If you think clearing your web browsing history on your iPhone or Mac is going to make your online habits permanently disappear, you'd be wrong. Very wrong.
According to the CEO of Russian hacking tool creator Elcomsoft, Apple is storing Safari histories in the iCloud going back more than a year, possibly much longer, even where the user has asked for them to be wiped from memory.
Elcomsoft chief Vladimir Katalov told the iPhone maker kept a separate iCloud record, titled "tombstone," in which deleted web visits were stored, ostensibly for syncing across devices. Katalov told me he came across the issue "by accident" when he was looking through the Safari history on his own iPhone. When he took Elcomsoft's Phone Breaker software to extract data from the linked iCloud account, he found "deleted" records going back a year. (Apple calls them "cleared" in Safari, not "deleted"). "We have found that they stay in the cloud, probably forever," Katalov claimed.
Your reporter tried clearing his Safari (version 10.0.2 on Mac OS X) history and then ran the Phone Breaker tool on his iCloud account. It returned nearly 7,000 "deleted" records going back to 27 November 2015. They were accompanied by a visit count as well as the date and time the history item was deleted. There were also Google searches, the full terms of which were visible in the Elcomsoft control panel. Fresh Safari activity that I hadn't cleared was given the status "actual."
The expert, who asked to remain anonymous, found the Elcomsoft Phone Breaker tool recovered 125,203 browsing history records going back to the same 2015 date, even though the Safari cache had been cleared. The expert also found Notes they'd supposedly deleted, but the Notes went back only a short period, less than 30 days, indicating Apple was purging them regularly.
It's unclear just how or why Apple is storing cleared browsing history for such a long period. It would appear to be a design issue rather than anything suspicious, and is likely to do with the syncing mechanism between iOS, Mac OS X and Apple servers. Consumer cloud services like iCloud, by their nature, require records of delete requests to remain accessible for stretches of time, as users may have devices turned off that need to come alive again before they can sync and remove the browsing history. The fact that Apple didn't hide the deleted records indicates it wasn't a purposeful data retention effort, but an oversight, according to the forensics expert. Effective encryption and a different design would help hide the information from both Apple and probing tools like Elcomsoft's Phone Breaker, the source added.
Jay Stanley, senior policy analyst at the American Civil Liberties Union (ACLU), said companies had to be very careful to follow best practice and delete users' data when requested. "Overall, assuming this was a mistake, it's a reminder that storing and retention of data is the default as a technical matter," Stanley said.
"Browsing history is a very sensitive set of data. It reveals people’s interests, concerns, worries and in many cases their every fleeting thought, as well as health information, information on their sexuality. "It's vital that people are able to trust that they can be in control of that kind of information. It's one reason we advise using search tools that don’t store your history."
There's no evidence law enforcement has been able to access such data, if the feds even knew they could get it in the first place. And remote attacks by criminals would be difficult: Phone Breaker requires the hacker to have access to a target's iCloud login credentials or an authentication token stored on the victim's device. Katalov's disclosure, ironically, will also lead to the imminent redundancy of the very Phone Breaker feature that came from his discovery, which went live only this morning.
Not that he appears that bothered. "Money is not the main thing we work for," said Katalov, in our email correspondence. "But we are still going good. There are enough features in our products that are quite useful for many customers, from consumers to law enforcement, that do not rely on vulnerabilities. And finally, quite a lot of research is in progress - we will always find something new."
Elcomsoft is best known not for aiding any law enforcement activity, but for a salacious episode in the history of Apple hacks: reports alleged it was used by snoops who stole celebrities' nude pictures stored in the iCloud. The so-called "Fappening" attacks saw images belonging to the likes of Jennifer Lawrence and Kate Upton leaked online, and the perpetrators sentenced to prison.
Apple in patch mode... and an easy fix
Apple declined to comment on Elcomsoft's findings. But a source with knowledge of the matter told me Apple has updated iOS and Safari to make it harder. Starting with Safari 9.1 and iOS 9.3, when users delete browsing history, the URLs are turned into hashes -- that's when plaintext is represented by a collection of digits and letters after being put through an algorithm. That goes some way to stopping any potential snoops looking at the data, though it hasn't prevented Elcomsoft's tool from grabbing the information from the latest versions of Safari.
Expect Apple to continue plugging holes that Elcomsoft finds, though, as it has done with other recent public disclosures by Katalov. In cases such as this, the user won't need to do a thing, as the fixes will be done on Apple's servers. Nevertheless, as the Cupertino giant recommends, using the most recent software versions will keep customers' safer from privacy invasions.
In the meantime, it's possible to turn Safari syncing off to avoid the problem altogether. Apple has a good guide about how to turn iCloud features on and off here. Shortly after publication, FORBES was contacted by Katalov and another source, who claimed that their old records were disappearing. It appears, they said, that Apple is purging. There was no update from Apple, however.