CloudDatacentreMobilitySecurityWorkspace

iCloud Retains Deleted Browsing Records, says ElcomSoft

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Follow on: Google +

Apple’s cloud service held browsing data for more than a year after users had deleted it, find researchers

Researchers confirmed that Apple has begun purging old user data from its servers, after it was revealed that the company had held users’ browsing histories on its iCloud service more than a year after the information had supposedly been deleted.

ElcomSoft, which makes forensic tools investigators can use to recover evidence from computer devices, smartphones and servers, said it had found Apple was holding browsing data on iCloud long after users had deleted it.

apple-launch-tim-cook-2

‘Deleted’ browsing records

“Apple may hide your browsing history but still keep your records in the cloud, and someone… could eventually download your browsing history,” ElcomSoft chief executive Vladimir Katalov said in an advisory. “Deleting browsing history from iCloud is nearly impossible for the user.”

Apple’s iPhone by default synchronises data such as browsing and call history, contacts and favourites between devices connected to its servers with the user’s Apple ID.

Unlike cloud backups, the synchronisation occurs in near-real time, meaning it is synced within minutes or seconds.

Moreover, sychronisation is rarely switched off, because users often aren’t aware it is occurring, and there is no clear way to disable it, ElcomSoft said.

“Moreover, disabling cloud sync would require disabling iCloud services, which has severe impact on device usability,” Katalov stated.

Year-old records

Researchers found that while deleted records disappeared from synced devices fairly quickly, they were only hidden from view on iCloud, and not deleted until much later.

Forensic tools were able to recover detailed information on deleted Safari browsing records from more than a year earlier, including indications of the date and time each site was visited and when the user had supposedly deleted it.

“While many users disable iCloud backups for privacy reasons, those same users are commonly unaware of privacy implications that arise of those cloud syncs,” ElcomSoft’s Katalov said.

The company confirmed that after the initial publication of its advisory Apple began purging older records from its servers.

For most iCloud accounts only two weeks’ worth of data is now available – but deleted records within those two weeks are still accessible using forensic tools. 

‘Lax’ deletion practices

Katalov praised Apple for the move on privacy grounds, but added, “we would like to get an explanation”.

Apple didn’t immediately respond to a request for comment.

The company’s legal process guidelines – informing investigators of the steps necessary to take if they want to access a user’s records – state that user connection logs are retained for 30 days.

The guidelines make no specific reference to records deleted by the user.

Katalov said Apple has proven “somewhat lax” in the past about deleting data from iCloud within the period stated in its policies.

In August 2016 ElcomSoft found deleted photos were being stored on iCloud much longer than the official period, a problem that has since been fixed.

In November, the company found iCloud was storing users’ call histories without informing them, an issue that has also been fixed.

What do you know about the iPad, as it turns seven? Try our quiz!