Apple automatically uploading iPhone call logs to iCloud, forensics firm says [u]
Any iPhone user with iCloud Drive enabled is having their call logs automatically uploaded to Apple servers -- without their consent, and whether or not they have backups enabled, a Russian security firm said on Thursday. [Updated with statement from Apple]
The uploads happen "almost in real time, though sometimes only in a few hours," Elcomsoft CEO Vladimir Katalov told Forbes. The logs are said to include FaceTime calls as well, and in the case of iOS 10, missed calls from third-party apps like Skype and WhatsApp.
iPhone owners can stop the uploads by disabling iCloud Drive, Katalov noted, but this cuts off other iCloud-related features and can stop some apps from working.
The data could potentially be useful to government agencies with warrants or other legal access. Officially, though, Apple says the only iCloud data it can provide to agencies includes email logs and content, text messages, photos, documents, contacts, calendars, bookmarks, and iOS device backups.
Apple also says it doesn't hold onto FaceTime call data for more than 30 days, but Elcomsoft said it was able to extract call logs going back over four months. Presumably, deleting a call from an iPhone's logs would also delete that from the iCloud Drive backup.
Apple mentions call histories being included in iCloud backups as part of a security whitepaper, but it's likely that most people haven't seen the document.
iOS forensics expert Jonathan Zdziarski suggested to Forbes that the tracking is likely just an oversight related to the handoffs needed for Apple's calling technology, which for instance allows people to seamlessly shift between devices.
"They need to be able to sync a lot of that call data," he said. "I suspect whatever software engineer wrote that part of it probably decided to just go and stick that data in your iCloud Drive because that's kind of what its purpose is."
Apple could theoretically add end-to-end encryption to iCloud, but this might create even more conflict with U.S. spy and law enforcement agencies, which are already upset about their inability to break into iOS devices. The company stores the keys for iCloud accounts at its U.S. datacenters, allowing them to serve up (readable) data on demand.
Update: An Apple spokesman has provided a statement to AppleInsider:
"We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices. Apple is deeply committed to safeguarding our customers' data. That's why we give our customers the ability to keep their data private. Device data is encrypted with a user's passcode, and access to iCloud data including backups requires the user's Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication."
Comments
You know who else keeps a record of your calls? Your carrier. And you don't have any ability to opt-out of their tracking under any circumstances. And who knows how long they keep those records. I've looked at year-old detailed cell phone bills and seen all the numbers for incoming and outgoing calls.
Edited. Forgot one more thing. Carriers also track which cell towers your phone connects to.
I worked a long time for a government contractor and we required strong privacy and encryption on all of our computers, especially unclassified systems. Just because you don't care doesn't mean the vast majority of people don't need it even though many of these don't understand that fact. Apple is being a big brother/sister without asking because there are way too many people who just don't understand things and need this help. If you wanted to be a responsible person, I'd suggest you spend your time educating people who don't understand how to protect themselves instead of demanding Apple turn into another cheap advertising company who don't produce anything of value (yes, I start with Google, then Facebook and all the other social networks).
THEY WILL NOT DECRYPT A HANDSET... but they will hand over the iCloud data. And the NSA has capabilities to decrypt that data...
So it looks like you will have to turn off iCloud backups if you don't want your call logs to end up in the wrong hands...
sog35 said:
BTW I do give 2 sheets about privacy.
I use Facebook sometimes, I have to - everyone I know is there. It doesn't mean I can't care about privacy. I do very much. When presented with a choice, I use iOS because of many things but one of those things is that I can enjoy all the advantages of the latest technology without Apple knowing my every move. I am the customer, not the corporations looking to advertise. That's important to me, and I suspect the majority of Apple customers.
FYI - Steve Jobs had the exact same stance on privacy.
Google and Facebook already allow opt-out of their services. The hardware makers have all caught up to Apple for now. What would distinguish Apple from their competitors in your customer choice fantasy? Higher prices?
Cook claims that they won't be involved with the process of collecting this type of data, that when it's a free service YOU are the product. Apple's values lie in a different direction. It's tilting after windmills to insist that they make a change. Your "facts" and argument don't make sense.
Seriously, is there nothing you wouldn't give up for your portfolio? The importance you attach to your money (to the exclusion of everything else) is quite disturbing.
Your argument is illogical, but to debate with your train of thought: Apple do collect your data, of course they do. They just anonymise and/or encrypt it and don't, unless the service specifically requires it, tie it back to you. How do you think they recommend news to you in News, and new artists to you in Music?
However Facebook are not the same as Apple. Apple are not a social network, nor do they try to be. Facebook are. Google offer a device to customers, and a platform for other OEMs to build devices. Does Android collect a lot about you? Yes. More than iOS? Yes. Does it have to to provide better services? No. Google's choice has been to collect everything they can. As they are an advertising company it is built into the corporate DNA. It takes the likes of the EU to put them in their place with regard to data privacy. Apple are a hardware/software company so it's not in their corporate DNA to collect and use all the data about you they can.
With regard to your other points: Apple did have an advertising unit. It went away because they couldn't offer such invasive profiling as Google, Facebook and increasingly Snap can. That's not bad news because Apple is not an advertising company so why do something they don't want to do. They aren't a conglomerate. They write software and design hardware.
Apple collects massive amounts of data regarding your behaviour. Read about their approach which guarantees your privacy in other articles recently.
All in all, do I want to be advertised to? No. What has that got to do with the device I use? It shouldn't. However, as I'm the customer I choose to pay for my device, not have the OS development underwritten by advertising revenue. This is my choice, and I do have a choice. Whether I run Facebook or Google services on top of this device is another choice. Do I like them profiling me against all those little 'Like' buttons on EVERY web page in existence? No. So I block them, like so many other people - with an ad blocker. The same for those Google + buttons, and Google's ad network. All blocked. I am exercising my right to privacy as best as I am able. I can't think of any Google services which I must use because they are significantly better than non-Google services which give me more privacy. Not one. My privacy is in good shape and I'm missing nothing by insisting on it.
I made a decision years ago to never sign up to any Google service NOR to any Social Media site. The less they know about you the better.
If you google for me using my name, you find other people with my name but not me. That means I'm not the product.
There is a reason that the Military uses the term 'Need to know'.
Advertising is also evil. It sets out to make you buy stuff that you don't want or can't afford using a weakness in the human psyche. And yes I did spend 4 years working for an Ad company. It was there that I reached my opinion about it.
If I get a 'targeted' advert (I'm looking at you Amazon) then I ignore it and buy something else (or nothing at all).
So Sog35 why don't you leave this place and go over to the Google place where you will be amongst friends and you can slag off Apple to your heart's content and get upvoted for it. You obviously hate everything about Apple and have done for some time. Time to quit.
I personally am one of those that are with Apple for not only their high standards but also their stance on Privacy and in no way want Apple to relax their stance on it.