Apple's iMessage had a few security holes in March and April that potentially leaked photos and contacts, respectively. Though quickly patched, they are a reminder that the company faces a never-ending arms race to shore up its security to keep malicious hackers and government agencies out. But that doesn't mean Apple will always be able to keep user data private. A report from The Intercept states that iMessage conversation metadata gets logged on Apple's servers, which the company could be compelled to turn over to law enforcement by court order. While the content of those messages remains encrypted and out of the police's hands, these records list time, date, frequency of contact and limited location information.
When an iOS user types in a phone number to begin a text conversation, their device pings servers to determine whether the new contact uses iMessage. If not, texts are sent over SMS and appear in green bubbles, while Apple's proprietary data messages appear in blue ones. Allegedly, Apple logs all of these unseen network requests.
Those logs also include time and date stamps along with the user's IP address, identifying the user's location to some degree, according to The Intercept. Like the phone logs of yore, investigators could legally request these records and Apple would be obliged to comply. While the company insisted in 2013 that iMessage was end-to-end encrypted, securing user messages even if law enforcement got access, Apple said nothing about metadata.
Apple confirmed to The Intercept that it does comply with subpoenas and other legal requests for these exact logs, but maintained that message content is still kept private. The company's commitment to user security isn't really undermined by these revelations — phone companies have been giving this information to law enforcement for decades — but it does illustrate what Apple can and cannot protect. While the company resisted FBI requests for backdoor iPhone access earlier this year and then introduced a wholly redesigned file system with a built-in unified encryption method on every device, it can't keep authorities from knowing when and where you text people.