iMessage and the Secret Service

I was struck by this section of a report by Politico’s Eric Geller involving the deletion of Secret Service messages related to the January 6 insurrection at the U.S. Capitol:

The phone resets occurred as the Secret Service was implementing a new mobile device management (MDM) platform, a technology that employers use to centrally manage and preserve emails, photos and other data stored on employees’ phones. Apple’s iMessages cannot be backed up by this system, because they are encrypted and stored on users’ devices, unlike regular text messages.

This explanation seemed off to me, because while iMessage data is end-to-end encrypted in transmission and not stored by Apple as a part of the transmission process, it’s not actually encrypted on the device itself. Which is why iCloud backups, which are unencrypted, can contain the entire contents of iMessage conversations. (This is a workaround that has been used by law enforcement to obtain iMessage records in numerous occasions.)

Geller goes on:

Because of this issue, the Secret Service couldn’t store iMessages in a central location the way it managed its email system and other technologies. Thus, when individual agents failed to manually back up their data before their phones were erased and reconfigured for the new management system, the only copies of those iMessages were lost.

This portion seems to suggest that this is more an issue about a failure of backing up phones before wiping them, rather than the encrypted nature of iMessage itself. I ran it by Tom Bridge, Principal Product Manager at JumpCloud and co-host of the MacAdmins podcast, in the Six Colors Discord, and here’s what he had to say:

iMessage histories may be device specific and limited, and if they were not utilizing iCloud Backup (for Federal Government Cloud Reasons) it is possible that when the devices were wiped and setup anew with the MDM — so that the devices are supervised by the new MDM — the previous history was lost.

In short, I suspect they were prohibited from using any iCloud service because iCloud isn’t FedRAMP certified for security, and when they wiped the device to set them up with the new MDM service, they could not restore even a local on-disk backup, because those backups would’ve stored the supervision identity and the MDM enrollment from the previous MDM service.

There would be a way to do this, but it would’ve been a pain in the butt to organize because it requires that you swap handsets with your nearest other handset. (Local backups CAN be restored if the device UDID is different, because the supervision identity and MDM enrollment are entangled with the hardware.)

We ran into this with a healthcare startup I used to support. When they swapped MDMs, their text history was not preserved because they did not believe iCloud’s security was adequate for their HIPAA requirements. (They later changed their mind.)

Is it possible that this was, in fact, malicious? 100% yes. Is it possible that this was, actually, unintentionally caused? Also 100% yes.

My thanks to Tom for picking through the technical details of what might have gone on here.

If you appreciate articles like this one, support us by becoming a Six Colors subscriber. Subscribers get access to an exclusive podcast, members-only stories, and a special community.