Apple GDPR Data Export

Apple GDPR Data Export

After the European Union put in march the implementation of the GDPR law, thousands of people started to exercise their data exportability rights by requesting different companies to send them an archive with all the information that they have collected from them.

The General Data Protection Regulation (GDPR) (EU) 2016679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

I’ve decided to sum myself up to the list of people requesting their data, and this time I did so with Apple. The process was painless but took quite some time and at the end, I got an archive with data that I didn’t expect them to have about me. The first step was to visit the Privacy Enquiries page and fill-in the information in the form, below is an example:

Two days later they replied asking for some information to verify my identity.

MIME-version: 1.0
To: [email protected]
Subject: Re: GDPR Data Request
Return-Path: <[email protected]>
Delivered-To: [email protected]
Date: Fri, 05 Jan 2018 16:21:42 +0000 (PDT)
X-AuditID: 11873e13-822ff70000001def-67-5afd937e6d41
From: Apple Privacy Enquiries <[email protected]>
Received: from ramsons.apple.com (ramsons.apple.com [17.171.2.65])
Received: from nwk-sonarp-lapp76.corp.apple.com ([10.152.162.78])
  by ramsons.apple.com (Oracle Communications Messaging Server 8.0.2.2.20180403
  64bit (built Apr  3 2018)) with ESMTP id <[email protected]>
  for [email protected]; Fri, 05 Jan 2018 16:21:42 +0000 (PDT)
Date-warning: Date header was inserted by ramsons.apple.com

Follow-up: 883098910

Dear Yorman,

Thank you for contacting Apple’s privacy team.

At Apple, we take the privacy and security of your personal information very seriously. We design our products and services with this in mind. We can arrange for a report of your account details as controlled by Apple. However, to ensure security of your personal information, we need to confirm your identity. Could you please send me the following information associated with the account, where available:

  • full name
  • Apple ID if known
  • email address
  • street address
  • telephone number
  • a registered product serial number
  • AppleCare support case number, or date and time of AppleCare support chat

Please do not send any sensitive information such as credit card details or passwords. If you have any questions about Apple’s Privacy policy, please visit www.apple.com/privacy

Kind regards,
Jan Deterling
Apple Privacy

Roughly 20+ days later, I received a mail with a link to download an encrypted Zip archive and a separate mail with the password. The mail says that the link can be downloaded 5 times and will automatically expire in 30 days after receiving this message.

Follow-up: 883098910

Dear Yorman,

I refer to your request for any personal data held by Apple in relation to you.

We are complying with your request in full and are not refusing access to any personal data held on a relevant filing system in relation to you. The attached password protected file provides the data to you that is not otherwise available to you in your account. We have also included a description of the fields in the document that may not otherwise be apparent. We have not included information contained within your account, if any, such as calendar contents, email contents, iTunes content etc. If you use iCloud you will note that we have extremely short retention periods for how long we store such data and we have provided all data that was available to us at the time at which we processed your request on our systems.

I would also like to highlight the attached from our recent message on Customer Privacy: “For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.”

Your reports can be downloaded from the following link as an encrypted ZIP file.

You can download them only 5 time(s).

The file(s) will be available from Jan 25, 2018 to Feb 25, 2018.

A separate email will be sent containing the password for the linked file. This is an encrypted ZIP file which may be opened on macOS, Windows and other systems. Our privacy policy sets out the categories of personal data in our control, our purposes of processing and the circumstances in which personal data may be disclosed to third parties. We are, of course, available to provide any further clarifications or answer any queries in relation to your data that you may have.

Kind regards,
Jan Deterling
Apple Privacy

The download link is constructed with the following format:

https://attache.apple.com/AttacheWeb/gdl | GDPR download server
?id=a038c269-cb5a-4e75-8257-a8aca57d2753 | Zip archive UUID
&ek=hGf7hMe486+71xUYMUdkCD==             | Hashed secret key

The password was generated using alpha-numeric characters in lowercase and uppercase combined with special characters like the arroba and percentage symbols among others. Here is an example: [email protected]%O37sZQaM

The first 5 HTTP requests returned the following headers:

HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: keep-alive
Content-Disposition: attachment; filename="Yorman.zip"
Content-Length: 595456
Content-Type: application/octet-stream; charset=UTF-8
Host: attache.apple.com
Server: Shield
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block

The 6th and subsequent HTTP requests returned the following headers:

HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html;charset=ISO-8859-1
Host: attache.apple.com
Server: Shield
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block

Without the password, it is still possible to list the content of the archive:

$ unzip -l Yorman.zip 
Archive:  Yorman.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  01-25-2018 15:13   Yorman/
     5142  01-25-2018 07:08   Yorman/97935364801_AccountDetails.xlsx
   234256  01-25-2018 07:52   Yorman/97935364801_MailLogs.xlsx
   531390  01-25-2018 07:52   Yorman/97935364801_iCloudLogs.xlsx
     1082  01-25-2018 00:23   Yorman/AOS Orders.csv
     3087  01-25-2018 00:23   Yorman/CRM AppleCare Case Header.csv
      588  01-25-2018 00:23   Yorman/CRM Installed Product.csv
      410  01-25-2018 00:23   Yorman/CRM Warranty.csv
    92974  01-25-2018 00:23   Yorman/DS Signons.csv
     4234  01-25-2018 07:52   Yorman/FaceTime.xlsx
    13027  01-25-2018 07:52   Yorman/IDS_QueryLogs.xlsx
      502  01-25-2018 00:23   Yorman/Marketing Contact.csv
    48021  01-25-2018 00:23   Yorman/MyAppleId and iForgot.csv
    14863  01-25-2018 15:12   Yorman/Yorman Data Definitions.xlsx
     7155  01-25-2018 00:23   Yorman/iTunes Downloads.csv
    96087  01-25-2018 00:23   Yorman/iTunes Updates.csv
---------                     -------
  1052818                     16 files

Note: 97935364801 represents the DS ID.

Do you have a project idea? Let's make it together!