If you’ve ever backed up your iPhone or iPad to Apple’s servers, which many devices do nightly, that data – all your data, really – can be disclosed if legally compelled.
This data could include text messages, photos, videos, contacts, audio recordings and call history, but does not include e-mail, calendar entries, or any third-party app data. (E-mail, which is stored on Apple’s servers, requires a separate warrant.)
The guidelines don’t apply to requests made by law enforcement agencies outside the U.S., of course. But they very likely offer insight into similar requests that government and law enforcement agencies in Canada and abroad could be allowed to make.
In February, it was revealed that just such a request was made by Toronto Police during the investigation of Toronto Mayor Rob Ford’s friend and occasional driver Sandro Lisi – with a warrant – for access to the contents of Mr. Lisi’s iPhone.
According to Apple’s most recent transparency report, six account information requests came from Canadian authorities in the first half of 2013, with some data disclosed for four of those requests. Another 38 device information requests were also made during the same time period, with some data disclosed for almost all, or 35 of those requests.
In the U.S., according to Apple’s guidelines, Apple will notify users of requests for their data, unless prevented by law. But in Canada, according to those same documents, Apple will not notify users in Canada when their data is requested by government agencies under any circumstance.
An Apple Canada spokesperson declined to clarify whether this notification policy is still in effect.
“I’m surprised to see a technology company have an explicit written practice that’s a policy in the U.S., and do something differently in Canada,” said said David Fraser, an Internet, technology and privacy lawyer and partner at the Halifax firm McInnes Cooper. He noted that other U.S. companies operating in Canada can and have notified users of requests for data in the past.
“The exact same principles, I would think, would apply.”
When telecommunications companies were asked in 2011 by the Privacy Commissioner of Canada to explain disclosure practices – “Do you notify your customers, when the law allows, that their information has been requested, thus giving them an opportunity to contest the request in court?” – the answer from each was no.
While many technology companies – in the U.S., at least – now publish regular transparency reports detailing aggregate government and law enforcement disclosure statistics worldwide, publishing guidelines given to law enforcement is a new step.
In the past, law enforcement guidelines from other companies such as Google, Twitter, Yahoo, and Facebook were only revealed via leaks online.
“I don’t think you would have seen this document two years ago, frankly,” Mr. Fraser said. “But you’re seeing it now, in large measure I think, because of the efforts of certain tech companies really leading the way in terms of transparency and wanting to be out there, not only for their consumer to know, but for the wider community to know, and also for law enforcement to understand what can they get and what can’t they get.”
This should also serve to remind Canadians of the sorry state of transparency here at home, where technology and telecommunications companies refuse to report disclosures – let alone detail what can be asked of them – and voluntary, warrantless disclosures to law enforcement agencies are seemingly the norm.
“Certainly that is the most detailed such document that I have seen that a company has made publicly available,” Mr. Fraser.
Just this week, the Canadian government’s Standing Committee on Justice and Human Rights met to further discuss the implications of proposed bill C-13 – colloquially known as the government’s cyberbullying bill, but which actually increases the number of public officers that can request voluntary, warrantless disclosure of private data, and provides legal immunity for companies that do.
Another related act, Bill S-4, proposes that companies can provide voluntary, warrantless disclosures of data in secret, without knowledge of an affected user – effectively codifying a practice that is already taking place.
Canadian telecommunications companies have refused to detail the number or frequency of their disclosures, warranted or otherwise – despite reports that a subset of Canada’s carriers alone received a whopping 1.2 million requests for data in 2011.
BlackBerry, the closest thing Canada still has to a technology giant, would only point to a vague legal policy page in response to questions about its own law enforcement guidelines.
The other parts of Apple’s disclosure are important because it details the type of data the company collects from its users – and more importantly, what can be provided to law enforcement in response to a court-ordered warrant or request. While many of the legal process guidelines for U.S. law enforcement agencies released on Wednesday shouldn’t come as a surprise, they confirm what many have suspected. Some of the key disclosures include:
- Apple discloses such basic customer data as a user’s name, e-mail address, telephone number, IP address and transaction history. That is similar to what can be obtained from other technology and telecommunication companies through similar legal means.
- Though Apple is unable provide the passcode to an iOS device, it can attempt “to extract some data from a locked device with a valid search warrant.” Data extraction can only be done at Apple’s Cupertino, Calif. headquarters, and if data on the device is encrypted, it’s up to law enforcement agencies to decrypt that data themselves.
- Law enforcement agencies may not even require access to a physical device. Apple’s cloud storage and syncing service iCloud – which is an integral part of all recent iPhones, iPads, and increasingly, Macs – stores “music, photos, applications, contacts, calendars, and documents.” But it also enables users to back up their iOS devices to the cloud. Having access to an iCloud backup could be just as useful as having physical access to the device itself.
- There are things that Apple claims it can’t do. For example, the company “does not track geo-location of devices,” it maintains, and cannot remotely activate a device’s “Find My iPhone” or iPad feature for law enforcement. “Apple does not have GPS information for a specific device,” the document states.
- Though Apple’s ability to intercept iMessages has also been contested, the company also maintains that it cannot intercept such messages, “as these communications are end-to-end encrypted.”