Apple has said time and again that its Messages app (formerly iMessage) – which allows iOS users to send SMS and encrypted messages to their contacts – is more secure than other tools, to the point that the company couldn’t comply with wiretap orders from law enforcement even if it wanted to.
It turns out that’s not entirely true: The Intercept has secured a document from the Florida Department of Law Enforcement’s Electronic Surveillance Support Team that details how Messages stores metadata about every phone number you try to contact through the app, and how police can get their hands on that data by filing a request.
Here’s how it works: When you enter a number into Messages on your iPhone, the app pings Apple servers to figure out whether it should send your message over SMS or over the company’s encrypted service (if the recipient also uses Messages).
Apple records those queries, in addition to the date and time when you entered that number, as well as your IP address – which could be used to determine your approximate location. The company is compelled to hand over these logs when served with court orders in connection with investigations.
Apple confirmed the collection of metadata in a statement to The Intercept:
“When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession. Because iMessage is encrypted end-to-end, we do not have access to the contents of those communications. In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations or prove that any communication actually took place.”
It’s worth noting that Apple only stores these logs for 30 days; however, it’s possible that law enforcement agencies could secure multiple logs and string them together to come up with a record of association with your contacts.
Sure, the app doesn’t collect your message contents, but Apple hasn’t been entirely transparent about how private its messaging service really is, while vehemently claiming that Messages leaves no trace of your communications. It isn’t clear why the company needs to store this data; doing so only seems to make it a point of investigation for law enforcement and undermines the promise of privacy in Messages.
Ultimately, this revelation proves that few communication tools can operate beyond the reach of the long arm of the law. So which service can you trust for truly secure messaging? Messages is now out of the running, and whistleblower Edward Snowden warned the internet about Google’s Allo. Perhaps you’d be better off using his weapon of choice – Signal.