peshkova - Fotolia

Apple transparency report shows national security requests rising

The latest semiannual Apple transparency report showed national security requests on the rise and one expert questioned whether Apple could do more to be open about requests.

The Apple transparency report for the second half of 2017 showed national security requests on the rise, and the number of devices included in requests is up sharply.

The latest semiannual Apple Report on Government and Private Party Requests for Customer Information detailed requests by governments around the world from July 1, 2017, through Dec. 31, 2017. According to Apple, although overall device requests are down, governments around the world have been using fewer requests to attempt to get information on far more accounts.

The Apple transparency report showed a slight year-over-year decrease in the total number of device requests received worldwide (30,184 in the second half of 2016 versus 29,718 in H2 2017), but the number of devices impacted by those requests more than doubled from 151,105 to 309,362.

Apple is not alone in receiving more government data requests; Google has reported similar increases, but Apple noted it has complied with a higher percentage of government data requests in the second half of 2017 (79%) compared to the same time period in 2016 (72%).

Apple's transparency report shows the company has been complying with more of the government requests across multiple request types. Apple's compliance with financial information requests was up year over year from 76% to 85%; account-based request compliance was up from 79% to 82%; and only compliance with emergency requests went down from 86% to 82%.

National security requests also rose sharply, according to the Apple transparency report. In the second half of 2016, Apple received between 5,750 and 5,999 national security requests and complied with the majority of them (between 4,750 and 4,999). In the same time period in 2017, Apple received more than 16,000 national security requests, but only provided data to the U.S. government in about half of those cases.

Richard Goldberg, principal and litigator at the law firm Goldberg & Clements in Washington, D.C., said he was struck by the large percentage of U.S. government requests made by either national security request or subpoena.

"Although Apple has challenged certain government requests aggressively in public, we don't know how aggressive the company has been in private -- which is especially relevant because these requests typically do not require a judge's approval," Goldberg said via email. "So the government collects this information, and it may never see the inside of a courtroom."

Additional information

Goldberg added that the general level of detail in Apple's transparency report is helpful, but suggested Apple "should break out administrative subpoenas from all other types."

"Administrative subpoenas can have broad scope, because they often need only be related to something the agency is permitted to investigate, and they need not be connected to a grand jury proceeding or active litigation," Goldberg said. "It's a one-sided way for the government to demand information with little to no oversight, unless the recipient chooses to fight. And we don't know how Apple makes that decision."

According to Apple, the predominant reason for financial information requests around the world was credit card and iTunes gift card fraud and in multiple regions -- including the U.S. -- a "high number of devices specified in requests [was] predominantly due to device repair fraud investigations, fraudulent purchase investigations and stolen device investigations."

It is unclear what data in the Apple transparency report correlates to the allegedly large number of devices the FBI and other law enforcement cannot access due to encryption, nor is it clear which data in the report correlates to iCloud backup data, which Apple has previously admitted to handing over to law enforcement.

SearchSecurity contacted Apple for clarification on these issues and Apple referred to its Legal Process Guidelines, which detailed the types of data in iCloud backups that Apple would be able to provide to law enforcement, including the subscriber's name, address, email, telephone, mail logs, email content, iMessage data, SMS, photos and contacts.

However, Apple did note in the report that it would be adding "government requests to take down Apps from the App Store in instances related to alleged violations of legal and/or policy provisions," starting with the transparency report for the second half of 2018.

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing