Following Allo's failed privacy promises, security experts have discovered that Apple hasn't been providing its promised privacy features with iMessage either. Apple promises that your iMessageconversations are safe and are limited to your own access. New research discovers that the premier messaging service does leave some breadcrumbs that can be accessed by law enforcement and others.

The Cupertino tech giant won all hearts with its battle with the FBI over user privacy. The San Bernardino case became one of the most talked-about cases of the year as the FBI tried to use it to force tech companies into handing over data and creating security vulnerabilities in their own products. Apple stayed firm on its position of protectinguser privacy over law enforcement's incessant and often ridiculous demands of weakening user security, and came out as adetermined privacy advocate.

Apple logs your iMessage contacts

The company promises that its iMessageservice, like Telegram and WhatsApp, is free from government snooping, as the company doesn't store anything on its own servers. A latest report by The Intercept reveals that if compelled by a court order, Apple can reveal details about a user's iMessagecontacts and IP addresses.

It's not surprising that Apple has to store some metadata in its own servers in order to verify whether the recipient uses iMessageor not. While this data could be used by the state agencies, what is worrying is Apple retainingthe IP addresses. For a company that has remained outspoken aboutuser privacy, this goes against its own fight over user privacy. Apple has previously claimed that the company doesn't "store data related to customers' location." However, this data could very well be used to trackiMessageusers despite them believingthat they are using a service that touts end-to-end encryption as its primary feature.

Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form. - Apple in 2013

The company doesn't have access to the actual conversations. But this metadata can be used by sophisticated threat actors (or government agencies) to piece together information. Apple confirmed to The Intercept that these logs are only stored for 30 days. However, as the publication has pointed out,"court orders of this kind can typically be extended in an additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering."

When law enforcement presents us with a valid subpoena or court order, we provide therequestedinformationif it isin our possession.Because iMessageisencrypted end-to-end, wedo not have access to thecontents ofthosecommunications.In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps ontheir devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations orprovethat any communication actually took place. - Apple's response.

It is a routine practice for communication agencies like phone companies to hand over customer metadata to law enforcement. But iMessageis considered as a relatively secure alternative to texting. Making it possible for LEAs to track iMessageusers goes against the promises that Apple has made to its users. While we do need more technology companies to start vocallyadvocatinguserprivacy and security, tech leadersalso need to be more open about the technical details that are kepthidden under the cloaks and may reveal potentially risky information about users.

-These details come from a document "iMessage FAQ for Law Enforcement," part of a much larger cache originating from a state police agency,"The Florida Department of Law Enforcement's Electronic Surveillance Support Team."

Source & Image