iMessage Contact Lookups Are Stored by Apple for 30 Days

Sam Biddle, writing for The Intercept:

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,” orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

It shouldn’t be surprising that Messages does a lookup on each phone number and email address you attempt to send an iMessage to. If there wasn’t some sort of directory lookup, how would the messages get routed? Here’s Apple’s own description, from their iOS Security Guide (page 41):

Users start a new iMessage conversation by entering an address or name. If they enter a phone number or email address, the device contacts the IDS to retrieve the public keys and APNs addresses for all of the devices associated with the addressee. If the user enters a name, the device first utilizes the user’s Contacts app to gather the phone numbers and email addresses associated with that name, then gets the public keys and APNs addresses from the IDS.

IDS is Apple’s directory service. What’s unclear is why Apple is keeping a log of these lookups for 30 days. Biddle’s article, and the leaked law enforcement document upon which his reporting is based, only mentions phone numbers, but I think it’s almost certainly the case that the same information is logged for email address Apple IDs. Also worth pointing out: these logs don’t even indicate whether the sender ever communicated with the receiver — only that they looked up that phone number or email address in Messages. You know when you type a phone number in the To: field in Messages and it turns from green to blue? That’s the lookup that gets logged.

Maybe I’m missing something but it seems like Apple would be better off flushing these logs at much shorter intervals. The only reason I can think of to log them is for fraud detection — to aid in identifying bad players who are attempting to spam a list of Apple IDs. There must be a better way to do that.

Update: This didn’t occur to me yesterday, but a few readers have suggested that these 30-day logs could be useful when investigating claims of abuse.

Wednesday, 28 September 2016