Are Apple iMessages and Facetime Chats Really Secure From Government Spying?

An iPhone

Photo by Sean Gallup/Getty Images

Can you thwart government spying by using Apple chat services iMessage and Facetime? Apple has suggested that might be the case—but it’s worth remaining skeptical about the company’s claims.

In the past fortnight, leaked documents have shed light on secret National Security Agency surveillance programs involving the collection of phone records and eavesdropping on Internet communications. Apple was one of several major companies linked to an Internet spying system called PRISM, which is reportedly used by the NSA as a sort of portal through which it obtains emails, photos, videos, chats, and other data under the Foreign Intelligence Surveillance Act.

But now Apple has launched a privacy offensive, affirming that is committed to protecting users’ data and denying that it provided the government with any “direct access” to sift through private information stored on its servers. Of particular note, the company said in a statement Monday that its chat services iMessage and FaceTime “are protected by end-to-end encryption so no one but the sender and receiver can see or read them,” adding that “Apple cannot decrypt that data.” This implies that communications sent over these services cannot be snooped on by the government, but the reality is a little more complex and unclear.

Earlier this year, the DEA put out an internal memo claiming it was struggling to monitor iMessages because of the encryption. But the agency appeared to be having the problem because it was attempting to obtain the iMessages directly from the network provider—like Verizon Wireless—in the same way that it would obtain text messages. Carriers cannot intercept iMessages because they’re encrypted and routed over Apple servers—and the same thing applies to Facetime.

However, if the government were to go directly to Apple, it may be possible to pressure the company, in secret, to make services like iMessage and Facetime wiretap compliant. Indeed, that appears to be exactly what happened with Skype, which claimed to be encrypted peer-to-peer, yet at the same time apparently provided the NSA with access to communications.

The question, then, is whether Apple has done the same thing: Can it circumvent the encryption to facilitate surveillance when presented with a court order or search warrant? Security experts have previously said that they believe Apple has access to “master keys” that can be used to decrypt and access data stored using its iCloud service, which raises the possibility that this is also feasible for its other services. I contacted Apple and asked the company to confirm whether it had any way of accessing keys for communications sent using iMessage or Facetime, but it had not responded at the time of publication. I’ll update this post if and when I receive any answer.

Either way, communicating using iMessage or Facetime is probably moderately more secure than sending a normal text message or making a call on a cellphone or landline. But it is still a gamble and requires having a level of blind faith in Apple’s “cannot decrypt” claim, which it is not possible to independently verify. Unfortunately, the existence of secret surveillance programs that can use gag orders to force companies into silent compliance means it is unwise to make decisions on the basis of trust alone. If you are a journalist or an activist with a serious need for secure communications—or just a average citizen concerned about arbitrary invasions of privacy—it is always best to opt for open-source, peer-reviewed encryption tools. There are plenty options available, if you have the time and patience to learn how to use them.