Two-and-a-half years ago, I concluded a post with this bluster:
“Listen, Amazon, Apple, Microsoft and all the other companies collecting vast volumes of our data through intelligent agents, apps and social networking sites, you must afford us a ready means to see and repatriate our data. It’s not enough to let us grab snatches via an unwieldy item-by-item interface. We have legal duties to meet, and if you wish to be partners in our digital lives, you must afford us reasonable means by which we can comply with the law when we anticipate litigation or respond to discovery. You owe us that. Alexa, are you listening?”
Amazon hasn’t listened; but, Apple lately gave users the ability to download our data. Credit for this awakening goes to the European Union’s Global Data Protection Regulation (GDPR) that went into effect on May 25.
Data takeout capabilities are essential to protecting civil liberties and meeting legal duties. Google’s given users a simple, effective means to repatriate data (including Gmail and calendar data) for five years, although search histories have only been supplied for two. Twitter’s supported robust data takeout for five years; and eight years ago, Facebook became the first big social media site to offer its users the ability to download contributed content.
Apple is late to the party but it didn’t come empty-handed. The Apple takeout is extensive and can be huge. My download comprised 63GB in 26 compressed Zip archive files. It took Apple five days to assemble the data and make it available for download; then, I had to download each file, one-by-one. There’s no way to download them all, leaving the distinct impression that Apple doesn’t want takeout to be too easy. In fairness, had I opted to have Apple deliver my data in 25GB chunks (the largest chunk option) instead of the 5GB file limit I specified, it would have been easier.
In my case, almost all the volume were photos replicated in iCloud. Notably absent was my messaging, which Apple can’t archive and thus can only be obtained from the iPhone or a backup of same (see my post Mobile to the Mainstream).
Apple states that the following information may be downloaded:
- Your Apple ID account details and sign-in records.
- Data that you store with iCloud such as contacts, calendars, notes, bookmarks, reminders, email, photos, videos, and document.
- App usage information, as it relates to use of iCloud, Apple Music, Game Center and other services.
- A record of the items you have purchased or downloaded from the App Store, iTunes Store, and Apple Books, as well as your browsing history in those stores.
- Records of your Apple retail store and support transactions.
- Records of marketing communications, preferences, and other activity.
Perusing my downloaded data, much jumps out as potentially relevant for purposes of preservation and search. Depending upon a user’s settings, the downloaded collection of photos will be more complete than the photo collection on the phone. The download includes deleted photos and all photos downloaded were the full-sized image, where the phone may optimize storage by retaining only thumbnail-sized images. The photos in the download contained all of the EXIF geolocation data present in the source.
The evidentiary value of calendars, contacts and documents seems clear, and I found a call history log buried in a folder called “Apple features using iCloud” inside a Zip file innocuously named “Other data.” From the standpoint of locating sources of discoverable information, the Device Information file holds a list of the user’s Apple devices. The download is also rich with information that would assist a forensic investigation, in particular the iCloud Usage Data Set serves as a veritable map of a user’s travel between cities.
Apple sets an example for e-discovery by supplying content in its original native formats or in near-native standard formats like .csv, .json, .vcf and .eml that, while easy to read, preserve the functional, delimited character of the data. No .TIFF files, thank heavens!
So, we have one more Cloud source of discoverable data where there’s little burden and no specialized software or technical prowess to preserve it (a few clicks, authentication and a free download). Still, custodians need our guidance as to when to act, what to select for preservation and how to preserve it against alteration or corruption. The archive download link Apple supplies is only active for two weeks; obviating preservation in place. Moreover, cloud companies take up to a week to compile these archives, and the download of big files takes time. If the data’s needed for early case assessment or to respond to outstanding discovery, initiating the request and following up on its collection needs to be high on the discovery to-do list.