updated 03:00 am EDT, Thu May 8, 2014
Email can be intercepted, but iMessage and FaceTime are off-limits
In line with its repeatedly stated desire to be more transparent about when, how often and how it is legally required to handle customer data, Apple on Wednesday posted a set of guidelines on how US authorities can ask Apple for data from and about its users. The document articulates what is required to obtain Apple assistance in collecting information, and what information is and isn't available.
The document says it is "provided for use by law enforcement or other government entities in the US when seeking information from Apple Inc. ("Apple") about users of Apple's products and services, or from Apple devices," and notes that the company will "update these guidelines as necessary." The guidelines published today do not apply to US agencies that are seeking information outside the US from Apple's international subsidiaries.
The document, titled "Legal Process Guidelines -- US Law Enforcement," notes that some basic data (such as device registration information and iTunes purchase history) can be obtained through a "subpoena or higher legal process," with the former being fairly easy for authorities to get, particularly when going through the secret US FISA court system.
More detailed data, such as personal data from iCloud or Find My iPhone, requires search warrants or court orders -- meaning authorities must convince a judge of a reasonable suspicion in documented hearings, and be granted permission to search for specific data. Apple requires a search warrant before it will perform an extraction of data from a user's device (running iOS 4 or later and in "good working order") now in the hands of law enforcement, but will only extract unencrypted and limited forms of user-generated data, such as SMS messages, photos, call histories, contacts, videos and audio files that are not protected by a passcode. Extraction must take place at Apple's headquarters in Cupertino, California.
The company says it will not provide email, calendar entries, or any data from third-party applications. It can intercept email messages in some cases, but not the encrypted peer-to-peer iMessage and FaceTime protocols. It will assist agencies in returning lost iPhones to owners by contacting the owner of record and arranging for them to get the device back from the recovering law enforcement agency. There is, however, an "emergency disclosure form" that can be used for situations that involve "imminent danger of death or serious physical injury to any person" which requires disclosure without delay.