Over the last few years information privacy in the context of public safety has been the subject of much debate, from the Snowden revelations about widespread data mining in the name of national security to the argument over what role Apple should have played in helping the FBI unlock the San Bernardino shooter's iPhone.
Though headlines and stories appear with some regularity, what is rarely shown or shared is the exact process government agents use to compel private companies to hand over user data. The point of this article is not to support or oppose any side. My aim is merely to provide information, let you decide where on the moral compass these issues should sit, and, most importantly, start a debate about cloud privacy.
On July 16th 2014 Gregory Raymond Kelley, then a resident of Cedar Park, Texas, was convicted of sexually assaulting a child. The case garnered a lot of attention in the local media. Kelley agreed to a 25-year prison sentence in lieu of having a jury sentence him.
On August 2nd 2017 Kelley, whose lawyer Keith Hampton had earlier filed a Writ of Habeas Corpus petition, was in court for the first hearing on that writ.
During the hearing Texas Ranger C. Mitchell presented details of his investigation. Ranger Mitchell had been asked by the Williamson County District Attorney to conduct an investigation into Kelley's case.
In the course of Ranger Mitchell's investigation a search warrant to access Kelley's iCloud account was obtained. The warrant application, which was approved, was released to the public. I have managed to obtain a copy, and it is this which I detail below.
The warrant application itself is about 15 pages in length. Most of the document is Ranger Mitchell making a case why the warrant should be approved. Since this article is not a position piece I will focus just on what was ultimately granted to be searched.
Item #7 really piqued my attention, as it states: "Backups to include but not limited to full, unencrypted, non-password restricted backups of any and all Apple devices stored on the Cloud."
If Apple is to be believed, iCloud backups are encrypted with AES using at least 128-bit keys. Encryption alone says nothing about who holds the keys, but a warrant that demands full, unencrypted backups from Apple only makes sense if Apple can produce them. That would seem to directly imply that Apple has the means to decrypt user backup data. Indeed they do.
After some research I found a document titled Legal Process Guidelines: Government & Law Enforcement within the United States. Its second page enumerates the types of information Apple is able to provide to law enforcement. I find it quite suspicious that "Extracting Data from Passcode Locked iOS Devices" is buried in the middle at item letter I. "iCloud", which presumably includes the backup data that can be synced with iCloud, sits at letter G.
Not very surprisingly, the iCloud Terms and Conditions contain the following, again about halfway down and buried under V. Content and Your Conduct, E. Access to Your Account and Content:
Apple reserves the right to take steps Apple believes are reasonably necessary or appropriate to enforce and/or verify compliance with any part of this Agreement. You acknowledge and agree that Apple may, without liability to you, access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate, if legally required to do so or if Apple has a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to: (a) comply with legal process or request; (b) enforce this Agreement, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Apple, its users, a third party, or the public as required or permitted by law.
To be fair, this language is not unique to Apple. Most websites have similar language. What is a potential concern is that Apple is not most websites. The depth and scope of what can be stored in iCloud is staggering. Essentially all the user-generated data on your computer and phone is potentially stored there.
Though CEO Tim Cook’s statement on privacy assures us:
Finally, I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.
What is plainly lacking is any mention of Apple simply providing this information on request. A "backdoor" is hardly needed if Apple hands the data out.
Back to the iCloud terms: note the added caveat (again buried in the middle) extending disclosure to "third part[ies]" and to whatever Apple decides is "...reasonably necessary or appropriate...".
True, the guidelines relating to law enforcement requests (linked to above) seem pretty reasonable and require the execution of legal process (such as Ranger Mitchell's search warrant). What is lacking is any information on when or how Apple may release information to "third parties", and on how Apple decides what it believes is "reasonably appropriate". In legal jargon the "or" connector between "necessary" and "appropriate" means that Apple may release the information if either condition is met, as opposed to requiring both.
What about iOS Devices?
The document Legal Process Guidelines: Government & Law Enforcement within the United States makes it pretty clear that for devices running iOS 8.0 and later Apple says it cannot extract data from a passcode-locked device. What it does not address is the status of the backups of those same devices stored in iCloud. An answer, I believe, is hinted at in this statement buried in the same document:
iOS device backups may include photos and videos in the Camera Roll, device settings, app data, iMessage, SMS, and MMS messages and voicemail. All iCloud content data stored by Apple is encrypted at the location of the server.
A couple of things stand out. 1) If the backup data were encrypted in a way Apple cannot reverse, why list its contents at all? It would stand to reason that if the data were inaccessible Apple would be wise to say so explicitly, to avoid spending time on requests it cannot fulfil. After all, they did articulate that they cannot unlock devices running iOS 8.0 and later. Furthermore, voicemail and SMS data originate on the cellular network, and listing them as retrievable hints that Apple must be able to read the backup file. 2) "[E]ncrypted at the location of the server..." can mean many things, but it is consistent with server-side encryption at rest using keys that Apple holds, the same scheme that lets Apple retrieve any other iCloud user data, which we already know Apple can make available to law enforcement. Encryption at rest with provider-held keys protects the data against someone who walks off with a disk; it does nothing against the provider itself, or against anyone who can compel the provider.
If this is the case, the fact that Apple claims (and I do not doubt it) that it cannot unlock a device running iOS 8.0 or later is largely irrelevant so long as the user backs that phone up to iCloud. The passcode does not need to be bypassed, because the backup falls into the same pool of data as everything else Apple can retrieve from iCloud.
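The distinction the argument above turns on is who holds the key. The following Go program is an added illustration, not code from Apple or from the warrant, and it models the two designs with constructed data: a "server-side" backup sealed under a master key the provider keeps, and an "end-to-end" backup sealed under a key derived on the device from the user's passcode, which the provider never sees. The payload, the passcode and the provider master key are all made up for the example; the key-derivation function is a single-block PBKDF2-HMAC-SHA256 written inline so that the program needs only the standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample "backup" payload for the example; not real iCloud data.
var sampleBackup = []byte("SMS: hello; Photo: IMG_0001.jpg; iMessage: see you at 5")

// Hypothetical provider-held master key: models a key the service controls
// and can therefore use to answer a warrant. Randomly generated here.
var providerMasterKey = mustRandom(32)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts plaintext with AES-256-GCM under key and prefixes the nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// open reverses seal. GCM's authentication tag makes any wrong key fail
// loudly instead of returning garbage.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// pbkdf2SHA256 derives one 32-byte block of PBKDF2-HMAC-SHA256 from a passcode.
// This runs on the device; the provider only ever sees the resulting ciphertext.
func pbkdf2SHA256(passcode, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, passcode)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// ServerSideBackup models "encrypted at rest": the provider picks and keeps
// the key, so a warrant served on the provider yields plaintext.
func ServerSideBackup(plaintext []byte) ([]byte, error) {
	return seal(providerMasterKey, plaintext)
}

// EndToEndBackup models a device-held secret: the key comes from the passcode
// and a per-user salt, and the provider stores ciphertext it cannot open.
func EndToEndBackup(passcode string, salt, plaintext []byte) ([]byte, error) {
	return seal(pbkdf2SHA256([]byte(passcode), salt, 100000), plaintext)
}

// ProviderCanDecrypt is the question the warrant implicitly asks of Apple.
func ProviderCanDecrypt(blob []byte) bool {
	_, err := open(providerMasterKey, blob)
	return err == nil
}

// UserDecrypt is what the device does on restore.
func UserDecrypt(passcode string, salt, blob []byte) ([]byte, error) {
	return open(pbkdf2SHA256([]byte(passcode), salt, 100000), blob)
}

func main() {
	salt := mustRandom(16)
	s, _ := ServerSideBackup(sampleBackup)
	e, _ := EndToEndBackup("1234", salt, sampleBackup)
	fmt.Println("server-side backup, provider can decrypt:", ProviderCanDecrypt(s))
	fmt.Println("end-to-end backup,  provider can decrypt:", ProviderCanDecrypt(e))
	p, err := UserDecrypt("1234", salt, e)
	fmt.Println("end-to-end backup,  user restore ok:", err == nil && string(p) == string(sampleBackup))
}
```

Both blobs are "AES-encrypted" and both are "encrypted at the server", yet only the second is out of the provider's reach; a statement about the cipher or the storage location says nothing about which model is in use, which is exactly the ambiguity in the guideline wording quoted above.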
Indeed, Ranger Mitchell's search warrant seems to expect that iOS backup data will be returned, since that is precisely what it specifies.
Many questions remain. I hope this information starts a dialogue and eventually gets answers about exactly how our data is stored, secured and retrieved.
Thank you for reading.