Apple Inc. (NASDAQ:AAPL) has always maintained that iMessage is secure. It claims that messages sent using the service are encrypted, and that it wouldn’t be able to intercept communications even if it was ordered to. AAPL also claims to not to store any data related to customer location.
But those claims aren’t the warm security blanket you might think.
Apple does keeps a log of who you contacted using Messages, and where you were — and it’s willing to share this information with law enforcement.
Apple has always played up the security of iMessage communications. The company goes out of its way to assure customers that despite the fact that their confidential texts are being sent using its devices, its Messages app and its servers, it is safe. From Apple and from law enforcement agencies.
In its privacy statement about iMessage, Apple states:
“Your iMessages and FaceTime calls are your business, not ours. Your communications are protected by end-to-end encryption across all your devices when you use iMessage … unlike other companies’ messaging services, Apple doesn’t scan your communications, and we wouldn’t be able to comply with a wiretap order even if we wanted to.”
The company has also gone on record claiming it does not store customers’ location data.
However, Apple Logs Your iMessage Contacts
It turns out that there’s a big iMessage security loophole that Apple doesn’t talk about. The Intercept reports AAPL has confirmed it keeps iMessages logs for 30 days. And, as it turns out, AAPL has been turning this data over to law enforcement agencies as part of criminal investigations.
Those logs don’t include the actual text sent using iMessage, but they do include the date, time and contact info for people contacted using Apple’s Messages app. In addition, they log the IP address of the sender at the time. And that IP address can provide law enforcement agencies with an accurate physical location.
The implication here is that Apple may not intercept your texts or messages on behalf of law enforcement agencies, but when compelled by a court order, it will hand over 30 days worth of iMessage data showing who you contacted, when, and where you were.
While there’s been a lot of shocked reaction to The Intercept’s reveal, it’s not as sinister as it seems.
For one thing, as The Verge notes, the contact info AAPL is logging isn’t necessarily a complete record. The numbers aren’t recorded every time Messages is used. The trigger is likely a function of the Messages functionality that switches between iMessage and SMS text depending on whether the receiving contact is online or not.
9to5Mac points out that AAPL has long been openly collecting IP addresses when users sign into iTunes and iCloud services. So nothing new there, although you’d have to actually read those Terms of Service agreements you click through to realize it. (You probably don’t.) Apple doesn’t actually record a physical location. However, investigators can analyze those IP addresses to come up with that info.
And let’s not forget that the logs AAPL is handing over aren’t the actual text of the iMessages communication. Yes, the location and contact info could be incriminating, but the police are not being given carte blanche to read your texts.
Finally, AAPL won’t hand over these log files without a court order.
The report from The Intercept may tarnish AAPL’s reputation a little and make more people suspicious of Apple’s claims about iMessage being a secure platform.
But to put things in context: It’s nothing really new, and the actual message contents are not being intercepted. Unless you’re engaged in illegal activity and using Messages to plan it all, you probably shouldn’t worry.
As of this writing, Brad Moon did not hold a position in any of the aforementioned securities.