
Apple’s new privacy policy doesn’t make iPhones impervious to law enforcement

It's unclear how truly effective the new encryption protocols adopted by Apple will be.

 

Dell Cameron


Posted on Sep 18, 2014   Updated on May 30, 2021, 1:46 pm CDT

A new privacy policy introduced by Apple claims to make it impossible for the company to hand over customer data to law enforcement, as long as the information is contained solely on a mobile device running its new operating system. That doesn’t mean that the police or FBI can’t acquire the data on their own, however.

Apple’s new policy involves the use of private encryption keys unknown to the company, which means it would be unable to fulfill a law enforcement request for certain forms of data stored on a device. It’s definitely a big shift for the company, which has until now retained access to its customers’ private data while citing a responsibility to law enforcement.

“On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode,” Apple’s new policy states.

“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

It’s unclear, however, how truly effective the new encryption protocols adopted by Apple will be. It could, in fact, be just a way for the company to capitalize on rising concerns over government surveillance. Less than 24 hours after Cook’s announcement, iOS forensics expert Jonathan Zdziarski authored a blog post describing certain flaws in the upgrade.

“Apple wants you to be able to access your photos and other information from your desktop while the phone is locked—for ease of use,” Zdziarski writes. “This, unfortunately, also opens up the capability for law enforcement to also use this mechanism to dump: your camera reel, video, and recordings; podcasts, books, and other iTunes media; all third party application data.”

Zdziarski added that existing commercial forensics tools could still be used to acquire the types of data mentioned above from a device running iOS 8. “I have tested with my own private forensics tools, as well, and confirmed this,” he said.

Apple notes that it still has the capability to access data stored on iCloud, including text, photos, and videos—a service widely used among its customers and often enabled by default. It is possible for users to adjust their settings, however, to prevent iCloud from automatically backing up their data.

For weeks, the company has been beset with controversy after the iCloud accounts of several celebrities were breached and nude photographs were stolen and published. But it’s unlikely that Apple could have engineered such extensive changes to its new operating system in response, given the time frame.

Apple’s newfound appreciation for privacy likely stems from the 15 months of top secret government surveillance revelations brought to light by National Security Agency (NSA) whistleblower Edward Snowden.

Apple is also pushing customers to use two-step verification on all devices, something the company has been criticized recently for not having done sooner. In theory, this should prevent hackers from changing a user’s Apple ID, or gaining unauthorized access to an iCloud account, by requesting a one-time code sent directly to the user’s mobile device.

In a letter published Wednesday, Apple CEO Tim Cook emphasized that any personal information used by Apple is designed to enhance user experience, but that users can opt out of sharing with the company at any time.

“Every Apple product is designed around those principles. When we do ask to use your data, it’s to provide you with a better user experience,” he said.

“I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services,” Cook added. “We have also never allowed access to our servers. And we never will.”

Photo via Apple | Remix by Jason Reed

*First Published: Sep 18, 2014, 4:51 pm CDT