After the European Union put in march the implementation of the GDPR law, thousands of people started to exercise their data exportability rights by requesting different companies to send them an archive with all the information that they have collected from them.
The General Data Protection Regulation (GDPR) (EU) 2016⁄679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
I’ve decided to sum myself up to the list of people requesting their data, and this time I did so with Apple. The process was painless but took quite some time and at the end, I got an archive with data that I didn’t expect them to have about me. The first step was to visit the Privacy Enquiries page and fill-in the information in the form, below is an example:
Two days later they replied asking for some information to verify my identity.
MIME-version: 1.0 To: [email protected] Subject: Re: GDPR Data Request Return-Path: <[email protected]> Delivered-To: [email protected] Date: Fri, 05 Jan 2018 16:21:42 +0000 (PDT) X-AuditID: 11873e13-822ff70000001def-67-5afd937e6d41 From: Apple Privacy Enquiries <[email protected]> Received: from ramsons.apple.com (ramsons.apple.com [18.104.22.168]) Received: from nwk-sonarp-lapp76.corp.apple.com ([10.152.162.78]) by ramsons.apple.com (Oracle Communications Messaging Server 22.214.171.124.20180403 64bit (built Apr 3 2018)) with ESMTP id <[email protected]> for [email protected]; Fri, 05 Jan 2018 16:21:42 +0000 (PDT) Date-warning: Date header was inserted by ramsons.apple.com
Thank you for contacting Apple’s privacy team.
At Apple, we take the privacy and security of your personal information very seriously. We design our products and services with this in mind. We can arrange for a report of your account details as controlled by Apple. However, to ensure security of your personal information, we need to confirm your identity. Could you please send me the following information associated with the account, where available:
- full name
- Apple ID if known
- email address
- street address
- telephone number
- a registered product serial number
- AppleCare support case number, or date and time of AppleCare support chat
Roughly 20+ days later, I received a mail with a link to download an encrypted Zip archive and a separate mail with the password. The mail says that the link can be downloaded 5 times and will automatically expire in 30 days after receiving this message.
I refer to your request for any personal data held by Apple in relation to you.
We are complying with your request in full and are not refusing access to any personal data held on a relevant filing system in relation to you. The attached password protected file provides the data to you that is not otherwise available to you in your account. We have also included a description of the fields in the document that may not otherwise be apparent. We have not included information contained within your account, if any, such as calendar contents, email contents, iTunes content etc. If you use iCloud you will note that we have extremely short retention periods for how long we store such data and we have provided all data that was available to us at the time at which we processed your request on our systems.
I would also like to highlight the attached from our recent message on Customer Privacy: “For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.”
Your reports can be downloaded from the following link as an encrypted ZIP file.
You can download them only 5 time(s).
The file(s) will be available from Jan 25, 2018 to Feb 25, 2018.
The download link is constructed with the following format:
https://attache.apple.com/AttacheWeb/gdl | GDPR download server ?id=a038c269-cb5a-4e75-8257-a8aca57d2753 | Zip archive UUID &ek=hGf7hMe486+71xUYMUdkCD== | Hashed secret key
The password was generated using alpha-numeric characters in lowercase and uppercase combined with special characters like the arroba and percentage symbols among others. Here is an example:
The first 5 HTTP requests returned the following headers:
HTTP/1.1 200 OK Accept-Ranges: bytes Connection: keep-alive Content-Disposition: attachment; filename="Yorman.zip" Content-Length: 595456 Content-Type: application/octet-stream; charset=UTF-8 Host: attache.apple.com Server: Shield Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-FRAME-OPTIONS: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block
The 6th and subsequent HTTP requests returned the following headers:
HTTP/1.1 200 OK Connection: keep-alive Content-Encoding: gzip Content-Type: text/html;charset=ISO-8859-1 Host: attache.apple.com Server: Shield Strict-Transport-Security: max-age=31536000; includeSubDomains Transfer-Encoding: chunked X-Content-Type-Options: nosniff X-FRAME-OPTIONS: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block
Without the password, it is still possible to list the content of the archive:
$ unzip -l Yorman.zip Archive: Yorman.zip Length Date Time Name --------- ---------- ----- ---- 0 01-25-2018 15:13 Yorman/ 5142 01-25-2018 07:08 Yorman/97935364801_AccountDetails.xlsx 234256 01-25-2018 07:52 Yorman/97935364801_MailLogs.xlsx 531390 01-25-2018 07:52 Yorman/97935364801_iCloudLogs.xlsx 1082 01-25-2018 00:23 Yorman/AOS Orders.csv 3087 01-25-2018 00:23 Yorman/CRM AppleCare Case Header.csv 588 01-25-2018 00:23 Yorman/CRM Installed Product.csv 410 01-25-2018 00:23 Yorman/CRM Warranty.csv 92974 01-25-2018 00:23 Yorman/DS Signons.csv 4234 01-25-2018 07:52 Yorman/FaceTime.xlsx 13027 01-25-2018 07:52 Yorman/IDS_QueryLogs.xlsx 502 01-25-2018 00:23 Yorman/Marketing Contact.csv 48021 01-25-2018 00:23 Yorman/MyAppleId and iForgot.csv 14863 01-25-2018 15:12 Yorman/Yorman Data Definitions.xlsx 7155 01-25-2018 00:23 Yorman/iTunes Downloads.csv 96087 01-25-2018 00:23 Yorman/iTunes Updates.csv --------- ------- 1052818 16 files
97935364801 represents the DS ID.