A government is known by the Apple data it requests

Sergio De Los Santos    11 July, 2019
A government is known by the Apple data it requests

Sometimes, governments need to be underpinned by huge corporations to carry out their work. When a threat depends on knowing the identity or gaining access to a potential attacker or a victim in danger’s data, digital information stored by these companies may be critical to perform an investigation and consequently avoid a disaster. Apple has published a full transparency report on government requests where they explain which and the extent to which such requests are granted. Ranging from App Store takedown requests to account access requests: Which government requests what? In order to make it clear, we have created a number of graphs to identify through this post what concerns governments most.

Device-based Requests

The following graph represents those requests based on devices. For instance, when law enforcement agencies are working on behalf of customers regarding lost or stolen devices. They also receive requests related to fraud investigations. Device-based requests generally seek details of Apple customers associated with devices or device connections to Apple services (for example, a serial number or IMEI number).

Device Requests by country

Without a doubt, China is the country that most requests on details of customers associated with devices or device connections to Apple services submitted. We can imagine as well that figures have soared due to piracy and fraud in the country.

Financial Identifier-based Requests

Examples of such requests are where law enforcement agencies are working on behalf of customers who have requested assistance regarding suspected fraudulent credit or gift card activity used to purchase Apple products or services.

Financial Identifier Requests by country

The U.S. and Germany are the countries that most financial identifier requests submitted. It may be explained by the increasing number of frauds in the U.S. related to credit cards (although it may not seem the case, in the U.S. credit card signatures are still usual to validate a payment). In this case requests are granted to a lesser extent, compared with the previous case.

Account-based Requests

Examples of such requests are where law enforcement agencies are working on cases where they suspect an account may have been used unlawfully or in violation of Apple’s terms of service. They usually seek details of customers’ iTunes or iCloud accounts, such as a name and address; and in certain instances, customers’ iCloud content (iOS device backups, stored photos, contacts…).

Account Requests by country

This is perhaps the most intrusive measure, since Apple provides private content. Again, China and the U.S. are the countries that most accounts requests submitted. Interestingly, China’s requests were granted in 98% of cases, while U.S.’s ones “only” in 88% of cases. Apple has the power to reject a request if they consider there is a problem of form or content. It must be taken into account that Apple, in addition to providing data, can also providing metadata not directly linked with data. This case is not considered a “granted” request, although it includes providing information as well.

Account Preservation-based Requests

Under the U.S. Electronic Communications Privacy Act (ECPA), government agencies may request Apple to freeze accounts for 90-180 days. This is the previous step before requesting access to accounts (while they obtain legal permission to request data), and this way they prevent the individual under investigation from deleting the account.

Account Preservation Requests by country

The U.S. is the country that most account preservation requests submitted. It is remarkable that on this occasion China has disappeared from the graph, although it is considered a previous step before requesting access to accounts, where the country is quite active. Is it possible that China does not find many problems to obtain legal permission?

Account Restriction/Deletion Requests

Examples of such requests are where government agencies request to delete a customer’s Apple ID, or to restrict access. They are quite unusual. The U.S. submitted 6 requests and 2 of them were granted. The remaining countries just submitted one or two, but none was granted.

Account Restriction/Deletion Requests by country

Emergency Requests

Under the U.S. Electronic Communications Privacy Act (ECPA) as well, Apple may be requested to disclose account information to a government entity in emergency situations if Apple considers that an emergency involving imminent danger of death or serious physical injury to any person requires such disclosure without delay.

Emergency Requests by country

Interestingly, here the winner is the United Kingdom with 198 requests, even though they were not always granted; and it was closely followed by the U.S. The remaining countries submitted around 10 requests, and most of them were rejected. Is the United Kingdom mainly worried about emergencies and consequently it only requests data in such a case?

App Store Takedown Requests

They are usually related to apps that are supposed to be unlawful.

App Store Takedown Requests by country

China is far and away the country that most app store takedown requests submitted. It is curiously followed by Norway, Saudi Arabia and Switzerland. On this occasion, the U.S. ꟷquite active on data access requests in generalꟷ has completely disappeared from the graph.

This report also discusses private party requests upon legal request. Up to 181 requests; 53 of them granted by Apple on information access.

Conclusions

They are complex. We can see it from two different points of view: we can conclude that some governments request data access “all too often”, but we could argue as well that perhaps justice systems of such countries work in a more agile and effective manner, or that fraud is mostly located in them. You can interpret it as you wish. Only the following data-based conclusions seem to be clear:

  • China’s interest in deleting applications that it considers unlawful.
  • The United Kingdom’s involvement (the U.S. as well, but the UK only appears in this category) in emergency situations.
  • The U.S.’s preventive actions, since it requests to freeze accounts much more often than the remaining countries.
  • Germany’s high involvement (again, along with the U.S.) in financial frauds related to Apple products.
  • China, the U.S., Taiwan and Brazil are the countries that most personal data requested.

Please note that: over this post we have represented those graphs published by Apple itself. It is important to point out that all requests are submitted by batches. For instance, Apple counts the number of app store takedown requests, and in turn each request may include an undetermined number of apps. The same for account requests and the number of accounts included in the request. When Apple talks about the percentage of granted requests, it talks about requests, not about specific accounts. For example, Apple receives 10 requests, all of them adding 100 accounts. Later, it states that it has granted 90% of those requests, but we do not know how many individual accounts have been provided. However, the graphs show the total amount against that percentage. Even though it is not an exact exercise, it may give us an approximate idea of the real amount of data provided.

Leave a Reply

Your email address will not be published. Required fields are marked *