What Apple surrenders to law enforcement when issued a subpoena
Apple won't unlock iPhones or other devices for law enforcement, but it can and will provide substantial data about a user when it gets a subpoena. Here's what Apple has access to you from your device — and what it doesn't.
Apple is not going to casually surrender information about any of its users to anyone. However, if law enforcement has a legal warrant or if the company is asked to help following an incident like the San Bernardino shootings, Apple has provided data. It's just that in this case, the data isn't seemingly enough for the authorities — yet it is genuinely the absolute most that Apple is capable of providing.
Short of introducing backdoors into iOS and macOS, as governments around the world regularly request, Apple has less data stored about you than it could because of technical limitations. They are limitations that Apple itself has created, but it's done so in order to protect the privacy of citizens.
Destroying that privacy by forging a backdoor in order to allow access to the data of criminals would destroy it for everyone. Defenders say that this backdoor could be kept secure — but if the NSA can't keep its own penetration tools safe, this seems like a specious claim. At least for the moment, then, and despite Apple's common sense argument, US Attorney General William Barr appears likely to continue pressing Apple for what he knows it cannot give him.
What Apple can provide
Apple can give the authorities the details of your iCloud account and access to any of the data that's on there — but that data is likely to be encrypted. Apple publishes a list of what data gets stored on iCloud and which of it is encrypted.
So much of what Apple has is encrypted. Your calendar and contact details are encrypted, for instance, as are your Safari bookmarks, your Notes, Photos, Reminders and so on. It's easier to say what isn't encrypted.
Out of everything from your health data to your photos and contacts, the only data not encrypted is Mail and text messages. That's not the same thing as iMessages: Apple does encrypt iMessages both as they are in transit - transmitted or received - and then when they are on Apple's servers.
Mail is encrypted in transit, but not at rest. "Consistent with standard industry practice," says Apple, "iCloud does not encrypt data stored on IMAP mail servers." There is an option to use encrypted mail, however.
Apple is physically able to give legitimate authorities your data on iCloud as it has the decryption key to much of it, but giving them iMessages means giving them the encrypted iMessages. It's not as if Apple can decrypt them for the government.
Or that's what Apple says, at least. According to data forensics company ElcomSoft, iCloud backups are "inherently much less secure" than users would hope.
"If you have iCloud backups enabled, the encryption key for iMessages will be stored in the backup," the company says in a blog.
"If the "Messages in iCloud" option is enabled, the messages themselves are NOT included in iCloud backups," it continues. "The encryption key, however, will be included and accessible by Apple (like the rest of the iCloud backup) and so available to the law enforcement."
Apple appears to confirm this in its support documentation about Apple Platform Security.
"If the user has enabled iCloud Backup, the CloudKit Service Key used for the Messages in iCloud container is backed up to iCloud to allow the user to recover their messages even if they have lost access to iCloud Keychain and their trusted devices," it says.
If you turn off this iCloud Backup feature, then a new encryption key is generated on your device "to protect future messages." This isn't stored by Apple.
From the iPhone itself
If the device is a modern iPhone, then in theory nothing can be accessed from it. Unless they have the passcode or a suspect unlocks the device for them, there is nothing at all that either law enforcement or Apple can retrieve from the device.
There have been clear exceptions, however, especially with the use of Cellebrite's software and techniques to crack various iPhones. The most recent example of this, however, was the extraction of WhatsApp data from the phone of Lev Parnas — and that was done with his permission and, seemingly, assistance.
US authorities also use a forensic tool called GrayKey, which reportedly can crack any iPhone. However, it does so by guessing the user's six-digit passcode.
Apple has been through this before
The current requests from law enforcement are not new. In response to previous ones, Apple has taken steps including a fast-track method for authorities to request what data it can provide. And Apple has also published details of what that data can be, at least within the US.
As well as iCloud data, it is possible for authorities with the correct legal backing to obtain details of a user's interactions with Apple services, such as registration information like name and address.
"Apple does not verify this information," says Apple's law enforcement guidelines, "and it may not be accurate."
On provision of the correct information regarding Apple ID and/or device details, Apple may provide iTunes subscription information. Apple can also provide details of transactions at retail or the online Apple Store, and so on.
Apple will also provide mail logs that include date/time stamps and sending/receiving email addresses, again if served with a court order. In this case, the data is only kept by Apple up to 30 days.
Devices are key
Apple says US Attorney William Barr is wrong to claim it has offered no "substantive assistance" to law enforcement. Since it did hand over iCloud data, Apple's position appears to be true.
It's still the case, though, that not even Apple can unlock a user's device. So, data that is stored there and not backed up to iCloud Drive is out of Apple's reach.