Last night Apple made a huge privacy-focused publicity blitz, led by a letter to the public written by CEO Tim Cook. The message was clear: Apple cares about keeping your data secure. But there's something a bit confusing about Apple's now very public privacy push. On a page explaining Apple's handling of government information requests, the company says this:
On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.
That paragraph, which outlines a new hardline stance, sounds comforting for customers. But it also flies in the face of this landing page at Apple's website, still live as of today, directed at law enforcement. Here, Apple very clearly states that it can bypass the passcode in iOS to retrieve at least some of the data stored on your device — so long as the iPhone, iPad, or iPod touch is delivered to its Cupertino headquarters first.
"Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices," Apple said in May. "Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history." The entire relevant section is included below.
Can Apple break through your passcode or not?
That's still plenty of content for authorities to dig through. But has everything changed with iOS 8? This document on iOS 8 security measures suggests that's the case, showing that Apple has extended deep encryption protections to more of its own apps. "Key system apps, such as Messages, Mail, Calendar, Contacts, and Photos use Data Protection by default, and third-party apps installed on iOS 7 or later receive this protection automatically," it reads.
Either way, Apple taking a stand doesn't guarantee unbreakable privacy; authorities can still request call logs and your non-iMessage SMS history from carriers like Verizon and AT&T through search warrants and secret government requests you'd never even know about. And Wired reports forensics tools can still break through under certain circumstances. But if Apple has indeed removed every iOS backdoor and now steadfastly refuses to assist law enforcement, the two sides will inevitably clash. And the government would potentially have a compelling case based on one law: the Communications Assistance for Law Enforcement Act.
Signed under President Bill Clinton, the legislation says that anyone building telecom equipment needs to design it to "have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic." It's controversial whether the law would apply to Apple's data, but if the company shuts out the feds entirely, as it claims to have done, it could be setting the stage for a major legal challenge under CALEA and similar laws.
We've reached out to the company in hopes of getting a definitive answer. Apple is clearly trying to be more transparent and open about privacy right now than at any point in its history, which is obviously a commendable mission. But a consistent message is critical to that effort, so hopefully the company will clear things up or update the law enforcement page in short order.
Update: The article and headline have been updated to reflect Apple's white sheet on iOS 8 security measures.