Questions? Feedback? powered by Olark live chat software

iPhone thief's identity revealed by Apple GDPR tool

Might Apple know who stole your iPhone? Apple's Data and privacy tool revealed the identity of my iPhone's thief, even without it being locked to iCloud.

Theft of iPhones dropped significantly five years ago after the introduction of Apple's iCloud-based Activation Lock. This mechanism allows users to remotely track or disable Apple equipment, so long as they have configured their iPhones, iPads or Macs with their Apple ID. Nearly a billion users have signed up for an iCloud account since the service's launch, and for practical purposes, it means many phones are protected in this way.

However, not every user protects their iPhone with an Apple ID, and in some cases thieves are able to partially disable the Activation Lock on stolen equipment. iPhones still get stolen though, not least as some buyers are as unaware as the thieves are.

Back in 2016, I had the misfortune of having an iPhone 6s stolen. The theft was reported to the City of London Police, and they took the device's serial number and details from our device registry. I was in the process of switching between iPhones at the time, and the thief was lucky enough to steal the phone when it didn't have Activation Lock enabled.

As one might expect, being able to find that someone has stolen a device doesn't necessarily help, and the risk of such likely makes it a thief's first priority to get rid of the stolen goods as soon as possible. Once we'd filed the police report and spoken with the officer, I didn't expect to hear anything about the phone again.

Can you catch a thief with GDPR?

At Reincubate we're focused on helping people access their data on iOS and in the iCloud, so Apple's response to the European GDPR legislation has been of great interest to us. We've been analysing how they respond to information requests on either side of the law's introduction.

Apple have built on their already-stellar privacy tools with the introduction of a new Data and Privacy site. This allows Apple customers to request a copy of their personal data, as held by Apple, and within a few days to receive a simple export of it. As American journalist Jefferson Graham found, Apple stores relatively little data on its customers and users, and that's a good thing.

It's easy for regular users to make a similar request. Once the information is ready, Apple sends a notification email, advising users they can return to the Data and Privacy site to access their data. The site then shows what is available:

Apple's Data and Privacy site showing some of what's available
Apple's Data and Privacy site showing some of what's available

User data can then be downloaded in a series of zip files, which expand into collections of CSV files:

What's in your AppleCare data?
What's in your AppleCare data?

Digging into our data has been interesting, and the AppleCare data has been particularly curious. Looking at the export of my AppleCare repair history, I was able to see my stolen phone was brought into Apple for repair... a full year after it was stolen! And guess what: included in that data are also the contact details of whoever took the device in for repair.

The Data and Privacy site reveals Apple has details on the holder of the stolen device
The Data and Privacy site reveals Apple has details on the holder of the stolen device

How did this come about? It's pretty simple: just like everyone else, people with stolen iPhones occasionally break them. And with the money saved from stealing or buying a stolen phone, they've all the more money to spend on iPhone repairs at an Apple Store.

The device wasn't associated with my iCloud account, but my details were still on file with Apple as the device's purchaser. It'd be pretty risky for the person holding the device to provide their details to Apple for the repair, but they need some way for Apple to contact them. Bingo: Apple stores my details for their repair record, but overwritten with a few of theirs, including their email address.

All of a sudden, what was an unrecoverable stolen device is now potentially recoverable with a few police follow-ups and information requests. Thanks Apple! 🚨

How can I see this data for myself?

You can make a request through Apple's Data and Privacy site. It is all self-explanatory, and you'll need to use your Apple ID to do so. Data typically takes a few days to arrive.

Users outside of the EU may find the data tool isn't available to them yet, although Apple to plan to roll it out worldwide in due course.

Those users should make a request using the privacy contact form and select "Privacy Issues". Explain that you're requesting a copy of your personal data and submit the form. Within a few days, you'll receive an email from Apple beginning as follows, and requesting some identifying information:

Thank you for contacting Apple's privacy team.

At Apple, we take the privacy and security of your personal information very seriously. We design our products and services with this in mind.

We can arrange for a report of your account details as controlled by Apple. Please note that if the country of your Apple account is in the European Union, or is Iceland, Liechtenstein, Norway or Switzerland and you would like access to your data, please visit directly privacy.apple.com and do not provide the information below.

Respond to that email, and they'll send you your data.

How to secure your iPhone and protect yourself

Apple's security record with the iPhone is unparalleled, and they provide excellent tools to help users protect themselves. As the FT quoted one security firm CEO as saying:

Ten years of iPhone and no major malware? That’s unheard of.

Apple provide guidance on how to activate their Find My iPhone and Activation Lock services, and we strongly recommend users do this.

Whilst we're on the subject, we also strongly recommend enabling Apple's two-factor authentication for their Apple ID. This simple change dramatically increases the security one has over their iPhone and iCloud data. You can read more on how to do this here.

You might find the following resources helpful:

Submit a comment

Aidan Fitzpatrick

by Aidan Fitzpatrick

© 2008 - 2018 Reincubate Ltd. Registered in England and Wales #5189175, VAT GB151788978. Built with ❤️ in London.

Reincubate is a registered trademark. All rights reserved. Terms & conditions. Privacy Policy. It's your data, not ours. We recommend 2FA.