So much for encryption turning phones into inscrutable blocks of plastic, metal, and glass. The Intercept is reporting that Apple is doing some of law enforcement's work for it, routing call records to users' iCloud storage.

Russian digital forensics firm Elcomsoft has found that Apple’s mobile devices automatically send a user’s call history to the company’s servers if iCloud is enabled — but the data gets uploaded in many instances without user choice or notification.

“You only need to have iCloud itself enabled” for the data to be sent, said Vladimir Katalov, CEO of Elcomsoft.

The logs surreptitiously uploaded to Apple contain a list of all calls made and received on an iOS device, complete with phone numbers, dates and times, and duration. They also include missed and bypassed calls. Elcomsoft said Apple retains the data in a user’s iCloud account for up to four months, providing a boon to law enforcement who may not be able to obtain the data either from the user’s carrier, who may retain the data for only a short period, or from the user’s device, if it’s encrypted with an unbreakable passcode.

Plain vanilla call records aren't that difficult to obtain. They've long been considered third-party records and can be obtained without a warrant. The Intercept quotes a former FBI agent as saying this is a "boon" for law enforcement because the four-month retention period is longer than most service providers'.

That doesn't seem to be correct at all. The EFF's Nate Cardozo points out that most service providers retain call logs for at least a year, with some retaining records for as long as a decade. Kim Zetter, who wrote the piece for The Intercept, believes it might be a misunderstanding. Providers may retain content (messages, etc.) for a shorter time frame than the four months of records Apple automatically uploads, but former agent Robert Osgood (quoted in The Intercept's piece) clearly states he's referring to call logs.

The concerning part of this isn't the normal call logs. Those are retained for years by carriers and can be obtained with a subpoena or a pen register/trap and trace order (for "real-time" data). There are two aspects of this automatic collection that should worry iPhone users.

First, it's not solely limited to calls placed directly through carriers.

FaceTime, which is used to make audio and video calls on iOS devices, also syncs call history to iCloud automatically, according to Elcomsoft. The company believes syncing of both regular calls and FaceTime call logs goes back to at least iOS 8.2, which Apple released in March 2015.

And beginning with Apple’s latest operating system, iOS 10, incoming missed calls that are made through third-party VoIP applications like Skype, WhatsApp, and Viber, and that use Apple CallKit to make the calls, also get logged to the cloud, Katalov said.

Trying to route around service providers to limit easily-obtainable records of your call activity is somewhat pointless on Apple devices. It all gets captured and can be obtained directly from the company. Presumably this information would still fall under the Third Party Doctrine, meaning law enforcement most likely won't have to present a warrant to collect this data from Apple.

The other concerning part of this collection is that Apple does it without informing customers that it's doing it. It does list several forms of data it syncs to users' iCloud accounts, but never states that it's collecting call records. Kate Cox of The Consumerist digs into the iCloud fine print.

Under the header “Privacy and security,” Apple writes:

Apple takes data security and the privacy of your personal information very seriously, and iCloud features are designed with your privacy in mind. All your iCloud content — like photos, documents, and contacts — is encrypted when sent over the Internet and, in most cases, when stored on our servers. If we use third-party vendors to store your information, we encrypt it and never give them the keys. And security enhancements like two-factor authentication help to ensure that the important information in your account can only be accessed by you, and only with your devices.

And the full list of features Apple mentions on the site includes backup for “important stuff like photos and videos”; Notes; iTunes and Apple Music; Mail, Calendar, Contacts, and Reminders; Safari browser history and passwords; Safari password keychain; and Find my [Device]. Nowhere is “call history data” mentioned.

Apple's explanation for this hidden syncing is "convenience:" "history syncing" allows users to "return calls from any device." That's fine but it doesn't explain why Apple doesn't list that in the data it syncs to iCloud or why it doesn't give users an easy way to exclude call data from this process.

Not that users of other devices should feel superior. Android and Windows phones do the same thing and give users no easy way to disable call tracking.

But it does drill another hole in the "going dark" theory. Tons of information from locked phones is being synced to cloud storage that manufacturers hold the keys to. And, in the case of Apple, content from end-to-end encrypted iMessages could be no more than a warrant away from law enforcement's possession.

You may have heard, recently, that the guy who was apparently behind the celebrity nudes hacking scandal (sometimes called "Celebgate" in certain circles, and the much more terrible "The Fappening" in other circles) recently pled guilty to the hacks, admitting that he used phishing techniques to get passwords to their iCloud accounts. But... that's not all that he apparently used. He also used "lawful access" technologies to help him grab everything he could once he got in.

We keep hearing from people who think that just "giving law enforcement only" access to encrypted data is something that's easy to do. It's not. Over and over again, security experts keep explaining that opening up a hole for law enforcement means opening up a hole for many others as well, including those with malicious intent. ACLU technologist Chris Soghoian reminds us of this by pointing to an earlier article about how the guy used a "lawful access" forensics tool designed for police to get access to such data (warning, link may ask ask you to pay and/or disable adblocker):

On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.

Obviously, the situation with encryption on the iPhone is a bit different, but the same basic principle applies. Opening up a door is, by definition, opening up a vulnerability. And we should be very, very, very wary about opening up any kind of vulnerability. It's tough enough to find and close vulnerabilities. Deliberately opening one can be catastrophic.

One of the more ridiculous claims in the DOJ's filing against Apple last week, was its decision to pick up on former NSA lawyer Stewart Baker's conspiracy theory that Apple had built backdoors into its products for China (side note: I met Stewart in person for the first time recently, and he mocked me about this, saying that I should agree with him on this point). However, as we noted in our post last week, there doesn't seem to be much evidence to support Baker's claims. The two key issues were using the Chinese wireless standard WAPI -- which some have claimed includes some sort of backdoor, but it was also the only real local area wireless tech in China for a while -- and the decision to store iCloud data in China. However, as we noted, there have been reports that the Chinese government tried to then conduct a man in the middle attack against the iCloud servers. If Apple had actually given the government a backdoor, then why would it need to do that?

Either way, in a declaration attached to Apple's response, Apple had Craig Federighi, its senior VP of software engineering, tell the court directly that it has never installed a backdoor for any government ever:

Apple uses the same security protocols everywhere in the world.

Apple has never made user data, whether stored on the iPhone or in iCloud, more technologically accessible to any country's government. We believe any such access is too dangerous to allow. Apple has also not provided any government with its proprietary iOS source code. While governmental agencies in various countries, including the United States, perform regulatory reviews of new iPhone releases, all that Apple provides in those circumstances is an unmodified iPhone device.

It is my understanding that Apple has never worked with any government agency from any country to create a "backdoor" in any of our products or services.

Now, some may push back on the point about WAPI, but again, making use of a third party technology that potentially has backdoors (some of which could be protected against) and being told by the government to build special backdoors just for that government are still vastly different scenarios.

On Friday, we noted that one of the reasons that the FBI was unable to get access to the data on the remaining iPhone from Syed Farook was because after the shooting and after the phone was in the hands of the government, Farook's employer, the San Bernardino Health Department, initiated a password change on his iCloud account. That apparently messed stuff up, because without that, it would have been possible to force the phone to backup data to the associated iCloud account, where it would have been available to the FBI. But, after we published that article, a rather salient point came out: the Health Department only did this because the FBI asked it to do so.

From a San Bernardino County Twitter account:

The County was working cooperatively with the FBI when it reset the iCloud password at the FBI's request.

— CountyWire (@CountyWire) February 20, 2016

If you can't read that, it says: "The County was working cooperatively with the FBI when it reset the iCloud password at the FBI's request."

In short: a big reason why the FBI can't get the info it wants is because of an action taken... by the FBI.

Apple has also provided further information on this, showing how it was perfectly willing to cooperate in reasonable ways with the FBI -- but that it was the FBI that messed things up:

The Apple executive told reporters that the company’s engineers had first suggested to the government that it take the phone to the suspect’s apartment to connect it to the Wi-Fi there. But since reporters and members of the public had swarmed that crime scene shortly after the shootings occurred, it was likely that any Wi-Fi there had been disconnected. So Apple suggested the government take the phone to Farook’s former workplace and connect the phone to a Wi-Fi network there.

The executive said that Apple walked the government through the entire process to accomplish this, but the government came back about two weeks later and told Apple that it hadn’t worked.

Apple didn’t understand why it had not worked—until the company learned that sometime after the phone had been taken into the custody of law enforcement, someone had gone online and changed the Apple ID that the phone uses to conduct backups.

Two interesting points in there: first, do you remember how there was all this discussion about the insane media scrum that ransacked Farook's house? And lots of people pointed out that useful evidence may have been harmed by it. At the time, the FBI insisted they were all done with the house, but it appears that may have been part of the reason why they couldn't get the backup.

The second is that Apple had not revealed this tidbit earlier. The company explained that it had felt that its conversations with the government had been confidential until the FBI revealed this detail in the totally unexpected Motion to Compel it filed Friday. It appeared that the FBI was so eager to push its PR stunt that it filed the document (which it had no reason to file), and then revealed even more of its own bungling in this particular case.

Whether intentional or not, this is only going to add support to people who say that the FBI doesn't actually care what's on the phone, but wanted to be able to go after the data in this case because they knew they could set a precedent in a case where their argument will generate the most sympathy. Remember, back in September, after the Intelligence Community lost the fight to get a law banning strong encryption, intelligence officials said out loud that they'd just wait until the next terrorist attack:

Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”

Two months later, you get a "terrorist attack" (or a workplace dispute that can be painted as a terrorist attack) and a sorta, kinda encrypted phone, and voila. Just what the intel community asked for. It would be crazy to suggest that any of this was done on purpose -- it's almost certainly a bit of convenience for the intel and law enforcement communities. But the fact that the FBI directed the Health Department to change the password, and that's part of the reason they're now locked out, really raises some questions about what the FBI's priorities were here. It also raises a separate question of whether or not companies should be forced to hack their own system in cases where the FBI's own bungling was responsible for the loss of information. But, really, that's a minor point, given that the DOJ wants that power even in cases where the FBI didn't mess things up itself.

Earlier this year, I wrote about a dumb criminal who reportedly broke into someone's home and incriminated himself by taking a selfie with his victim's phone. Our always helpful community did the digging they so dig to do and uncovered that the story had since been debunked. Many of you must have thought that this should have been obvious. After all, some of you surely thought, even the most idiotic bad guys aren't going to go out of their way to photograph themselves in the midst of committing their crimes.

Ah, sweet vindication is such a wonderful side-dish in a main course of schadenfreude. Not only has a recent dumb criminal proved he's perfectly willing to take a selfie with a phone he stole from his victim, but he's been taking multiple selfies. All these self-incriminating bits of narcissism are, of course, being uploaded to the victim's iCloud account and are currently being shared by police, who I imagine are also rolling around on the ground laughing.

Police in Stockton, Calif. are sharing the photo of a man they say stole a victim's iPhone. The police have identified the man because he's continued to take selfie photos that show up on the victim's iCloud account.

Oh, yes, and there have been all kinds of follow up reports on this, indicating that I won't be getting egg on my face this go around. In the meantime, the police are of course blasting this wonderful gentleman's self-portrait all over social media and local news. I expect he'll be in custody shortly, if he isn't already. Look now upon the face of a mastermind.

And, as I said, the selfies reportedly are still rolling in. Here's to our unnamed phone thief getting a nice, big mirror in his holding cell.

If anything, Apple's announcement of iTunes MusicMatch has made opposing sides equally uncomfortable (a sign of disruption?). Whereas some are concerned about its possible use as a tool to identify infringers, others are more concerned about it 'legitimizing piracy' and are not afraid to pull numbers out of thin air to back up their claims.

One of these people is PRS for Music's chief executive Robert Ashcroft. Ashcroft claims collection societies like PRS for Music could experience an 80% drop in online licensing revenue if unauthorized downloads were to be admitted in locker services and then legitimized. It seems very unlikely that collection societies would even exist if one innovation would cut 80% of their business, but I'm very curious to see evidence to back up this claim.

I've been trying to come up with a scenario that would warrant this 80%, but most would be too far-fetched for a non-fiction blog like Techdirt. The existence of these locker services would have to lead to governments deciding there is no reason to keep downloading illegal. Then either new 'pirate' platforms would have to start outcompeting already existing platforms or most legitimate platforms would have to decide there is no value in having good relations with the artists and labels their users adore. Then most users must stop spending money on music. Why is this not realistic? Despite the increasing convenience of unauthorized downloads, authorized platforms such as Netflix are beating piracy in terms of traffic. If the suggested 80% decline would be realistic, it would have already happened. It didn't.

He further stated that:

“We are at a turning point. Either the internet becomes an economically viable replacement to CDs or else there is an admission you can’t get fair value from the internet, which would lead to lasting damage to the music industry.”

No, just no. Either the internet becomes an economically viable replacement to CDs or else? The internet is a revolution in computer networking and communication - it was never intended to be a replacement to CDs. The internet is a disruptive technology which among many great things has helped thousands (if not millions) of artists and musicians reach global audiences they would otherwise not have reached. It has helped artists gain exposure and popularity to generate the licensing revenue which helps pay for the salary of collection societies' staff. For this reason the new generation doesn't blame the internet (although sometimes they forget where they came from). Just recently I interviewed Para One, a successful French electro producer, who said:

“I personally see the internet as a blessing. It would be unfair to hate it, since it pretty much kickstarted our careers through forums, then MySpace, etc, a while ago.”

Let's just label the part where he says that the internet should be a CD replacement "or else" as the FUD that it is and move on. Actual research into this suggests there's actually money to be made for the music industry. Of course that remains to be seen and depends on a few factors such as how good consumers are at predicting their own behaviour. It's also dependent on the moves of other competing platforms such as Spotify and Google Music.

However, these are intelligent platforms, built in a reality where they have to compete with free and in which they must convert 'free users' into paying users. This is why I cringe when I hear people from a less reality-based side of the business say "piracy" needs to be stopped in order for these startups to succeed. A piracy-free internet would have to be so restricted (three strikes is not enough) that it would devastate these startups and most other future innovation along with human rights.

When Apple announced its iCloud Music Match service, a lot of people started suggesting that it "legitimized" infringement, or in some manner created an amnesty program for infringers: pay $25/year and all of your infringing copies get replaced by licensed copies from Apple. In fact, this really pissed off some copyright holders. The whole thing struck me as a huge exaggeration, because no one was looking at the files on your hard drive to see if they were infringing anyway.

But... what if they started now? And what if they started now because they could... thanks to Apple's iCloud Music Match.

I still think this is a huge stretch (and I'll explain why below), but Slashdot points us to a story from someone suggesting that rather than "amnesty" for unauthorized file sharers, Music Match could be used to track down infringers. My initial response was that this was totally crazy, because it wouldn't know if the non-iTunes-bought tracks were authorized or not. After all, you could have bought them elsewhere or ripped them. However, the author of the article, Daniel Nolte, does a good job walking through both scenarios and explaining why Apple might still be able to figure out what files were likely infringing:

Although the �DRM free� MP3 now being provided from many of the the major music download companies can be played anywhere, each download is watermarked with header information specific to the exact purchase and purchaser.  This article from Techcrunch gives more details on �dirty� MP3s.  Consequently, if you purchase a �DRM free� MP3 file from iTunes and then share it, and the person(s) who received it saves it to their iCloud, then Apple will know both (i) who shared their copy and (ii) whose copy is illegal.  For files from other watermarked retailers, the same information would only require coordination with the other site.

Next consider music purchased from sites that sell legal but �clean� MP3s without watermarks.  These files will have unique MD5 or SHA-2 signatures that can distinguish them to a particular company.  They will certainly have different signatures than the watermarked versions (because the addition of the watermark) and they will be unique from versions of the same song encoded by others.  When Apple�s servers detect a number of copies far in excess of the �clean� mp3 company�s reported sales, they will know where to suspect illegal copying.

Then there will be MP3s that individuals created themselves from, for example, �ripping� their CD collections.  While these are not watermarked to the individual, they appear to be unique for each �rip�.  To confirm this, I ran a test with fresh installations of the exact same CD ripping software on two different computers.  I then had them rip the same track from the exact same CD using the unchanged system default settings on both computers.  The MD5 hashes did not match. Small differences between the two reads, the internal timestamps, the system metadata, etc. likely resulted in the mismatch.  It will almost certainly also be different from the file hashes from legal download sites, both those that watermark and those that do not.    In short, if you and thousands other people have MP3s of the same song with the same file hash value, you will not be able to credibly claim it occurred because all of you ripped it from your CD collections.

The obvious next response is that Apple would never let its data be used in this manner, as it would kill the service. But Nolte notes that might not matter either:

Apple would not have to.  They would simply have to comply with an information demand from the RIAA, who has had no problem with being seen as the bad guy in hardball enforcement against file sharing.  Moreover consider this:

1. Apple is the largest music retailer on the planet.
2. Apple believes, possibly justifiably, that it loses billions of dollars annually to illegal music file sharing.
3. The easiest way out of the legal jam over challenged content in your iCloud storage would be to convert the suspected iCloud music by buying it from Apple.  Apple becomes almost like a white knight in the process.

While this is possible, I don't think it's probable for a variety of reasons. While the RIAA may not have a problem being seen as the bad guy in hardball enforcement, I think that even it has some limits, and this almost certainly passes those limits. I could actually see a random misguided indie label seeking this kind of information, but I'm not convinced it would really get that far. I would hope that most courts would recognize that this was a fishing expedition, rather than a reasonable search based on evidence of specific infringement. Simply demanding all data would (hopefully) be a non-starter.

In the end, I think both claims are probably overblown. Music Match is neither a way to launder infringing files, nor is it a honeypot to get you in trouble for your infringing files. It's just a service to sync music.

Via Hypebot, we learn of an indie label called Numero that apparently has decided that it wants no part of Apple's iCloud Music Match offering:

In the coming weeks, many customers and friends will ask us this question: why am I not able to automatically access Numero in my iCloud? The simple reason is that Apple and their major label "partners" have created a reward system that is both incomprehensible in scope and totally out of sync with iCloud's streaming peers' (Rdio, Spotify, et al) financial mechanics. As we have been entrusted with an incredible wealth of creative assets, and our primary responsibility is to our partners; the artists, producers, and songwriters that make up the Numero catalog, we feel that Apple�s pittance is an insult not only to them, but every other musician, living or dead, and, if the latter is the case, their heirs.

With that in mind, we have declined Apple�s invitation to iCloud.

The label seems upset at the fact that Apple cut deals with the major labels, but I'm at a bit of a loss concerning the full reasoning here. Doesn't this just seem to harm consumers? I assume that users will still be able to upload Numero songs, as they would with other songs not in the iTunes database. It just makes it more difficult for them. The complaint about the financials being different than Rdio and Spotify is meaningless, because the service is totally different. This isn't about streaming music you don't already have. This is about sync'ing music you already have. I can definitely understand indie labels being upset about preferential treatment given to the majors, but I'm just not sure this sort of "protest" makes sense in response.

We've already discussed the pointlessness of arguing over whether or not iTunes new Music Match service "legalizes" infringement. It does not. No one cared about the files on anyone's hard drive, so this doesn't make one whit of difference. Besides, my hard drive has tons of music that wasn't purchased on iTunes, but was ripped (legally) from CDs I own. How can anyone tell the difference? On top of that, if for some reason, someone actually did care about the files on a hard drive, the fact that there were copies from the "iCloud" wouldn't "legitimize" the files at all.

And yet... it's kinda funny to see the varying reactions to all of this, especially from the copyright holders themselves. On the one hand, we have a Forbes story highlighting how the IFPI loves the new service:

IFPI�s chief executive, Frances Moore, told me via email that iTunes Match was �good news for music consumers and for the legitimate digital music business. It is the latest example of music companies embracing new technology, licensing new services that respect copyright and responding to the new ways consumers want to access and enjoy music.�

Yet, apparently not all copyright holders are so thrilled. aguywhoneedstenbucks points us to a different article, where the guy who holds the rights to Jimi Hendrix's music in Australia appears to be pretty upset about the whole thing:

Brisbane-based intellectual property lawyer Ken Philp said iTunes Match provided a means for people to "launder" pirated music, as it would substitute a pirated track on a person's hard drive for a legitimate version accessed from the cloud.

Mr Philip, who is retained to defend the intellectual property rights of Jimi Hendrix's collections in Australia, said iTunes Match had the potential to legitimise pirated collections and encourage more piracy.

That makes little sense. As we've already pointed out there's no real legal benefit to moving your songs to the iCloud. Of course, it's not too hard to figure out the real backstory here. Apple paid out about $150 million upfront to the major labels -- the companies represented by the IFPI. So of course the IFPI is happy about it. Folks like Mr. Philp, however, didn't get any cash, so of course he's upset. But, it's not like he was going to get random cash from some new source anyway, so it's not clear what he's complaining about.

As an interesting contrast, that Forbes article above quotes former Pirate Bay spokesperson Peter Sunde pointing out how silly Music Match is:

Peter Sunde, co-founder of file-sharing site The Pirate Bay says iTunes Match marks a big step towards consumers losing control of their media. The problem isn�t the $25, it�s that it doesn�t make sense to pay Apple, with its closed-source system, to gain access to music you�ve downloaded. More crucial than that, he says, is what that could mean for the future of sharing music.

Sunde cites Spotify as an example. The music-streaming service does let you share music links with your friends, but they must have a Spotify account to hear them. People who use Spotify have already stopped sharing and keeping their songs, he says. �In the end if people are dependent enough on the services, there will be no more copies [on local drives].�

Sunde later warns that relying on Apple may backfire for people, if it suddenly decides to "remove" tracks it believes don't belong there.

On the whole, I tend to agree with Sunde on this. First of all, I don't see how this legitimizes "piracy" at all -- as explained above. I also don't see it as being all that compelling. Almost all of the features Apple offers I already have set up through alternative means. And I'm not clear why I should pay Apple $25/year to gain access to the music I already paid for.