Are Apple’s iMessage and FaceTime really secure from U.S. government’s prying eyes?

“To distance itself from allegations of collaborating with the secret surveillance program PRISM, Apple issued a statement on Sunday night that denies it granted the National Security Agency direct access to its servers,” Lorenzo Franceschi-Bicchierai reports for Mashable. “The company went one step further: Apple claimed it couldn’t turn over certain data to the U.S. government, even if it wanted to. ‘Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them,’ the statement reads. ‘Apple cannot decrypt that data.'”

“If this is true, are iMessages beyond the grasp of the NSA and the FBI?” Franceschi-Bicchierai asks. “‘What Apple is saying is true,’ a former Apple employee familiar with the iMessage encryption told Mashable. The employee agreed to talk on the promise of anonymity, since he is bound by a non-disclosure agreement preventing him from discussing details of his job at Apple. The former Apple employee said that a set of cryptographic keys — similar to a password used to scramble messages — is created and stored on each device. Those keys ‘never leave [the device] under any circumstances,’ he said.”

Franceschi-Bicchierai reports, “Despite these claims, however, security and cryptography experts still aren’t convinced. In fact, as the former Apple employee himself admitted, the set of cryptographic keys only rules out the possibility of real-time interception. They don’t prevent Apple from accessing the iMessages and turning them over at a later time to the NSA, DEA or other law enforcement agency.”


54 Comments

    1. The current concept is ‘TNO’, Trust No One, coined by security expert Steve Gibson. Encrypt everything whereby the only access is through you.

      iCloud encrypts nothing.

      What I do with the stuff I consider critical is to place it into an AES 256-bit Sparse Bundle disk image that I then backup to DropBox (which itself also encrypts nothing). Only I know the disk image’s nasty ass password. Only I can open it. It’s private. FU if you want to crack into it. That is what it takes to maintain private data today.

      There are some end-to-end encryption cloud services that work reasonably well with Macs. These services include SpiderOak and Arq.

      https://spideroak.com

      http://www.haystacksoftware.com/arq/

  1. If Apple is keeping all of those encrypted messages and FaceTime data, they would need an even more ridiculous giant data center. Too much data for any type of long term storage.
    Then whoever wanted to use the data would have to decipher it to figure out the encryption key from each of the two devices. This would require massive computing power to do in any short amount of time. There is no way they are doing this for every message.

    1. Have you calculated the potential size all this data would occupy? I’m curious how you’ve reached this conclusion. If I can buy a 4TB hard drive that I can hold in the palm of my hand, why can’t Apple have thousands and thousands of cubic feet filled with storage devices? Seems to me that they (and the NSA) can potentially store all data generated – for the foreseeable future.

        1. Really? Every second of every FaceTime? Every iMessage including image data? All encrypted using 128 bit encryption and limited compression?
          How many iPhone users are there in the world, all running this data through the Apple servers? How much data is that over the last couple of years? How much more will be generated over the next few years?

          Flickr offering 1TB to each user is a joke. They know that their average account won’t get close. Plus I’m willing to bet that 1TB is a pre-compressed number.

          Montex – The handheld drive you are talking about is not a server-class solution. Yes, massive amounts of data can be stored in data centers but you can not base the density of that data based on a handheld drive. Drives require servers; servers require cooling, power management and redundancy. Racks of servers and RAIDS require space between them for cord management, air flow and servicing.

  2. a set of cryptographic keys — similar to a password used to scramble messages — is created and stored on each device. Those keys ‘never leave [the device] under any circumstances’

    Apple did point out that they have the metadata regarding such transactions and that can go to the feds. But that is all.

    This key exchange system of encryption is defined as foolproof and unbreakable. The attacks and the hardware used for attacks grow more formidable by the day. But current state-of-the-art encryption is unbreakable using any human meaningful period of time.

    Could there be back doors? Yes. But are there back doors? Incredibly unlikely. You’d have to study encryption to understand why.

    The weakest part of any encryption system is the access password. Keep that in mind. The longer and more diabolical a password, the better.

    1. Any time anyone claims something is unbreakable, foolproof, unsinkable, etc., I perk my ears up and realize they’re wrong. Nothing is unbreakable or foolproof.

      Now, it may be that the time to break it makes breaking the encryption completely unrealistic and useless, which is almost as good. But nothing is unbreakable.

  3. The NSA is recording every email, every text, every jpg and everything you do with a computer. Anyone who doesn’t understand this is nieve. And one day in the future, all that data will be used against us. This is what Osama has done to us – and he made us do it to ourselves.

    1. Spelling Police: The correct spelling is ‘Naive’.

      Also, History Police: The unconstitutional surveillance of US citizens within the USA began under the rule of the Neo-Conservatives by way of the George W. Bush administration.

      Obama modified that criminal system to be slightly less criminal but criminal it remains.

      There is no such thing as a legal court warrant for blanket surveillance of US citizens within the USA. All such warrants are unconstitutional. It really is that simple. Obama is, as I witnessed recently in his interview with Charlie Rose, desperately trying to skirt around this fact in his public discourse. And yet this fact does not change. Blanket surveillance of US citizens within the USA remains the crux of illegality in this matter. It has been proven to be real. It has to END or the USA ends.

      1. Yes, I misspelled ‘naive’ (on my iphone), but please go back and reread my post. Clearly, it states “Osama”, not “Obama”.

        And let’s be honest, the intelligence bureaucracies operate above the law. Go and quote the 4th Amendment all you want, but the reality is that neither you nor I nor anyone else knows exactly what the NSA is doing. It’s all a secret, “National Security”, which is a license to spy on us all, citizen or not.

        1. Osama! I am so used to MDN being a rat’s nest of political ignorance that I assumed Obama. My apologies. At least I got to toss in some useful history.

          Yes, in a very real way, the terrorists won. We now live in a society ruled by FUD, which is one of the points of terrorism.

          I entirely agree with you about the intelligence services of the US government. Their history of illegal behavior in the world is long and bloody. Simple example: They PUT Saddam Hussein into power in Iraq. The Neo-Con invented Iraq war was retribution for Saddam cutting the strings of his puppeteers. Then there are the REAL events of 9/11, which I will merely point out have something to do with the facts you’ll learn here, no lunatic theories required:

          http://AETruth.org

          1. It’s that evil Booooosh!

            Please. The Bush WH was being scrupulously observed by both the legacy media outlets and by the bureaucracy (which is always anti-Republican) during his entire tenure. This is why even LEGAL wiretaps between domestic and international numbers were made public by leakers and became a big deal every time it was tried.

            There is zero evidence that Bush was doing domestic to domestic wiretapping or even metadata gathering to be used against his enemies. That WOULD be illegal and no constitutionalist such as myself would have approved of such behavior.

            Meanwhile, we know that, through his minions, Obama used the IRS against his enemies. He is also using Interior and the EPA in the same way. Is there any liberal reading this who can honestly say that Obama would NOT use the NSA against his enemies when we already know that he uses his other levers of power against them? Is that where he draws the line? I don’t want ANY president with that much power be he a moderate like Bush or a hard Leftie like Obama.

            Does Obama say, “Use the IRS against the TEA Party but it would be wrong to use the NSA against them”. Sorry, not buying that.

            And before you attempt a counter-claim about Bush, let me remind you that he had very few fellow travelers in the bureaucracy so he had no one to go out and “rid him of his turbulent priest.” Even his IRS chief was a Democrat contributor (which is just a stupid appointment – but that was the way Bush chose to operate), so the IRS under Bush was NEVER going to be used against left wing groups like it is now under Obama.

            1. Typical is Derek’s knee jerk or just jerk ‘blame Bush’ response, naturally not noting that many dems voted for the patriot act, that it had no evidence of being used on citizens and had a sunset attached to it which magically disappeared. Beetlebrox is right on the money. You can always tell a libtard by their blind contempt of the constitution, amendments. Notice that for the most part amendment gave a private citizen MORE liberties. More rights. Dems /libtards always seek to limit those rights. Usually bastardizing others rights and traditions in the false name of fairness, like gay ‘Marriage’. Obama is trashing the first, second, fourth amendments, more? How anyone can defend the guy is beyond me.

            2. Are you sure you don’t want to become a professional comedian? But it might be useful for you to bother reading what people write before responding to them. Your fictional summary of my point of view is a total FAIL. Darn!

      2. History lesson: J. Edgar Hoover performed unconstitutional surveillance of US citizens waaaaaay before George W. Bush, and it was done under many different administrations.

        Let’s not fool ourselves into thinking surveillance is something new by either W. or Obama — the government has been seeking ways to collect data for decades, and it is simply made easier with smartphones, powerful computers, and cheap and massive data storage facilities.

    2. There is a difference between recording and looking at. They do not record every piece of data, nobody can, but they can have computers looking for key words and phrases in unencrypted data. Then, IF a flag is thrown by the inspection software it can trigger a copy of the message/email/data to be reviewed or simply stored.

      Really, nobody cares how cute your cat is, not even the person you are sending the picture to.

  4. No data is secure with our Spy Industrial Complex and with our government for sale. CEOs have share holder obligation to accept billion dollar deals which require giving the hen house to the fox. The military industrial complex that President Eisenhower warned against has killed and maimed so many for decades, and now this new complex is set to bribe or extort anyone of influence that stands in its way of grabbing possibly unlimited power. The fix is to replace all judges appointed in the last two administrations and all of Congress. Also, take money out of elections, strip legalese from laws and contracts (so that Big Money can’t trick us), give teeth to regulatory agencies and end US involvement in all wars.

      1. I would add that we come up with a single tax rate that has no deductions/loopholes so the gov can’t use it to unfairly pit one group of citizens against another.

        1. Totally agree. But our Corporate Oligarchy, despite their BS to the contrary, actually LIKE having mangled the tax code in their favor. If tax codes were dead simple and were forced to stay that way, that would kill off their ability to influence it.

          So let’s kill off Corporate Oligarchy influence/rule of our federal government. Kick them out of the picture and we’re more likely to fix the totally fuxed up tax code.

      1. So roll over and give in.

        Weren’t we just having a rant war here at MDN about the perception of Tim Cook rolling over for the criminal fed surveillance ‘requests’?

        LIVE FREE OR DIE.

        But by all means die, if that is your personal choice.

    1. Wow, that’s a lot of uninformed words. You think money has been influencing politics only since Eisenhower? That bribery and extortion are 20th century inventions?

      Replacing judges won’t get you anywhere. Most judges are good people who try to apply the law to the facts presented to them. The problem is the law as passed by Congress or other legislatures, not the judges.

      It is absolutely impossible to remove money from elections. You have to pay people to work for a campaign, you have to pay money for advertising (both production and airtime), you have to pay for mail piece and postage, etc. etc. Even if you wanted to limit big donors, campaigns still need money. Think about how many local elections you vote in where you didn’t even know the local Water Board had five people running for two spots, let alone who they were or what they do.

      1. You must be a lawyer because you’ve completely distorted my message. As for your first paragraph which attempts to discredit me, I was not suggesting the nonsense you asked. Secondly, I think judges are appointed to favor a certain point of view, as in “look the other way with regard to government grabs of power” — these judges have got to go. Finally, not impossible -> a new Congress simply has to remove Court jurisdiction over financing election campaigns, which would clear the way for publicly financed campaigns (http://truth-out.org/news/item/6089:constitutional-amendment-not-needed-congress-already-has-a-remedy). Publicly financed campaigns are already working in Arizona, Maine, Massachusetts, and Vermont.

  5. ya know,

    i should imagine that any “professional” terrorist organization worthy of the name most likely already has access to, and takes advantage of, encrypted communication technology. starting with commercially available PGP and likely much more sophisticated capabilities that foreign government intelligence agencies unenthused about american foreign policy covertly make available to them.

    so what does that leave ? dolt level, home grown “shoe bombers” and others of that ilk – and – ordinary american citizens, who are having their communications hoovered up wholesale by our wonderful government – for our safety, of course.

    maybe it is time for mr. apple and other tech companies to readily give us the capability to make all of our on-line communications encrypted.

    this big brother business is getting out of hand. what a betrayal of the values and freedoms that my father and the rest of his generation fought for between 1941 and 1945.

    time to ask ourselves – who are we becoming and where are we heading?

  6. From “Apple’s Commitment to Customer Privacy”:

    “conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests IN ANY IDENTIFIABLE FORM.” (My emphasis added.)

    The way I interpret the statement above, particularly the final four words, is that Apple ANONYMIZES the data. You, the user, are DE-IDENTIFIED, so that any link between your identity and the location, search specifics or Siri requests cannot be linked to you. This is standard procedure for responsible and forward-thinking companies.

    While it may be possible that a government agency such as the NSA, with its tremendous resources, could potentially crack the encryption related to iChat/iMessage conversations, it would take a significant degree of computing power to do so. In an age when we are just starting to see the early emergence of quantum computing, it’s not to say that such technology could not crack deep encryption more easily. However, quantum computing can be used in both directions, and promises to generate encryption keys that would be orders of magnitude more complex to crack.

    I’ve basically given up on Mashable. Their postings tend to be amateurish and worse, pandering to the point of being click whores. The suggestion of this article is that Apple is either incompetent or worse, complicit, all to get more eyeballs to their crappy website.

    Don’t buy into this junk. Mashable is using fear to generate readership.

    1. And how exactly could anyone confirm that Apple is not recording iMessage and FaceTime data for their use and the NSA’s? I guess we’ll have to just take their word for it. It’s not like any corporation in history has used private data for their own profit driven motives.

      1. *NOISE*

        Apple can record iMessage and FaceTime data all they like. So can the NSA. BUT, if that data uses end-to-end encryption with keys only in the hands of the senders and receivers, AND that encryption is real, no one is going to be cracking into that data. No one.

        But then again, how do we ever know who to believe in this current Age of Marketing?

      2. I understand not wanting to take anyone’s word, however in Apple’s case you also have their behavior to corroborate their word. They are very interested in the device, they have not yet acted like data miners. Google and others make their money in the data they mine about you. So they keep every email, every text, everything! Apple is not into the data mining, but the device and all the software that makes the ecosystem. This helps me feel better about their claims.

      3. Ask yourself this: if a publicly-held corporation goes on the record and states visibly on its website that the statement I mentioned in my previous post is actually a bald-faced lie as you infer with your comment, what do you think the liabilities would be?

        Please.

      4. Apple responded very early on in the initial uproar about storing location data to prove that it did not store a user’s unique device ID or other identifiable characteristic, and then updated its iOS devices to further ensure that no identifiable data was even sent to Apple.

        Apple (and I’m sure other mobile device makers) do receive information about GPS location, WiFi usage, etc. to help improve their products. Plus, many apps use that information.

        The fact is, if you want to be untrackable, go live in the Amazon or something. If you want to live in today’s modern, internet-connected society, there’s no way you aren’t going to be recorded, tracked, or otherwise findable.

    2. I don’t understand the ad hominem attack on Mashable, a site I’d never heard of or visited. It just seems extremely likely to me that a government agency whose job it is to spy would be quite aggressive in getting their hands on all the data they could. Information is power, and power corrupts. We have the 4th Amendment on our side as citizens, but when all of this spy activity is kept secret as a matter of “national security” there is no way for any of us to verify that we are not being the subject of an unwarranted search and seizure. And I simply don’t trust the Spooks™ when they say they are not recording every move I make online.

      1. Any law enforcement agency is going to push the boundaries of what they believe they can lawfully do in order to do their jobs. The vast majority of people working for the NSA, CIA, FBI, or local law enforcement are doing so because they want to make our country a safer place; they want to catch the bad guys.

        The Constitution was purposely designed as a limited grant of power to the federal government so that things like this can be kept in check. Because when government and law enforcement can intrude on our lives and get into areas which they should not be getting (at least without probable cause), then they need to be stopped. Too lax of monitoring of these agencies leads to blurred lines and eventually abuses of power and innocent people being convicted of crimes.

        While it is a legal argument whether the NSA had authority from Congress to collect this data, the important part for us as citizens to pay attention to is why they need such data, what is being done with it, and is it going too far?
