Apple fails to remove 'deleted' Safari web browser histories from iCloud
Apple is a company that puts a big focus on security and privacy. Unlike Google, the iPhone-maker does not make the majority of its money from advertising and harvesting user data. Heck, Tim Cook and company even famously fought a government request to help it break into an iPhone. Ultimately, if you value your privacy, Apple products can arguably be trusted a bit more than those of its competitors.
With all of that said, today, a bit of a failure was discovered on Apple's part regarding user privacy. You see, when an Apple user deleted their web browser history, they assumed it was gone forever -- and rightfully so. While the data no longer appeared on Apple devices, it has been discovered by ElcomSoft that it persisted on iCloud. To make matters worse, this data is easily recoverable.
"Our latest discovery concerns synced Safari history. While researching this sync, we discovered that deleting a browsing history record makes that record disappear from synced devices; however, the record still remains available (but invisible) in iCloud. We kept researching, and discovered that such deleted records can be kept in iCloud for more than a year. We updated Elcomsoft Phone Breaker to give it the ability to extract such deleted records from the cloud. Moreover, we were able to pull additional information about Safari history entries including the exact date and time each record was last visited and deleted!" says Vladimir Katalov, ElcomSoft.
Katalov further says, "Safari history is synced across devices. Once you delete a record on one device, it will disappear on all other devices in a matter of seconds (or minutes), provided that those devices are connected to the Internet. While those records can be retained in SQLite database for technical reasons, a flush or cleanup will purge them sooner or later (on an actively used device, this can happen in a few days or up to 2-3 weeks). However, those same records will be kept in Apple iCloud for much longer. In fact, we were able to access records dated more than one year back. The user does not see those records and does not know they still exist on Apple servers."
If you are worried about hackers or government agencies accessing this data, you shouldn't be. As long as you properly secure your iCloud account with a strong password and two-factor authentication, the data is only accessible by you. The fear, of course, is that hackers or other actors could gain access to your account if they know your credentials or have access to your iPhone, iPad, or other Apple device. Wouldn't you know it, ElcomSoft has a product that can easily recover the data -- with login access to the iCloud account, of course.
Ultimately, yes, it seems Apple has made a big mistake by failing to properly purge this data, but as long as you properly secure your account, the impact should be minimal -- your surfing habits should be safe. Hopefully Apple will get this sorted soon.
[Update] As per ElcomSoft, Apple may be in the process of fixing this, as some accounts are now only showing two weeks' worth of deleted records. It isn't clear why all records have not been purged.
There are still many unanswered questions -- it is unknown if it has been fixed on all accounts. BetaNews has reached out to Apple for comment on this matter.