Before the elections, the cybersecurity team of U.S. vice president and then-presidential candidate Kamala Harris reached out to Apple asking for help, according to Forbes, after a tool that’s designed to detect spyware on iPhones flagged anomalies on two devices belonging to campaign staffers. Apple declined to forensically analyze the phones, per Forbes.
The company’s response is no surprise to the digital defenders working with at-risk populations often targeted by spyware.
In the last few years, Apple has been sending notifications to targets and victims of government spyware, alerting them that they may have been hacked, and directing them to get help. Crucially, Apple doesn’t tell the targets to get in touch with its own security engineers, but with the nonprofit Access Now, which runs a digital helpline for people in civil society who suspect they have been targets of government spyware.
“Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple Account,” reads a recent alert, which Access Now shared with TechCrunch. “This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously.”
While it may look like Apple is abdicating its responsibility to protect its users, cybersecurity experts who work with human rights defenders, journalists, and dissidents generally agree that Apple’s approach in alerting victims to spyware attacks is the right one.
Contact Us
Do you have more information about government spyware and its makers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
“These notifications have been a game changer for spyware accountability research,” said John Scott-Railton, a senior researcher at the Citizen Lab, a nonprofit that investigates spyware and is housed at the University of Toronto Munk School of Global Affairs & Public Policy.
“When I look back over the past few years, I see so many of the most important cases that we know about — Poland, Thailand, so many others — began with an Apple notification,” said Scott-Railton.
For people who investigate spyware, Apple sharing spyware notifications with victims represented a turning point. Before the notifications, “We were just like in the dark, not knowing who to check,” according to Access Now’s legal counsel Natalia Krapiva.
“I think it’s one of the greatest things that’s happened in the sphere of this kind of forensic investigations and hunting of sophisticated spyware,” Krapiva told TechCrunch.
Now, when someone or a group of people get a notification from Apple, they are warned that something potentially anomalous is happening with their device, that someone is targeting them, and that they need to get help. And Apple tells them exactly where to get it, according to Scott-Railton, who said Access Now’s helpline is the right place to go because “the helpline is able to do good, systematic triage work and support.”
Krapiva said that the helpline is staffed by more than 30 people, supported by others who work in other departments of the nonprofit. So far in 2024, Krapiva said Access Now received 4,337 tickets through the helpline.
Scott-Railton, Krapiva, and security expert Runa Sandvik, who runs her own digital security consultancy Granitt for at-risk people and has been protecting journalists for a decade, all agree Apple should stop short of investigating individual attacks after notifying the victims.
“Big tech companies don’t want to get into the business of doing forensics on people’s devices or accounts,” Sandvik told TechCrunch. “I think that should remain separate.”
Eva Galperin, the director of cybersecurity at the nonprofit Electronic Frontier Foundation, who has been investigating surveillance on the internet for more than a decade, said that Apple could still do more to combat spyware.
“[Apple] could write more detailed reports and file more lawsuits. These are the things that take massive amounts of money NGOs don’t have and telemetry NGOs don’t have,” Galperin told TechCrunch.
In its official page about mercenary spyware, last updated in October, Apple says that since 2012 it has sent notifications to users in more than 150 countries.
Apple spokesperson Nadine Haija told TechCrunch that the “vast majority of users will never be the victims of such attacks, we sympathize deeply with the small number of users who are, and we continue to work tirelessly to protect them,” and reiterated that there are no known cases of mercenary spyware on Apple devices with Lockdown Mode. “Our security teams are constantly working to track mercenary spyware attackers, and we send threat notifications to inform and assist users who we believe were individually targeted.”
For anyone alerted by a notification, Apple tells those targets and victims of spyware to update their iOS software and all their apps. Apple also suggests the user switches on Lockdown Mode, an opt-in iOS security feature that has stopped spyware attacks in the past by limiting device features that are often exploited to plant spyware. Apple said last year that it is not aware of any successful spyware infection against someone who used Lockdown Mode.
Scott-Railton called Lockdown Mode “a game changer in increasing the security of people’s devices, especially people who are at risk.”
All the experts TechCrunch spoke with strongly recommend turning on Lockdown Mode if you think you may be a target, especially if you are a journalist, human rights defender, or dissident.
And if you get a notification from Apple, take it very seriously.