Skip to content
Naked Security Naked Security

Apple iMessage’s end-to-end encryption stymies US data request

Apple recently told a US court that it couldn't turn over to law enforcement messages that were sent between iPhones via Apple's iMessage system, which uses end-to-end encryption. And the crypto-wars rage on.

iMessage encryptionThe law enforcement community has been warning technology companies that encryption in their products could let criminals and terrorists off the hook, with little evidence to support that claim.

It turns out those warnings – from top law enforcers like FBI Director James Comey and former US Attorney General Eric Holder, and some elected officials in the US and UK – have some merit.

As the New York Times reported this week, Apple recently told a US court that it couldn’t comply with a wiretap order to turn over messages sent via Apple’s iMessage system, because they were encrypted.

This wasn’t the first case where government requests for messages sent by suspects in a criminal investigation have been denied due to encryption, the Times reports, citing several current and former law enforcement officials.

Some senior FBI and Department of Justice officials wanted to take Apple to court to force it to comply, according to the Times, but that plan was dropped – perhaps because Apple couldn’t decrypt the messages even if it wanted to.

The iMessage platform uses end-to-end encryption – so called because the messages are encrypted on the sender’s device and are only decrypted when they reach the intended recipient.

Texts and photos sent via iMessage (and videos sent via FaceTime) aren’t decrypted in transit, and can’t be accessed at either end without the user’s passcode.

As Apple says, not even Apple can decrypt the messages:

Apple has no way to decrypt iMessage and FaceTime data when it's in transit between devices. So unlike other companies' messaging services, Apple doesn't scan your communications, and we wouldn't be able to comply with a wiretap order even if we wanted to.

However, according to the Times, Apple did partly comply with the recent US court order and turned over some messages that were backed up to iCloud and stored (unencrypted) on Apple’s servers.

Without the encryption key, or a user’s passcode, law enforcement can’t read encrypted messages – nor is it realistic to break the encryption or brute force passcodes.

This has left agencies like the FBI and NSA in a bind, and they have been pressing companies including Apple and Google to provide law enforcement with backdoor access.

In the UK, Prime Minister David Cameron has proposed banning encrypted messaging apps like iMessage and WhatsApp.

That hasn’t entered the conversation in the US, but the Obama administration has been seeking a technical solution such as a shared master encryption key that would give law enforcement “front door” access to encrypted data.

So far, the technology companies aren’t playing along.

Since the bombshell revelations of NSA spying by leaker Edward Snowden, US companies have taken great pains to prove to consumers that they support strong privacy protections.

Apple CEO Tim Cook, in a letter to consumers upon the release of iOS 8 (which includes encryption by default), pledged that the company has never worked with any government agency to create a backdoor.

Cook’s letter also included the pledge that Apple never allows access to its servers – and “never will” – but that promise appears to have been broken if the Times report about Apple turning over messages stored in iCloud is accurate.

Nonetheless, Apple’s refusal to provide an encryption backdoor to the government has been hailed by pro-privacy group the Electronic Frontier Foundation.

Even US government officials have said that shared encryption keys probably wouldn’t work without introducing vulnerabilities that could be exploited by criminals or other nation states.

Last week, Terrell McSweeny, one of four appointed commissioners at the US Federal Trade Commission, wrote a column for the Huffington Post urging consumers and technology companies to use end-to-end encryption.

At this point, the pro-encryption forces seem to be winning the “crypto wars” – a policy dispute which goes back to the 1990s, when the US government required a weaker form of encryption (“export grade“) for products sold overseas.

It doesn’t look like this war will be ending any time soon.

Image of iPhone chat messages courtesy of


if the NSA can access your data, anyone can. This is the problem.


Also, if there’s a “shared master encryption key” that the gov’t (or anyone else, for that matter) has access to, then it’s only a matter of time before it leaks out and/or is abused.

At that point, the encryption protocol (no matter how strong it would otherwise be) becomes about as useful as taping a sign to your front door that says “Lock is broken, please do not enter without permission.”


Agreed. If it isn’t end-to-end encryption without any backdoor, it’s not encryption at all.

Wasn’t aware that iMessage doesn’t encrypt media files.


What’s to stop the same people from using any other form of encrypted media? even traditional snail mail with obfuscated text. The NSA/FBI/etc. are playing a losing game. Anyone with true motive will ALWAYS be able to bypass them. Regardless of the case, I bet if it’s a serious enough threat it can be stopped elsewhere. I mean, hasn’t that how it’s always been done? Isn’t that what they’re paid for?


I disagree that Apple broke its promise if it furnished iCloud data in response to a lawful court order. I don’t consider that providing access to a server; to me, providing access to a server is allowing someone else to log in at will or allowing them to monitor private network traffic. The initial Snowden reports made many people think NSA had their own general login accounts on Google’s and other servers – that is completely different than furnishing duplicates of specific data for a specific customer in response to a specific court order.



you misunderstood. they gave data, but its encrypted. NSA has it but can’t read it. I’m perfectly comfortable with this.


It says right in the article that iCloud data is not encrypted. To maintain privacy, users have to not put anything on the cloud.


If it helps foil terrorists and child molesters, let the security agencies do their job. They are not interested in who cheats on his wife!


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!