Any iPhone user with iCloud Drive enabled is having their call logs automatically uploaded to Apple servers — without their consent, and whether or not they have backups enabled, a Russian security firm said on Thursday. [Updated with statement from Apple]
The uploads happen "almost in real time, though sometimes only in a few hours," Elcomsoft CEO Vladimir Katalov told Forbes. The logs are said to include FaceTime calls as well, and in the case of iOS 10, missed calls from third-party apps like Skype and WhatsApp.
iPhone owners can stop the uploads by disabling iCloud Drive, Katalov noted, but this cuts off other iCloud-related features and can stop some apps from working.
The data could potentially be useful to government agencies with warrants or other legal access. Officially, though, Apple says the only iCloud data it can provide to agencies includes email logs and content, text messages, photos, documents, contacts, calendars, bookmarks, and iOS device backups.
Apple also says it doesn't hold onto FaceTime call data for more than 30 days, but Elcomsoft said it was able to extract call logs going back over four months. Presumably, deleting a call from an iPhone's logs would also delete that from the iCloud Drive backup.
Apple mentions call histories being included in iCloud backups as part of security whitepaper, but it's likely that most people haven't seen the document.
iOS forensics expert Jonathan Zdziarski suggested to Forbes that the tracking is likely just an oversight related to the handoffs needed for Apple's calling technology, which for instance allows people to seamlessly shift between devices.
"They need to be able to sync a lot of that call data," he said. "I suspect whatever software engineer wrote that part of it probably decided to just go and stick that data in your iCloud Drive because that's kind of what it's purpose is."
Apple could theoretically add end-to-end encryption to iCloud, but this might create even more conflict with U.S. spy and law enforcement agencies, which are already upset about their inability to break into iOS devices. The company stores the keys for iCloud accounts at its U.S. datacenters, allowing them to serve up (readable) data on demand.
Update: An Apple spokesman has provided a statement to AppleInsider:
"We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices. Apple is deeply committed to safeguarding our customers' data. That's why we give our customers the ability to keep their data private. Device data is encrypted with a user's passcode, and access to iCloud data including backups requires the user's Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication."
49 Comments
Non-story by someone needing some free publicity for their company.
You know who else keeps a record of your calls? Your carrier. And you don't have any ability to opt-out of their tracking under any circumstances. And who knows how long they keep those records. I've looked at year-old detailed cell phone bills and seen all the numbers for incoming and outgoing calls.
Edited. Forgot one more thing. Carriers also track which cell towers your phone connects to.
Even if the majority of individual users these post authors may be aware of may not care, there are legal jurisdictions (I am in one) that prohibit storing data beyond the immediate territorial/legal border, as it regards confidential and sensitive client data, and so in effect making iCloud illegal for use for such work... In terms of export sales with the new US governance next year could such policies become increasingly ubiquitous and restrictive? The only solutions I can think of for Apple is to either make sure one can properly turn such services off, or perhaps a macOS server version of iCloud, which could be run locally, with encryption that ensures routing (the internet routes far and wide) is secure... Given the privacy creep of all things iCloud into the OSs, I hope Apple comes up with an option that allows for legal use beyond the mindset of the US border...