What Is a Data Request?

A data request, in its simplest form, is a request for – and an exchange of – specific information held or managed by a body, be it a private company or a nation state.

 

What Information Requests Are Issued By the Australian Government?

As laid out in Apple’s regular half-yearly transparency report, each year numerous countries – including Australia – issue various data requests, which serve a number of purposes, including investigating fraud and sham transactions, halting accounts used for unlawful purposes, and more.

 

Data Request Categories

The following categories are included and reported on in each report:

  • Device requests
  • Financial identifier requests
  • Account requests
  • Account preservation requests
  • Account restriction/deletion requests
  • Push token requests
  • Emergency requests

 

How Can Data Requests Be Made?

All law enforcement agencies and government bodies can make requests to Apple via email provided the requests come from official email addresses – rather than a personal one, like a Gmail account. Apple also provides non-US government and law enforcement bodies with an official information request template.

All requests, with the exception of emergency requests, must comply with both the requesting nation’s laws and the United States Electronic Communications Privacy Act 1986 (ECPA).

 

Customer Alerts

Whenever a data request is made regarding an Apple customer, Apple’s stated policy is to notify the customer that a request has been issued in relation to them and their personal data. The only time Apple will not notify its customers is where it has been explicitly prohibited from doing so by a legal process, court order, “or applicable law”.

 

Emergency Requests – Exceptions Provided

As mentioned, emergency requests get treated slightly differently, and require that a government or law enforcement agency provide “satisfactory confirmation” that the emergency request they’ve issued confirms the likelihood of:

  1. Physical danger or imminent chance of death
  2. State security being endangered
  3. The security of critical infrastructure or installations being violated

 

Requests and Challenges

Apple has a legal team that reviews each request to ensure that it has a valid legal basis. If it is felt that there is no valid basis – due to the request being unclear, too broad or lacking in specificity, or inappropriate – then Apple would “object, challenge, or reject the request”.

 

Geofencing Requests

On occasion, Apple also receives requests for geofencing (data relating to latitude and longitude coordinates), and states in the Government and Private Party Requests subsection of the Apple Transparency Report that “Apple does not have any data to provide in response to geofence requests”.

 

Alternative Data Request Methods

Apple’s transparency report notes that requests can be made in a variety of formats, including “subpoenas, court orders, warrants, and other valid legal requests”.

 

Data Request Types in Australia

As stated in the Apple transparency report, the types of requests available in Australia include the following:

  1. Device Requests: device data, such as an international mobile equipment identity (IMEI) or a serial number
  2. Financial Identifier: data related to financial transactions, like the purchase of a gift card or the use of a credit card
  3. Account: account identification information, such as an email address or an Apple ID
  4. Push Token: data related to Apple’s push notification service tokens
  5. Emergency: data sought due to a real and verifiable emergency

 

Types of Data

It is worth noting that, in the context of data requests, there are two types of data that can be requested: content data and non-content data.

Content Data: includes things like photos, emails, contacts, or even personal calendars.

Non-Content Data: things like account connections, transactional information, and IP connection history.

Essentially, non-content data is information that reveals a bit about a person’s activity without disclosing any specific or visual information about them, whereas content is what Apple customers “create, communicate, and store” on or through Apple’s offered services.

 

Australia Data Statistics

Between January and December of 2023, the Australian government made 1,668 requests for data – encompassing both content and non-content data.

Of those requests:

  • 424 content requests were accepted and fulfilled
  • 317 non-content requests were supplied
  • 77 account requests were challenged in part or in full
  • 10 emergency requests were challenged and had no data provided

Interestingly, of the 351 push token requests made by governments worldwide in 2023, not a single one was made by Australia.

 

Key Takeaways

To ensure that non-content and content data are provided to law enforcement agencies and nation states for legitimate and legally-acceptable purposes, Apple forces each request to undergo the same rigorous review protocol – and will challenge or reject spurious requests. By enforcing a high legal standard, Apple ensures the rights of their customers are never unlawfully violated.

Nyman Gibson Miralis provides expert advice and representation to individuals and companies who are the subject of law enforcement and government requests for data from technology companies.

Contact us if you require assistance.