Despite strong encryption — and claims that it "doesn't scan your communications" or "store data related to customers' location" — Apple is saving some metadata from iMessage and other apps and sharing it with law enforcement agencies, according to a new report.
In a document about Apple's iMessage system obtained by The Intercept, the Florida Department of Law Enforcement's Electronic Surveillance Support Team noted that when users enter a phone number into iMessage, metadata is periodically uploaded to Apple servers to check whether a text should be routed through iMessage or standard SMS. This material includes not just phone numbers but the date and time of the lookup, and the querying user's IP address.
While the data doesn't include message contents, or even reveal when conversations happened, it could potentially be used to identify who a person is associating with, and/or trace an IP address back to a real-world location.
Responding to The Intercept, Apple acknowledged the data collection, saying that it retains logs for 30 days and hands them over when served with a valid legal request. Because these orders can sometimes be extended in 30-day blocks, though, it's possible that some people are being tracked for longer durations.
"When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession," Apple said in an official statement. "Because iMessage is encrypted end-to-end, we do not have access to the contents of those communications. In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don't contain the contents of conversations or prove that any communication actually took place."
Apart from Messages, the company didn't specify which apps are uploading metadata.
Though Apple is often considered more invested in privacy than other high-tech corporations like Google, it has regularly complied with data searches by U.S. law enforcement and spy agencies. In 2013 it was implicated in the National Security Agency's PRISM program, found to be gathering customer data en masse from a number of American tech companies, including people not suspected of any crime. Apple denied providing "direct access" to its servers, or even hearing about the program.