keystroke logging software/hardware on the target computer to capture encrypted keyrings and their passwords. The FBI has already used this attack against PGP[3][4] in its investigations. However, any such vulnerabilities apply not just to PGP but to all encryption software.

In 2003 an incident involving seized Psion PDAs belonging to members of the Red Brigade indicated that neither the Italian police nor the FBI were able to decrypt PGP-encrypted files stored on them.[5]

A more recent incident in December 2006 (see United States v. Boucher) involving US customs agents and a seized laptop PC which allegedly contained child pornography indicates that US government agencies find it "nearly impossible" to access PGP-encrypted files. Additionally, a judge ruling on the same case in November 2007 has stated that forcing the suspect to reveal his PGP passphrase would violate his Fifth Amendment rights i.e. a suspect's constitutional right not to incriminate himself.[6][7] The Fifth Amendment issue has been opened again as the case was appealed and the federal judge again ordered the defendant to provide the key.[8]

Evidence suggests that as of 2007, British police investigators are unable to break PGP,[9] so instead have resorted to using RIPA legislation to demand the passwords/keys. In November 2009 a British citizen was convicted under RIPA legislation and jailed for nine months for refusing to provide police investigators with encryption keys to PGP-encrypted files.[10]
 
Last edited:

charlituna

macrumors G3
Jun 11, 2008
9,629
805
Los Angeles, CA
Last week's podcast on TWiT.tv, Security Now, Steve Gibson detailed how the NSA is obtaining data and how companies themselves are not participating or cooperating with them outside of court orders and requests.
Or his guess on how. Since they aren't likely to have released this detail to the public 'for security reasons'
 

notabadname

macrumors 65816
Jan 4, 2010
1,323
353
Detroit Suburbs
Most notable that no iMessage or FaceTime data is decrypted, and no location data, map data or SIRI requests can be tied to users. That satisfies my basic needs for privacy.
 

gnasher729

macrumors P6
Nov 25, 2005
16,570
3,148
Hey wait, what about my FileVault password that I let Apple store... in case I forget.. does the NSA get that? I guess I'm creating a new FileVault and not giving Apple access to "hold" it for me.

Bryan
You didn't read anything, did you?

But go ahead. Waste your time.

Or maybe you could switch on your brain: Even with the FileVault key, how would Apple access data on your computer? FileVault only matters if your computer is turned on. And when your computer is turned on, _you_ enter the FileVault password, and the data on the drive is readable. For this to make any difference, the NSA would have to get your hard drive and then get the keys.

Or maybe you could for a moment forget your paranoia. These keys don't store themselves, someone has to write code for it. And that person is a highly intelligent software developer, who with 99% certainty wouldn't just follow orders (maybe they would; I'm not American, so maybe American people are wimps without a backbone who just do as they are told, I hope they are not). It's the kind of thing that is hard to achieve and impossible to keep secret. And how exactly would doing this benefit Apple?