In light of recent news about Apple not securing iCloud backups with end-to-end encryption, a question I’ve already seen is: If Apple does hand over my data to the FBI, are they obligated to notify me?
And the answer is: It depends. From Apple’s Legal Process Guidelines [PDF]:
Apple will notify customers/users when their Apple account information is being sought in response to legal process from government, law enforcement, or third parties, except where providing notice is explicitly prohibited by the legal process itself, by a court order Apple receives (e.g., an order under 18 U.S.C. §2705(b)), by applicable law or where Apple, in its sole discretion, believes that providing notice creates a risk of injury or death to an identifiable individual, in situations where the case relates to child endangerment, or where notice is not applicable to the underlying facts of the case.
Here’s a list of iCloud data that Apple can hand over:
- Subscriber information, like name, physical address, email address, phone number, and IP connection logs (which are retained up to 30 days).
- Mail Logs, which include records of incoming and outgoing communications such as time, date, sender email addresses, and recipient email addresses.
- Other iCloud content, which can include My Photo Stream, iCloud Photos, iCloud Drive, contacts, calendars, bookmarks, Safari browsing history, maps search history, messages, iOS device backups. It does note that Apple doesn’t retain data after it’s deleted from its servers.
- Find My iPhone. This data seems to be limited. Device location data is stored locally on the device, and Apple can’t retrieve it. Nor can Find My iPhone be turned on remotely.
- Sign-on logs with IP addresses.
- FaceTime. This data is limited as this service is end-to-end encrypted.
- iMessage. This data is limited as this service is end-to-end encrypted. Message contents can’t be shared, but metadata can be shared, which can still be put to use.
I plan to put together a list of secure alternatives to Apple services.