iPhones send call history to Apple, security firm says (theintercept.com)
242 points by mcagl on Nov 17, 2016 | 81 comments

I'm not sure how this is "secret". If you're using iCloud on your mac and your iPhone, and open up Facetime on the former, you'll see a call list (including regular phone calls, not just facetime).

I agree it's undesirable that call history is sent to Apple - but it's pretty easy to notice if you use facetime across devices that the call history is synced.

The "secret" part is that they include information that is only interesting to law enforcement (timestamps and durations) in addition to pulling information from third-party communication tools like WhatsApp.

Namely, Apple chose to provide this information to government surveillance when they could have (and indeed promised) to design it in a way that allows for the iPhone to be used in sensitive situations and by people who need security from state coercion and violence.

This doesn't make sense to me. Law enforcement has been able to get that information easily for quite some time directly from telephony systems. Timestamps and durations have been a part of phone UIs for quite some time, which to me indicates that it is in fact interesting to more than law enforcement... unless phone manufacturers conspired to display that information to help LEOs when they confiscate phones.

Anyone who cares about state coercion and violence should know phone calls are about the least sensitive way to communicate.

> Timestamps and durations have been a part of phone UIs for quite some time

This is not familiar to me at all. If true, note the remaining points: the manner in which this data was synchronized allowed this material to be provided to law enforcement (Apple had other options) and Apple also included information from third party communication tools used by some people (mistakenly) to avoid being surveilled.

Timestamps and durations have been visible on the iPhone ever since it was released in 2007. I assume other smartphones do something similar. Integration with third parties is a more recent feature, it's what lets you use VoIP apps with the iPhone's native call interface, and those calls end up in the same call history that your "regular" phone calls do, which is why they're included in the syncing.

LEO can get that information about people abroad, using their phones on foreign soil, maybe even being foreigners.

This is just plain wrong. Timestamps of course make sense in the context of call history.

Why undesirable? I found call log sync quite useful.

I think the lack of control is undesirable. I agree the feature itself can be very useful. The title of this post sounds way more sinister than it appears.

What possible controls can Apple put in place though other than a checkbox for do/do not sync ?

And remember Apple is positioning iCloud as a cloud-for-dummies solution, so adding choice comes with trade-offs.

Couldn't I apply the same argument for why Google needs to send your call history to its servers to perform number lookup? Yet people cry foul (rightfully so) about privacy implications.

Google has a track record of disregarding user privacy. Apple has the opposite, a track record of protecting user privacy as much as they can.

They sell ~10 iPhones per Mac so most people are only going to be using FaceTime on their phone.

The key detail for me is that if you delete the call from the log on any device, the next sync will delete it in iCloud.

So the probably-good-enough-for-most-folks way to deal with this is to just delete calls from your log that you don't want to get archived in iCloud for 4 months.

The sure way is to disable iCloud entirely, but that reduces convenience in all sorts of ways (syncing iTunes music, for instance).

The ideal would be for Apple to figure out how to provide the services of iCloud in such a manner that they don't have access to user data. Apparently they are working on that but it would obviously be a major change, and risky too.

Most people don't care that Apple has to see their data in order to sync, but boy will they be pissed if Apple makes their data permanently unreadable. Most people want to be able to go into an Apple store and get problems fixed. Imagine being an Apple retail tech and explaining to some 50-something lawyer that because they lost their password there is absolutely nothing you can do. "Sorry man--encryption."

> The key detail for me is that if you delete the call from the log on any device, the next sync will delete it in iCloud.

I highly doubt that it is a hard deletion of data. My guess is that it would be a soft delete, so your call log won't show up on your iPhone, but the data will be retained on Apple's servers.

I'm just going by the article:

> One way call logs will disappear from the cloud is if a user deletes a particular call record from the log on their device; then it will also get deleted from their iCloud account during the next automatic synchronization.

Does apple delete it from all their backups as well?

No worries, the NSA keeps a copy for you.

But does it get deleted, or marked as deleted?

Call history is synced between devices via iCloud, so what's the news here?

Note to media companies (and everyone else) talking about security: You have to put security elements in context to say anything reasonable

That means both: 1) Consider your audience, and 2) Do a 'risk analysis' (Meaning figure out where the security issue starts to outweigh the convenience and describe the actual impact of the issue.)

This article (and Forbes') are both severely damaged by a failure to do either. Without stating the contexts where this call logging is a problem, and who it is likely to affect, you end up writing alarmist nonsense, especially when the audience is the general public.

> Apple's Reply:

>> Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password.

Can't the Apple ID password be reset? If so, how can it be true encryption?

> Device data is encrypted with a user’s passcode

I think it uses the passcode you set on your phone, not the password of your iCloud account.

> I think it uses the passcode you set on your phone, not the password of your iCloud account.

May be true, but

> access to iCloud data including backups requires the user’s Apple ID and password.

probably doesn't require the passcode that the user has set, because this data is available across several devices, and the only common thing would be the Apple ID and its password.

If you've recently set up iOS devices you'll have seen it ask for the passcode for another device before you can access iCloud data on the new one.

^ This. First time it happened I was a little confused, but once I realized what was happening I was ecstatic about its implications for iCloud backup security.

Yep. iCloud security is fantastic. Here's a write up on how the keychain security works:


It involves hardware security modules, cross-device crypto signing and other fun stuff. Apple cannot access the data they store about you on their servers.

From Apple's documentation:

Apple designed iCloud Keychain and Keychain Recovery so that a user’s passwords are still protected under the following conditions:

- A user’s iCloud account is compromised.

- iCloud is compromised by an external attacker or employee.

- Third-party access to user accounts.

Note that the keychain security is a bit of an exception -- it's particularly strong, as it's protecting password data. (My favorite detail, not mentioned in the original white paper: To prevent the iCloud Keychain HSMs from being updated with a more lax policy, the smartcards that would have been required to update them were destroyed in a private ceremony involving a blender.)

Other data in iCloud is generally under less extreme levels of security. This isn't to say that it's insecure, merely that it's not as fanatically protected. Some of it may be accessible by resetting your account password.

Only iCloud Keychain is protected this way. It doesn't apply to backups or other data.

I don't know whether they do, but the data still is on your device, so if you change your password, your phone can overwrite the version in the cloud with a newly encrypted one.

Using Apple ID and password is (for the typical user) fairly weak encryption, though. That could be improved by having your devices exchange encryption keys.

There may be a phrasing issue. Parts of iCloud data are protected with a device passphrase / passcode (or specifically: an encryption key generated based on that). Further, your iCloud account is protected with a password of course. So these are two layers of protection, not quite one or the other like the text may imply.

Maybe the password encrypts the actual encryption key? I don't know about iCloud but that's how LUKS works on Linux.

Except that would mean a password reset would involve losing access to all your data (unless you can remember the original).

You can have an HSM that encrypts the data with its own key, and merely verifies that the apple id & password match before decrypting anything, and you can destroy the private keys necessary to reprogram the HSM, so that way you can't be compelled to change it. The HSM would similarly do whatever verification is necessary when resetting the password to ensure that the rules are met.

That said, I don't know what Apple actually does. I know they use HSMs, but most of the info about how that works is about Keychain syncing, which is done a bit differently than other iCloud data syncing.

Yeah, unless you have another iCloud device I believe you lose your data.
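The scheme floated in the comments above (a password that encrypts the actual encryption key, as LUKS does) together with the objection about password resets, as an added sketch that is not part of any comment and not a description of Apple's design. The `Vault` class, its method names and the sample data are hypothetical, and `seal`/`unseal` are a stdlib-only encrypt-then-MAC stand-in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, os

def kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream (illustration only).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ek, mk = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    ek, mk = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

class Vault:
    """Data is encrypted under a random data key (DEK); only the DEK is
    wrapped with the password-derived key, as in LUKS key slots."""
    def __init__(self, password: str, data: bytes):
        dek = os.urandom(32)
        self.ciphertext = seal(dek, data)
        self._wrap(password, dek)

    def _wrap(self, password: str, dek: bytes) -> None:
        self.salt = os.urandom(16)
        self.wrapped_dek = seal(kek(password, self.salt), dek)

    def read(self, password: str) -> bytes:
        dek = unseal(kek(password, self.salt), self.wrapped_dek)
        return unseal(dek, self.ciphertext)

    def change_password(self, old: str, new: str) -> None:
        # Old password known: unwrap and re-wrap the DEK; the data is untouched.
        self._wrap(new, unseal(kek(old, self.salt), self.wrapped_dek))

    def reset_password(self, new: str) -> None:
        # Old password unknown: the DEK cannot be recovered, so the only
        # option is a fresh DEK, which leaves the old ciphertext unreadable.
        self._wrap(new, os.urandom(32))
```

A password change re-wraps only the 32-byte key, while a reset without the old password strands the existing ciphertext unless some other party (another device, or an escrow service such as the HSM idea in the following comment) still holds the data key.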

That is a valid question.

But everything on the iCloud can be obtained by the government and the law enforcement agencies. Right? (I don't care much, but apparently one of the reasons many people use iPhones instead of Android phones is that their data is perceived to be protected from the government, so might be important for them - and Apple does have a history of giving the iCloud data to them).


Yes. Not sure why people reject things about their favorite company without checking facts, just like religion. Even the account for which Tim Cook became the privacy crusader, they had already given his iCloud data.

Also, here: http://www.apple.com/in/privacy/government-information-reque...


I do not understand why this is even a discussion, either folks are being disingenuous on purpose, or maybe it is truly a matter of not understanding how it works.

Any data on iCloud which is not encrypted (for example: webmail) or Apple servers (example: Activation information) can definitely be requested by LE. This is a known fact, and as Apple has the data they are required by law to hand it over upon getting a proper subpoena for it. Whether they should be retaining those logs is another matter and can surely be debated.

With regards to iCloud data, the Keychain as well as a great deal of the stored data is now encrypted additionally by your device passphrase. This is new, and was not the case for the SB iPhone 5c, for what it is worth.

Some other items that get synced through iCloud are phone numbers and emails of people you text, or send email to, even if they are not in your address book. Searches you put into Maps are also synced this way as far as I know.

Most of this data can be viewed on a macOS if you are signed in with the same iCloud account. It is stored in plist-files in a special folder called "SyncedPreferences".

~/Library/SyncedPreferences
~/Library/Containers/com.apple.corerecents.recentsd/Data/Library/SyncedPreferences

It has bothered me for a long time that there is no way to disable call log, text and email recipients syncing in preferences. While I can see how users might find this feature useful, it should be made more obvious what is actually happening when you sign into iCloud.

And by the way, disabling iCloud Drive does not disable the syncing of "SyncedPreferences".

I'd be more worried about my carrier keeping call history forever than Apple keeping it for a few months.

The thing to note here is that it includes all information about the calls including the times and durations and the logs also intercept communications from third party apps like Skype, WhatsApp, and Viber, and that all of this information is available to law enforcement.

This is despite Apple's PR statements claiming that the company has designed the phone and its logs to minimize or eliminate the amount of information that will be used to feed into law enforcement surveillance requests.

It has to get from one device to another somehow, right?

There's total[0] privacy and then there's degrees of privacy and convenience. You can't have total privacy and total convenience. At least not presently.

[0] Total is one of those words like 'always' and 'never' that people should try and avoid. Myself included.

> You can't have total privacy and total convenience. At least not presently.

Encrypt the data using a password you enter on both devices and only transfer it encrypted across network?

Cost to convenience: if you lose or forget your password, you lose your data.

that's total convenience?

I've never enabled iCloud on any of my iOS devices, since I find it a bit creepy.

What real benefits am i missing out on that outweigh the privacy aspects of not using it?

Find my iPhone would seem to be an obvious benefit, but are there any others?

What privacy aspects are you referring to? iCloud is extremely secure unless you disable certain aspects of its security or choose to use a weak password.

I'm only using "find my iphone" myself. The rest is of dubious use to me.

Well, of course it does. The question is - why?

Apple's response in the article explains it - so the user of multiple devices has the call log on all of them, so he can respond to calls on any device. Also, this helps when you set up a new phone.

I feel like "sync" is an iCloud feature.

It is, but they are talking specifically about iCloud's backup feature being switched off, not iCloud itself. Syncing is not the same as backup.

Yup, this is exactly it. Even with backup turned off you can answer calls from your Mac/iPad... Why is this surprising?

I'm still using my trusty Motorola Razr

If you're not joking, I'm curious how long the battery lasts nowadays. Has it significantly declined since you first got it?

If he's referring to the flip phone, and not the Droid Razr, then we're talking about a phone that had a standby time measured in weeks. At best it lasts probably 10x longer than today's smartphones so even a 75% reduction in battery life is still better than what we deal with today.

It's amazing how long a battery can last when it's connected to a device that doesn't do anything.

Have you ever measured the battery life of a battery still in the package? It's amazing, standby time is like years.

Some people still want their phone to (1) make phone calls (2) make phone calls. For them a phone that makes phone calls and the battery lasts a week is far more full featured.

Yeah and some people still want a typewriter. They can have one. That doesn't make it any more useful than the one trick device it is.

It has one of those old-fashioned replaceable batteries, so he could always just buy a new one if it goes downhill.

That's assuming they are still manufactured. With my old blackberry there were batteries on Amazon, but they were clearly expired stock and could barely hold a charge.

Some batteries seem to live on. I bought a no-name cheap dashcam for my car, and was surprised to see that its battery was identical to the one in my first Nokia phone.

A feature of the Razr that I desperately miss from modern phones: it would fire the alarms even when the phone was turned off. Somehow this ability has been lost on smartphones, and people behave as if it is a technical impossibility, but the Razrs managed it.

Yep, the old Nokias did that too

With the in-built BREW environment and the SIM "capabilities", it's probably a lot less "trusty" than an iPhone -- especially an iPhone with iCloud turned off.

More luddite doesn't always mean more secure.

In what ways is BREW secure and insecure?

Motorola Brick here. My hipster street cred is through the roof.

Razr is what the StarTAC should have been.

The Razr came out 7 years after the StarTAC - there's no way they could have built the Razr with 1996 technology. That's like saying the McLaren F1 is what the Ford Model T should have been...

I was linking the StarTAC as being the original Razr :)


Please tell me they didn't spend any money to figure this out.

iCloud phone backups contain all sorts of other data, too. But it's encrypted.

I wonder if The Intercept will qualify as "fake news" in the near future for exposing things like this.

What (TF) are you talking about??!!


Aren't people talking about shutting down outlets that just make shit up?

I hadn't realized they were going after outlets on things like age and size and editorial focus.

If you don't see the point of the former, you become convinced of the latter.

Given that one of its founding journalists, Glenn Greenwald, is a Pulitzer Prize winner, and that the site has published many stories on one of the most significant news topics of the decade (the Snowden revelations), I don't think anyone could reasonably place it in the same category as the fake news sites that have been talked about recently.

> You're really playing with fire if you think it's a good idea to let other people classify things as "real" and "fake" for you.

You do this with literally every news source you read or watch. Most people consider CNN, BBC, The Guardian, New York Times etc. to be credible news sources with long-standing reputations. Sure, they are at times biased in their coverage, and selective on what they cover, but unless you're "on the ground" so to speak experiencing current events directly, you have to rely on a degree of trust in journalists and editors. I think the key is looking at the news with a healthy degree of skepticism, and getting your information from a range of different outlets.

> Most people consider CNN, BBC, The Guardian, New York Times etc. to be credible news sources

Fewer than used to.

