Over the past couple of months there has been mounting evidence of an issue with Apple’s iMessage service that causes messages to continue being sent to a stolen device even after its SIM has been deactivated. Now, we have received information that, at least in one case, Apple is compensating a victim for this privacy breach. Updates below.
The account that we have been told was verified by means of extensive email communications between the customer and Apple, including technical support staff and Apple’s internal privacy team.
Blockchain and cryptocurrency news minus the bullshit.
Visit Hard Fork.
We should note up front that there have been a couple of prominent stories about iMessage issues in the press recently. One of the most recent was this account from Gizmodo, which ended up being a fairly clear-cut case of a ‘perfect storm’ of circumstances causing the problem. Apple responded to that problem and we’re convinced that the issue here is not of the same nature.
Another story, however, from Ars Technica, focuses on how difficult it is to stop a stolen iPhone or other device from receiving iMessages. We feel that the issues experienced by this customer, as well as that account and numerous postings on Apple’s support forums and other site forums like MacRumors’ indicate a clear problem with the iMessage system that currently requires direct intervention from Apple to fix.
A stolen iPhone continues to receive iMessages
Apple customer K had her iPhone stolen on November 13 of last year, an unfortunate occurrence, but obviously not one that Apple can be held in any kind of responsibility for. K did not immediately wipe her phone with Find My iPhone, though she had the service activated. Instead, she called the police and directed them to the location indicated on the service’s map.
Unfortunately, the police were unable to locate the device and it disappeared from the map soon thereafter. So, the very next morning after the device was stolen, K had her SIM card deactivated, as is prudent in most of these situations.
However, her friends then began to tell her that they were sending her iMessages and not getting responses, even though the status was marked as ‘delivered’. This was an indication that the messages were still going to the remote device, a suspicion that was confirmed for her by Apple’s support team when she subsequently called them.
K, as a former IT worker in the privacy field, was obviously disconcerted by the issue and hoped to have it cleared up quickly.
Troubleshooting the issues
Apple immediately began to walk her through several options designed to deactivate the sending of iMessages to her stolen phone. K mentioned to us that the support technician she worked with was courteous and extremely helpful.
Apple suggested a variety of solutions in order to stop the messages being routed to the other device. Among these were having her reset her Apple ID password and even going into a local Apple Store to have her insert her new SIM into one of its devices in order to try to control the flow of the messages, as she had no other iDevice with which to do so. K followed these instructions but it did not fix the issue.
Apple also recommended that she contact every person in her contact list, ask them if they use an iPhone and, if so, tell them to stop iMessaging her. K felt that this was a bit unreasonable, not to mention nearly impossible as she did not have the contact information for everyone that may have an iPhone and her iMessage ID.
None of these procedures worked and the issues continued until December 27th, when Apple was finally able to remotely push ‘code’ out to the customer’s iPhone in order to make the problem stop. This was a result of an Apple Engineering Team weighing in on how to solve the issue.
Due to her experience in the field, K was able to use careful wording such as “please respond if you don’t agree” in order to force a proactive response, although she mentions that Apple continuously tried to smooth over the issue and end the discussion.
Compensation for trouble
Once K got to the end of the technical procedures portion, she was informed that she would have to contact Apple’s legal team in order to pursue the issue further. She felt that she wasn’t happy with how long the issue had taken to get solved, with messages being sent to her stolen device the entire time, so she did.
Initially Apple balked at any sort of compensation as it said it was not in the habit of replacing stolen iPhones, which is completely reasonable. But K pointed out that any compensation would not for the loss of her iPhone, but for her breach of privacy due to the iMessage bug causing continued re-routing of messages sent to her.
After a discussion with the Apple legal department, conducted by phone, K was offered an iPod touch as compensation for her trouble. We have viewed the AppleCare product order for that iPod touch referencing the case ID of the issue.
K mentioned to us that, although the technician was very helpful during the troubleshooting phase of the issue, she was unsatisfied with the iPod touch as compensation. Apple said that it would at least give her a device with which to receive iMessages again.
An obvious issue
At this point it seems hard to ignore that there is a specific and obvious issue with how iOS devices are de-registered for the reception of iMessages. When a device is stolen, there is an obvious security issue with messages continuing to be delivered to it, there is nothing Apple can do about that, nor should it be held responsible for stolen iPhones.
However, when all of the recommended procedures for causing the issue to stop fail, there is clearly an issue beyond a user’s ability to fix. To recap, disabling the stolen SIM, changing the Apple ID password and registering a new device as the iMessage recipient were not enough.
There have been some suggestions elsewhere that deleting an entire Apple ID and starting over might be enough, but that’s laughably inconvenient. During the snafu about iMessages last week it was suggested by Apple that users needed to toggle iMessage off and back on to re-register it, but this is impossible without another device and the issue above makes it evident that it’s not always that clear-cut.
Having to have Apple intervene to stop the messages being sent isn’t always an option and, frankly, shouldn’t have to be. Apple shouldn’t be held responsible for compensating users for stolen devices, but it should be held responsible for providing clear documentation about how iMessage issues like this can be resolved, without some mysterious procedure only Apple can perform.
Until it does so, you can expect to continue to see articles like this and the ones that came before it about stolen iPhones and iMessage.
We have reached out to Apple for a comment on the story and will update this post if we receive one.
Update: Some clarifications, as we’ve seen some reader response to this article. The customer was not offered, nor did they obtain, any monetary compensation. We have witheld her name for privacy, not because Apple requested or obtained any legal agreements to keep quiet.
How Apple was able to accomplish ‘pushing code’ to the device, which was unable to be located on Find My iPhone is unclear, perhaps it was handled on its own iMessage servers, rather than the device itself. This seems to be the likeliest scenario.