There's possible bad news for privacy advocates and Apple customers alike: a sharp-eyed look at Apple's two most recent Transparency Reports (more specifically, what's not in them) suggests that, despite the company's recent announcements affirming its strong commitment to protecting customers' privacy, it might have been forced to secretly spy on people under provisions of the Patriot Act.
First, a little background: Apple CEO Tim Cook made privacy-related headlines twice this week, first for giving a televised interview to PBS' Charlie Rose where, among other things, Cook said the company is not in the business of collecting or selling people's private information. He also discussed (and obliquely criticized) the U.S. government's mass, warrantless surveillance of its citizens, and other revelations exposed by former NSA whistleblower Edward Snowden.
“I don’t think that the country or the government’s found the right balance. I think they erred too much on the collect everything side. And I think the [U.S.] president and the [Obama] administration is committed to kind of moving that pendulum back,” Cook said to Rose.
A couple days later, Apple updated its Privacy Policy, promising more stringent protections for customers' personal data. Cook also released an open letter saying, in part, that “Finally, I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.”
Incidentally, Cook's statement in no way contradicts the suggestion “Apple has handed sensitive customer data over to the government;” it only specifies that the government wasn't able to reach in and grab such data by itself.
Gag order
Cook released his letter on Sept. 17. The very next day, Gigoam.com discovered that a look at Apple's two most recent Transparency Reports (from a total of three) strongly suggests the FBI or some other branch of government is secretly forcing Apple to spy on its customers, though the company is legally forbidden to admit this since it's operating under a legal gag order.
Such claims might sound like a paranoid conspiracy theory, but under modern U.S. law – specifically the Patriot Act – they are all-too-plausible.
Apple didn't get into the habit of writing and releasing Transparency Reports until last November, when it issued its first-ever such report, including some language which BoingBoing's Cory Doctorow first identified as a potential “warrant canary.”
The phrase “warrant canary” stems from the older saying “canary in a coal mine,” which in turn alludes to a common mining practice from the old days: before going down into the mines for a day's work, miners first had to make sure no poisonous or suffocating gases had collected there overnight. So before descending into the mine themselves, they'd lower a cage holding a canary or other small bird. If the bird lived, that proved the air in the mine safe to breathe. But if the bird died, the miners knew something was wrong.
Secrets are secret
A warrant canary is a statement meant to show that an organization, such as a tech company or even a public library, has not been forced to comply with a secret (and possibly warrantless) government investigation coupled with a gag order. And should the warrant canary later disappear, that suggests the opposite.
In Apple's case, its Transparency Report from November 2013 (which is available here in .pdf form, but only covers the first half of 2013) included this potential warrant canary statement: “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.”
What does that mean? Section 215 says that the FBI can order any person or organization/entity to hand over “any tangible things,” provided the FBI says it is “for an authorized investigation . . . to protect against international terrorism or clandestine intelligence activities.”
However, as the ACLU points out in its call to reform the Patriot Act, Section 215 goes far beyond standard constitutional limits on how the government is allowed to perform investigations:
The FBI need not show probable cause, nor even reasonable grounds to believe, that the person whose records it seeks is engaged in criminal activity.
The FBI need not have any suspicion that the subject of the investigation is a foreign power or agent of a foreign power.
The FBI can investigate United States persons based in part on their exercise of First Amendment rights, and it can investigate non-United States persons based solely on their exercise of First Amendment rights. For example, the FBI could spy on a person because they don't like the books she reads, or because they don't like the web sites she visits. They could spy on her because she wrote a letter to the editor that criticized government policy.
Another part of Section 215 — the part that makes “warrant canaries” a necessity in modern-day America – specifies that “Those served with Section 215 orders are prohibited from disclosing the fact to anyone else. Those who are the subjects of the surveillance are never notified that their privacy has been compromised. If the government had been keeping track of what books a person had been reading, or what web sites she had been visiting, the person would never know.”
Timeline
So let's recap what we know so far: in November 2013, Apple decided to release a Transparency Report for the first time, covering all activities through end-of-June that year, and including a statement which might be interpreted as a warrant canary, especially since (as Gigoam announced on Sept. 18), the canary does not appear in Apple's next two Transparency Reports.
If you believe that the statement “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us,” which appeared only in the first of three Transparency Reports, was indeed put there as a warrant canary, that strongly suggests a behind-the-scenes timetable something like this:
January 1 through June 30, 2013: Apple was not forced to comply with any Section 215 orders.
Sometime between July and November 2013: Apple got a Section 215 order and was forced to comply, meaning it not only had to turn over sensitive customer data to the government with no regard for warrants, probable cause or other constitutional niceties, Apple was also legally forbidden from telling anybody about this.
Early November 2013: Determined to let people know something's going on yet forbidden to outright say so, Apple released its first Transparency Report including the warrant canary, announcing it had no Section 215 orders as of June 30, 2013 — knowing full well that the canary's absence from its second Transparency Report would strongly imply that Apple did receive such an order shortly afterwards.
Missing canary
Gigoam's discovery of the warrant canary missing from Apple's latest two reports is not the only discouraging bit of Apple-related privacy news to come out this week. On Sept. 17, when Apple updated its privacy policy, it boasted that any data stored on a mobile device with the iOS8 operating system was so secure, even the police and Apple itself couldn't access it unless they know your own personal, secret password.
More specifically, Apple said, “it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”
Of course, “technically” can cover a lot of ground – after all, the Patriot Act including the whole need for warrant canaries is, many would argue, technically unconstitutional and therefore can't happen in America, yet current legal reality does not reflect this at all.
And so, on the same day that Gigoam.com first noted the possible death of Apple's warrant canary, Wired's Threat Level security blog found the technicality, noting that “Despite Apple's privacy pledge, cops can still pull data off a locked iPhone”:
iOS forensics expert Jonathan Zdziarski offered a word of caution for the millions of users clamoring to pre-order the iPhone 6 and upgrade to iOS 8. In many cases, he points out, the cops can still grab and offload sensitive data from your locked iPhone without Apple’s help, even in iOS 8. All they need, he says, is your powered-on phone and access to a computer you’ve previously used to move data onto and off of it.
Such claims might sound like a paranoid conspiracy theory, but under modern U.S. law – specifically the Patriot Act – they are all-too-plausible. ...