Two-and-a-half years ago, I concluded a post with this bluster:
“Listen, Amazon, Apple, Microsoft and all the other companies collecting vast volumes of our data through intelligent agents, apps and social networking sites, you must afford us a ready means to see and repatriate our data. It’s not enough to let us grab snatches via an unwieldy item-by-item interface. We have legal duties to meet, and if you wish to be partners in our digital lives, you must afford us reasonable means by which we can comply with the law when we anticipate litigation or respond to discovery. You owe us that. Alexa, are you listening?”
Amazon hasn’t listened; but, Apple lately gave users the ability to download our data. Credit for this awakening goes to the European Union’s Global Data Protection Regulation (GDPR) that went into effect on May 25.
Data takeout capabilities are essential to protecting civil liberties and meeting legal duties. Google’s given users a simple, effective means to repatriate data (including Gmail and calendar data) for five years, although search histories have only been supplied for two. Twitter’s supported robust data takeout for five years; and eight years ago, Facebook became the first big social media site to offer its users the ability to download contributed content.
Apple is late to the party but it didn’t come empty-handed. The Apple takeout is extensive and can be huge. My download comprised 63GB in 26 compressed Zip archive files. It took Apple five days to assemble the data and make it available for download; then, I had to download each file, one-by-one. There’s no way to download them all, leaving the distinct impression that Apple doesn’t want takeout to be too easy. In fairness, had I opted to have Apple deliver my data in 25GB chunks (the largest chunk option) instead of the 5GB file limit I specified, it would have been easier.
In my case, almost all the volume was photos replicated in iCloud. Notably absent was my messaging, which Apple can’t archive and thus can only be obtained from the iPhone or a backup of same (see my post Mobile to the Mainstream).
Apple states that the following information may be downloaded:
- Your Apple ID account details and sign-in records.
- Data that you store with iCloud such as contacts, calendars, notes, bookmarks, reminders, email, photos, videos, and documents.
- App usage information, as it relates to use of iCloud, Apple Music, Game Center and other services.
- A record of the items you have purchased or downloaded from the App Store, iTunes Store, and Apple Books, as well as your browsing history in those stores.
- Records of your Apple retail store and support transactions.
- Records of marketing communications, preferences, and other activity.
E-Discovery Impressions
Perusing my downloaded data, much jumps out as potentially relevant for purposes of preservation and search. Depending upon a user’s settings, the downloaded collection of photos will be more complete than the photo collection on the phone. The download includes deleted photos and all photos downloaded were the full-sized image, where the phone may optimize storage by retaining only thumbnail-sized images. The photos in the download contained all of the EXIF geolocation data present in the source.
The evidentiary value of calendars, contacts and documents seems clear, and I found a call history log buried in a folder called “Apple features using iCloud” inside a Zip file innocuously named “Other data.” From the standpoint of locating sources of discoverable information, the Device Information file holds a list of the user’s Apple devices. The download is also rich with information that would assist a forensic investigation; in particular, the iCloud Usage Data Set serves as a veritable map of a user’s travel between cities.
Apple sets an example for e-discovery by supplying content in its original native formats or in near-native standard formats like .csv, .json, .vcf and .eml that, while easy to read, preserve the functional, delimited character of the data. No .TIFF files, thank heavens!
So, we have one more Cloud source of discoverable data where there’s little burden and no specialized software or technical prowess needed to preserve it (a few clicks, authentication and a free download). Still, custodians need our guidance as to when to act, what to select for preservation and how to preserve it against alteration or corruption. The archive download link Apple supplies is only active for two weeks, obviating preservation in place. Moreover, cloud companies take up to a week to compile these archives, and the download of big files takes time. If the data’s needed for early case assessment or to respond to outstanding discovery, initiating the request and following up on its collection needs to be high on the discovery to-do list.
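One way to preserve the downloaded archives against alteration or corruption is to record a hash manifest as soon as the download finishes and re-check it later. The sketch below is an added example, not part of the original post; the folder layout and the sample file names are assumptions, and the sample archives are constructed.

```python
import hashlib, tempfile, zipfile
from collections import Counter
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-gigabyte archives need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(folder):
    """Hash each downloaded archive and inventory its members without extracting."""
    manifest = []
    for archive in sorted(Path(folder).glob("*.zip")):
        entry = {"archive": archive.name, "bytes": archive.stat().st_size,
                 "sha256": sha256_file(archive)}
        try:
            with zipfile.ZipFile(archive) as zf:
                entry["first_bad_member"] = zf.testzip()  # None when every CRC checks out
                names = [i.filename for i in zf.infolist() if not i.is_dir()]
            # Count native formats (.csv, .json, .vcf, .eml, ...) per archive
            entry["formats"] = dict(Counter(Path(n).suffix.lower() or "(none)" for n in names))
        except zipfile.BadZipFile:
            entry["error"] = "unreadable Zip, possibly a truncated download"
        manifest.append(entry)
    return manifest

def changed_since(folder, manifest):
    """Return archives that are missing or whose hash no longer matches the manifest."""
    changed = []
    for entry in manifest:
        path = Path(folder) / entry["archive"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            changed.append(entry["archive"])
    return changed

def make_sample(folder):
    """Constructed stand-in for a takeout download: one good archive, one truncated."""
    with zipfile.ZipFile(Path(folder) / "sample-part1.zip", "w") as zf:
        zf.writestr("Contacts/jane.vcf", "BEGIN:VCARD\nEND:VCARD\n")
        zf.writestr("Calls/history.csv", "date,number\n")
    (Path(folder) / "sample-part2.zip").write_bytes(b"PK\x03\x04 cut short")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for row in build_manifest(tmp):
            print(row)
```

Store the manifest apart from the archives (and keep the archives on read-only media) so that a later `changed_since` run is checking against a record the custodian could not have modified along with the data.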
Jeff Kerr said:
Craig, this is great news, and thanks for sharing. Apple data will help to resolve disputed factual issues in many kinds of cases. And you’ve shown that cost is not an issue — so there goes that argument!
craigball said:
Since when has an argument lacking merit prevented a lawyer paid by the hour from making it?
Jeff Kerr said:
Since never. Even when responding to a request for data should be the most straightforward thing in the world, some silly argument inevitably gets made.
Matthew said:
Excellent work. It’s quite interesting that there are these other avenues to explore that could be outside of corporate control, but could contain vital data. I guess MDM (Mobile Device Management) systems would have a potential to shut down this avenue, however it’s interesting as it’s another potential backup like via iTunes, but potentially broader in scope – that is if the client has happened to pay for iCloud storage if they have exceeded the 5GB(?) free cap.
craigball said:
I don’t see MDM having much impact here, leastwise not if photos, call logs and geolocation are potentially relevant.
Some of the information stored isn’t subject to the free 5GB cap.