Apple responds to PRISM reports, emphasizes user-privacy efforts

In an open letter published to Apple's website Sunday, the company outlined its policies for responding to government requests for information and promised to work to safeguard user privacy.

Early this month, The Guardian broke the story about a U.S. National Security Agency (NSA) program--code-named PRISM--under which the NSA has reportedly been monitoring the Internet activities of Americans. The report claimed that the NSA has been directly monitoring the servers of major computing and technology companies such as Apple, Facebook, Google, and Microsoft.

Since that tech-world bombshell, many of these companies, including Apple, have denied working with the NSA in any capacity other than that required by court order. Specifically, an Apple representative told the Washington Post that the company does "not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order." Other companies have issued similar statements.

These same companies have attempted to further assuage user fears by revealing exactly what cooperation has occurred, but they've reportedly been hamstrung by "gag orders" preventing them from revealing such details due to national-security concerns.

Last week, Google requested from the Justice Department permission to publish aggregate information about national-security requests. Facebook and Microsoft have made similar requests, and it appears the U.S. government--under increasing pressure to provide some transparency about its data-monitoring programs--has conceded.

In an open letter, titled Apple's Commitment to Customer Privacy and posted to the company's website, Apple reiterates that it was unaware of the PRISM program before the press asked about it on June 6, 2013. The letter also repeats, verbatim, the company's earlier statement about government access and court orders. However, Apple also provides some hard data about the number of information requests it has received.

As part of the summary data the government has apparently authorized companies to release, Apple says that from December 1, 2012 to May 31, 2013, the company received from U.S. law enforcement organizations between 4,000 and 5,000 requests for customer data. Those requests specified between 9,000 and 10,000 accounts or devices, and the requests "came from federal, state and local authorities and included both criminal investigations and national security matters."

Apple further says that among those requests, the most common came "from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer's disease, or hoping to prevent a suicide." The statement claims that when receiving such requests, Apple provides only the narrowest possible amount of information, and only if appropriate. The statement notes that Apple sometimes refuses to fulfill inconsistent or inaccurate requests.

Apple also outlines the kinds of data it does not provide to government agencies. FaceTime and iMessage messages, which are encrypted, cannot be provided to government agencies because Apple chooses not to retain that data. Location information, Maps searches, and Siri requests are never retained in personally identifiable form.

Apple concludes the letter by promising to "continue to work hard to strike the right balance between fulfilling our legal responsibilities and protecting our customers' privacy as they expect and deserve."

The statement closely echoes a recent press release from Facebook outlining that company's policies for providing customer information to government agencies, as well as providing aggregate numbers for information requests it has received.


Stories by Dan Frakes
