Chatting with your friend on iMessage and thinking that your conversations are safe and out of reach of anyone other than you and your friend? No, they're not.
End-to-end encryption doesn’t mean that your iMessages are secure enough to hide your trace, because Apple not only stores a lot of information about your iMessages that could reveal your contacts and location, but even shares that information with law enforcement via court orders.
According to a new document obtained by The Intercept, Apple records a log of which phone numbers you typed into your iPhone for a message conversation, along with the date and time when you entered those numbers as well as your IP address, which could be used to identify your location.
In fact, every time a user types a phone number into their iPhone for a message conversation, iMessage contacts Apple servers to find out whether to route a given message over the iMessage system.
"Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not," The Intercept reports.
Moreover, the company is compelled to turn over this information to law enforcement with a valid court order, generally "pen register" or "trap and trace device" warrants, which are very easy to obtain.
Pen register warrants are routinely being used to compel telephone companies to provide metadata about customers’ phone calls to law enforcement.
Apple Logs Your IP Address (Location)
But it’s surprising that Apple, which has positioned itself as a staunch defender of its users’ privacy by refusing to provide federal officials with encryption backdoors into its products, hands over its users’ information on iMessage contacts under such warrants.
The report also points out that keeping logs of users’ IP addresses, which could be used to reveal one’s actual location, is contrary to Apple’s 2013 claim that the company "do not store data related to customers’ location."
The Intercept obtained the document, titled ‘iMessage FAQ for Law Enforcement,’ about Apple’s iMessage logs as part of a much larger cache originating from within a state police agency, "The Florida Department of Law Enforcement’s Electronic Surveillance Support Team."
The team facilitates mass data collection for law enforcement using controversial tools such as Stingrays, along with the help of conventional techniques like pen register and trap and trace device warrants.
Although your iMessages are end-to-end encrypted, it doesn’t mean that all Apple users are enjoying the company’s so-called privacy benefit.
If you have enabled iCloud Backup on your Apple devices to keep a backup of your data, the copies of all your messages, photographs and all other important data stored on your device are encrypted on iCloud using a key controlled by Apple, and not you.
So, Apple can still read your end-to-end encrypted iMessages, if it wants.
Even if you trust the company not to provide your decrypted data to law enforcement (just don’t forget the San Bernardino case, in which Apple helped the FBI with the iCloud backup of the shooter’s iPhone), anyone who breaks into your iCloud account could see your personal and confidential data.
Apple Deliberately Weakens Backup Encryption
Fortunately, it is possible to store your backups locally through iTunes, though it is not such an obvious choice for an average user.
What’s even worse is that a recent issue in the local password-protected iTunes backups affects the encryption strength for backups of devices on iOS 10, allowing attackers to brute-force the password for a user’s local backup 2,500 times faster than was possible on iOS 9.
Apple has already confirmed that the issue exists and that a fix will be included in an upcoming update.
However, in response to the latest report about iMessage logs, Apple provided the following statement:
"When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession. Because iMessage is encrypted end-to-end, we do not have access to the contents of those communications. In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations or prove that any communication actually took place."
The Florida Department of Law Enforcement has yet to comment on the matter.