Apple Discloses Law Enforcement Requests For Cloud Data


Law enforcement has made as many as 5,000 requests for data about Apple customers since Dec. 1, according to a disclosure Apple issued Monday.

"We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order," Apple said in a statement in response to questions from news organizations about its cooperation with the government's Prism program.

Apple received between 4,000 and 5,000 requests from U.S. law enforcement for customer data from Dec. 1, 2012, to May 31, 2013, Apple said. The requests impacted as many as 10,000 devices or Apple accounts.

[Related: The 9 Most Dangerous Cloud Security Threats]

"The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer's disease, or hoping to prevent a suicide," Apple said.

Apple said it released the data in the interest of transparency. Apple joined Google and Microsoft, which each released reports outlining law enforcement requests for cloud-based customer data. In some cases, the firms receive National Security Letters (NSLs) from the FBI and other agencies authorized to issue demands for user data. NSLs prevent the technology giants from revealing the requests to the public or to the individual or entity being targeted by the request.

Apple did not indicate how many NSLs it received. Microsoft said it was given 1,000 NSLs in 2012, forcing it to provide "the name, address, length of service, and local and long distance toll billing records" of users of its services. Google said it granted access to up to 2,000 user accounts when government investigators issued a National Security Letter.

The Apple legal team evaluates each request and delivers "the narrowest possible set of information to the authorities," Apple said.

"Certain categories" of information are not retained, according to Apple. For example, the company said two-way conversations placed over Apple's iMessage and FaceTime applications are protected by encryption and unavailable to Apple or law enforcement. Location data, map searches and Siri requests also won't identify customers, the company said.

In updated statistics released by Microsoft last week, the software giant said requests from law enforcement in the last six months of 2012 impacted between 31,000 and 32,000 Microsoft consumer accounts. Facebook issued a similar statement last week, indicated that it granted requests to law enforcement providing data on approximately 18,000 to 19,000 accounts for the six months ending Dec. 31, 2012.

Requests often run the gamut from information sought by local law enforcement about a missing person to state prosecutors investigating whether to press charges on an individual.

People often misunderstand the role of law enforcement in cybersecurity, said Shane Shook, chief knowledge officer and global vice president of consulting at San Francisco-based security vendor Cylance. Google, Facebook, Microsoft and other companies are encouraging the government to communicate more about what they collect and how it is being collected, Shook said. The private sector can assume a level of risk to specific threats, while the government can't afford any risk tolerance, especially to terrorism, Shook said.

"People often don't appreciate that the infrastructure is largely shared in the cybercriminal underground and provided as managed access platforms," Shook said.

PUBLISHED JUNE 17, 2013