How Much of Your Data can Apple Hand to Law Enforcement?

We are all aware (or at least we should be) that our telecom providers are handing over our data to the police when necessary. Well, have you ever wondered just how much and what it takes to get that data? Apple posted their new guidelines describing what data the company can provide to law enforcement and the processes for requesting that data.

The document breaks it down into two basic types of data: information stored on Apple’s servers and information stored locally on iOS devices.  I have outlined the kinds of data and how they can be obtained in a chart below.

Essentially anything you’ve backed up to or stored on iCloud is available for Apple to provide to law enforcement, including connection logs and IP addresses you’ve used. Additionally a lot of the data associated with your Apple ID is available as well. Therefore, any information you’re providing Apple is available for them to pass along. This is something to consider when deciding if or what to back up on iCloud.  You may want to avoid backing up sensitive company data or private information on iCloud. Some information cannot be avoided, such as anything associated with your Apple ID.

Can they access data on my iOS device???

Yes. Apple can bypass security passcodes on our iOS devices to extract “certain categories of active data,” though it apparently cannot bypass that protection entirely. If provided with a valid search warrant, Apple can hand over SMS messages, pictures and videos, contacts, audio recordings, and your phone’s call history, but it can’t access e-mails, calendar entries, or information from third-party applications. Devices must be running iOS 4 or newer, must be “in good working order,” and must be provided directly to Apple’s headquarters along with an external storage drive twice the size of the iOS device’s internal storage.

Will I know if this is happening?

Maybe. The guidelines state that Apple will “notify its customers when their personal information is being sought in response to legal process except where providing notice is prohibited by the legal process itself.” Apple will also avoid notifying users if the company “believes that providing notice could create a risk of injury or death to an identifiable individual or group of individuals or in situations where the case relates to child endangerment,” though this is entirely up to Apple and not to the law enforcement agencies involved. This notification requirement will help prevent random and unfounded searches.

What is missing?

The policies and capabilities surrounding iCloud Keychain, iMessages and FaceTime calls are unclear and disputed. Apple claims iMessage & FaceTime are encrypted, but there is some speculation otherwise.

Is this unusual?

No, other tech companies have similar policies. For example, Google provides a similar “Transparency Report” outlining the types of data available to law enforcement. The notification policy is new, and several other tech giants, including Facebook and Microsoft, have already indicated that they plan to expand their policies on notifying customers whose data has been requested by law enforcement.

 

Where is the Data? Information stored on Apple Servers

Type of Data: Data Associated with your Apple ID
Means to Obtain Data: obtainable with a subpoena or greater legal process

  • contact information
  • customer service records
  • transaction history both in store & online
  • iTunes gift card information

Type of Data: Data Associated with your iCloud Account
Restrictions: Any iCloud information that the user deletes cannot be accessed.

  • connection logs & IP address used
  • 60 days of iCloud mail logs that “include records of incoming and outgoing communications such as time, date, sender e-mail addresses, and recipient e-mail addresses” (e-mail logs require a court order or search warrant)
  • any e-mail messages that the user has not deleted (requires a search warrant)
  • any other information that can be backed up to iCloud – As of this writing, this list includes contacts, calendars, browser bookmarks, Photo Stream photos, anything that uses the “documents and data” feature (which can include not just word processors but also photo and video apps, games, and data from other applications), and full device backups

Where is the Data? Information stored locally on iOS devices

Means to Obtain Data: requires a search warrant
Restrictions: Devices must be running iOS 4 or newer, must be “in good working order,” and must be provided directly to Apple’s headquarters along with an external storage drive twice the size of the iOS device’s internal storage. Cannot access e-mails, calendar entries, or information from third-party applications.

  • SMS messages
  • pictures and videos
  • contacts
  • audio recordings
  • phone’s call history

US to Relinquish Control of the Internet?

On Friday, the U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) announced it is giving up control of a system that directs Internet traffic and Web addresses. As a result, the Internet Corporation for Assigned Names and Numbers (ICANN), the nonprofit organization charged with managing the Internet, is tasked to convene global stakeholders to develop a proposal to transition the current role played by NTIA in the coordination of the Internet’s domain name system (DNS). This announcement came as a surprise to many, but a coalition of nations has been calling for the US to relinquish control of the Internet for at least the last nine months. Politically this takes the US out of the line of fire, but practically, what does this do for the culture of the Internet?

Why is this important to you? Because it may change the Internet as you know it….

What exactly was the US Doing?

NTIA is the Executive Branch agency that advises the President on telecommunications and information policy issues. NTIA’s programs and policymaking focus largely on expanding broadband Internet access and adoption in America. NTIA controls the DNS, which essentially converts the web addresses (URLs) we type into the search bar into the correct IP addresses to retrieve the websites we requested. Whether you are accessing a Web site or sending e-mail, your computer uses DNS to look up the domain name you’re trying to access. This system is essential to the functionality and security of the Internet.

If not the US, then who?
This contract to control DNS has allowed the U.S. government to exert what some claim is too much influence over the Internet, a technology that plays such a pivotal role in society and the economy. So if not the US, then who will the world feel comfortable with wielding that power and influence?

There’s a meeting, ICANN 49, March 23 in Singapore and the future of the Internet is at the top of the agenda.

According to Lawrence Strickling, assistant secretary at the Commerce Department, “[The department] will not accept a proposal that replaces the NTIA’s role with a government-led or intergovernmental solution.” Does that leave ICANN or a similar organization to maintain the DNS?

Why should you care?
Because this could mean a very different Internet…

While companies like Verizon applaud the move, ITIF and other organizations have argued before that U.S. government oversight has played an essential role in maintaining the security, stability, and openness of the Internet and in ensuring that ICANN satisfies its responsibilities in effectively managing the Internet’s DNS. Without the U.S. government’s presence, some lawmakers and members of the tech industry have expressed concern that relinquishing control of IANA will open up the Internet to threats from other governments that seek to censor it. This could mean a very different Internet.

Are their concerns justified? No one really knows right now but what we can surmise is that the Internet is in for some changes in the years to follow the change of control. Many countries have dealt with privacy and censorship in ways different from that of the US. How will ICANN deal with these conflicting views democratically and ensure Internet users from all economies and sovereign nations will be represented and heard? Will the standards of openness and free flow of information embraced today remain the baseline? Does the “global multistakeholder community” NTIA is referring to exist? What is the legal jurisdiction for both ICANN and this new multistakeholder body?

There are no answers to these questions because so little is known about what’s to come. I look forward to the information and ideas that flow from the ICANN meeting next week. These questions need to be among those at the top of the list.

Social Media: Personal Expression or Supplement to Your Resume?

Can you imagine your employer or potential employer looking at those Facebook pictures you posted from last weekend’s night out with the girls…. Not a pleasant thought, right? You are not the only person upset or even outraged by the thought of employers and potential employers attempting to “learn more about you” by requesting social media passwords and sifting through your content.

New technology always brings new legal hurdles, and protecting the privacy of employees who use social media is one such legal hurdle. When this phenomenon began, employees and potential employees were unaware of whether this violated their rights and divulged the information. Whether or not this made a difference in their employment status, this intrusion into their privacy is absolutely unnecessary and crosses a line that seemingly becomes blurrier with each new phase of the technology boom.

Luckily, there have been a few state politicians that agree with the need to protect the privacy rights of employees and have drafted legislation attempting to prevent this type of invasion. Right now, Maryland and Illinois and most recently California announced the passage of laws limiting an employer’s ability to request an employee’s social media password. California’s law is more comprehensive than that of its predecessors because it also protects the social media privacy of post-secondary students, similar to Delaware, which has passed a law only protecting student social media privacy.

Over a dozen other states including Washington and New Jersey are still working on similar bans. Senators Chuck Schumer (D-NY) and Richard Blumenthal (D-Conn.) have requested the Department of Justice and the Equal Employment Opportunity Commission to investigate whether or not these social media password inquiries violated federal law.

Although only a few states have stepped up to address this issue, I encourage all employees and job-seekers to be aware that this is an invasion of your privacy, and unless your employer or potential employer can show you just cause or legal standing as to why they should be provided your social media passwords, refuse. If your refusal is the difference between you getting or keeping that job, you have to ask yourself, “do you want to work for a company that would seek to invade your privacy in such an obvious way?” It is almost like coming to your home and asking to do a search. Any information not made widely available is protected for a reason, so if that company isn’t able to access the information open source, they need to understand that it is private.

NLRB Issues First Social Media Decision – What Does this Mean?

Social Media is a new frontier in cyber law. It is impacted by a variety of regulations such as labor laws, internet law, IP law, etc. Recently the intersection between labor law and social media has impacted corporate policy. Many companies dove head first into the social media craze when they realized the potential marketing impact. Many realized much later that they needed to regulate use by employees, and some did not realize it at all. Many of the social media policies created violated employment law, namely the National Labor Relations Act (“NLRA”).

Over the last year the National Labor Relations Board (“NLRB”) Acting General Counsel issued a series of memos that provided insight into its interpretation of how the NLRA applies to social media policies. This month was noteworthy as the National Labor Relations Board issued its first decision taking on an employer’s social media policy in Costco Wholesale Corp., 358 NLRB No. 106 (2012). The ruling was pretty consistent with the recommendations from the NLRB memos, which highlighted a need for specificity and examples.

Costco’s “Electronic Communications and Technology Policy” stated:

Costco recognizes the benefits associated with electronic communications for business use. All employees are responsible for communicating with appropriate business decorum whether by means of e-mail, the Internet, hard-copy in conversation, or using other technology or electronic means. Misuse or excessive personal use of Costco technology or electronic communications is a violation of Company policy for which you may be disciplined up to and including termination of employment. Your use of Costco technology and electronic communication systems represents your agreement with the following policies: . . .

  • Any communication transmitted, stored or displayed electronically must comply with the policies outlined in the Costco Employee Agreement. Employees should be aware that statements posted electronically (such as online message boards or discussion groups) that damage the Company, defame any individual or damage any person’s reputation, or violate the policies outlined in the Costco Employee Agreement, may be subject to discipline, up to and including termination of employment.

The NLRB found that employees would reasonably construe the rule as prohibiting Section 7 activity. More specifically, the NLRB found the “broad” prohibitions against damage to the Company or another individual’s reputation included communications by employees that protest how the employer treated its employees.  The NLRB also found the rule requiring employees to use “appropriate business decorum” was lawful under the NLRA, which is good news for employers.

Employers following this opinion should note it affirms that context and specificity play an important role in whether a policy is considered lawful under the NLRA. Policies are evaluated as a whole, so employers must be aware of how each section works together. I encourage employers to pay close attention to NLRB recommendations and all relevant state & federal regulations as you craft your social media policy.