Businesses like Apple that view data stored on customer devices should be explicit about their reasons for access

Out-Law News | 29 Jul 2014 | 4:18 pm | 2 min. read

Businesses like Apple should be explicit about the reasons why they access data stored on customer devices and should not simply rely on general permissions that do not specify the purposes for which the data accessed are used, an expert has said.

Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said the disclosure of additional purposes for data accessed from a customer device is normally necessary to ensure that data protection laws are complied with.

Earlier this week Apple admitted that its staff can access information stored on 'unlocked' devices. It did so after a researcher, Jonathan Zdziarski, revealed he had been able to simulate the processes Apple staff can use to retrieve personal data stored on his own iPhone, including photos, text messages, notes, address book contacts and geolocation data.

In response to the research, and according to a copy of its statement posted on Twitter by Financial Times journalist Tim Bradshaw, Apple said: "We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues."

"A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent. As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services," it said.

In a blog post, Zdziarski accused Apple of "being completely misleading" by claiming its ability to access users' devices "is only for copying diagnostic data".

"If, by diagnostic data, you mean the user’s complete photo album, their SMS, notes, address book, geolocation data, screenshots of the last thing they were looking at, and a ton of other personal data – then sure… but this data is far too personal in nature to ever be needed for diagnostics," Zdziarski said. "In fact, diagnostics is almost the complete opposite of this kind of data. You will find some diagnostics data in the mix somewhere, but this service goes way beyond the data Apple has a need or a right to look through. And once again, the user is never prompted to give their permission to dump all of this data, or notified in any way on-screen."

"These services dish out data (and bypass backup encryption) regardless of whether or not 'Send Diagnostic Data to Apple' is turned on or off, and whether or not the device is managed by an enterprise policy of any kind. So if these services were intended for such purposes, you’d think they’d only work if the device was managed/supervised or if the user had enabled diagnostic mode. Unfortunately this isn’t the case and there is no way to disable these mechanisms. As a result, every single device has these features enabled and there’s no way to turn them off, nor are users prompted for consent to send this kind of personal data off the device," he said in an earlier blog post.

Scanlon said that data protection authorities have been clear with organisations about their obligations of transparency with consumers in relation to personal data processing activities they carry out.

"Regulators at both EU level and within the UK have stressed the importance of 'purpose limitation' in terms of using personal data," Scanlon said. "If a business acquires data for one purpose it cannot simply assume that its employees can use that data for any other purpose. The focus, at least according to the ICO in its guidance on big data yesterday, should be on identifying 'incompatible purposes'."

"If a business intends to use data for a purpose that is incompatible with the one for which it was acquired, it would need to determine whether it has a legal ground for using the data for that secondary purpose. Incompatible in this context would mean that the person whose data is processed wouldn’t in all likelihood contemplate the secondary use in question," he said.