Your Phone Sends All Your Call Records To Apple When iCloud Is Turned On

Image courtesy of William Hook

You’ve got a computer in your pocket that works as a camera, a video recorder, an internet connection, a game console, and everything else. And odds are good there’s some data on there that you want backed up safely, and that you use a cloud storage service to do just that. But your smartphone is, indeed, a phone — and your good old-fashioned calling records may be going places and getting stored in ways you do not intend.

The Intercept reports today that a digital security firm has discovered that Apple devices automatically send call history data — phone metadata — to Apple’s servers when iCloud is enabled.

Phone metadata is basically everything you think of as “phone records” from watching detective procedurals on TV. It’s a record of what numbers you called (or that called you), when, from where (for mobile phones), and for how long. Mostly, in recent years, it’s been heard in the context of maybe-legal, maybe-not, wide-scale federal data dragnets and AT&T’s data sales to law enforcement agencies.

It’s not just traditional voice calling data at stake here either, the security firm adds. Apple’s also collecting call data on audio and video calls made through FaceTime, going back to March 2015. The firm also reports that iOS 10 added the ability for Apple to log incoming missed calls made through Skype, WhatsApp, Viber, and other apps that use the Apple CallKit backend.

There are privacy laws in place regulating when your phone company can use, share, or allow access to that data. But those apply to your wireless carrier, which is the one you would expect to have and retain that information — not Apple, the device-maker.

“Well, of course iCloud syncs data,” you may be thinking. “That’s what it’s for!”

And yes, that is the point. But this particular data is not something Apple discloses it’s collecting, and it’s not part of the stated purpose of how iCloud is supposed to work. The data isn’t being stored securely for you; it’s being sent to them.

In all the product descriptions for iCloud, nowhere does Apple mention your voice calling history among the data it can back up — even while particularly stressing privacy and security.

Under the header “Privacy and security,” Apple writes:

Apple takes data security and the privacy of your personal information very seriously, and iCloud features are designed with your privacy in mind. All your iCloud content — like photos, documents, and contacts — is encrypted when sent over the Internet and, in most cases, when stored on our servers. If we use third-party vendors to store your information, we encrypt it and never give them the keys. And security enhancements like two-factor authentication help to ensure that the important information in your account can only be accessed by you, and only with your devices.

And the full list of features Apple mentions on the site includes backup for “important stuff like photos and videos”; Notes; iTunes and Apple Music; Mail, Calendar, Contacts, and Reminders; Safari browser history and passwords; Safari password keychain; and Find my [Device]. Nowhere is “call history data” mentioned.

The security firm that did the research says that Apple retains all the call data in your iCloud account for up to four months, meaning it’s there for anyone else to demand to see.

“Absolutely this is an advantage [for law enforcement],” a former FBI agent told The Intercept. “Four months is a long time [to retain call logs]. It’s generally 30 or 60 days for telecom providers, because they don’t want to keep more [records] than they absolutely have to. So if Apple is holding data for four months, that could be a very interesting data repository and they may have data that the telecom provider might not.”

As The Intercept also notes, any data that is collected isn’t just available through legal channels, but through illegal ones as well. iCloud accounts have been hacked in the past, and may well be again in the future.

That last big hack took place in 2014, before call data was part of the iCloud log. The next time someone worms their way in, they’ll be able to get that much more sensitive information along with all the photos and videos that made a big splash.

And yes, The Intercept confirmed: Apple knows they’re doing it, and it is intentional. “We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices,” a company spokesperson told The Intercept. “Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”

So what can you do?

Well, you can disable many iCloud sync features individually… but call data’s not on the list. If you’re running iCloud, then your call data is beying synced whether or not you want it to be.

That means your only option, if you don’t want Apple collecting and storing all your call data, is to disable your iCloud connection altogether.

More: How disable iCloud on your iDevice

There are basically two steps to that:

1. Backup, download, or archive anything in your iCloud that you want to keep; here are Apple’s instructions for how to retrieve and save that content.

2. Disable iCloud on every device where you’re running it. On an iPhone or iPad, just go to the settings menu and scroll down to iCloud, then go all the way to the bottom and hit “SIGN OUT.” Here are Apple’s instructions for that, too, and this is how it looks on an iPad:

ipad_icloud_2

iPhones Secretly Send Call History To Apple, Security Firm Says [The Intercept]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.