Apple threat notifications

FAQ: Access Now’s Digital Security Helpline and Apple threat notifications

This FAQ addresses what we at Access Now know about ongoing Apple threat notifications sent to people who may have been targeted by state-sponsored attacks aiming to remotely compromise their devices. These attacks include the use of spyware technology. We also explain Access Now’s relationship to these notifications. 

Supporting civil society actors who have received threat notifications, and investigating spyware infections, is just one aspect of our Digital Security Helpline’s work. Visit the Digital Security Helpline’s webpage to learn more.

1. What is Access Now’s Digital Security Helpline?

Access Now is an international human rights organization whose mission is to defend and extend the digital rights of people and communities at risk. Read more information about us and our funding.

Our Digital Security Helpline is a dedicated team providing direct technical assistance and support to civil society groups and human rights defenders around the world. This includes forensic analysis of malware targeting civil society and uncovering abuses of surveillance technology around the globe. Access Now has been involved in investigations that have exposed a range of cases, including the first instance of spyware used in warfare during the Azerbaijan-Armenia conflict, the targeting of Putin’s critics, and the widespread use of spyware against journalists and activists worldwide, from El Salvador to Jordan

2. What are Apple threat notifications?

According to Apple, threat notifications inform and assist people using Apple devices who may have been targeted with spyware by states or state-sponsored attackers. Apple sends such notifications by email and iMessage to the registered addresses and phone numbers across all devices associated with a person’s Apple ID. The notification is also displayed at the top of the page after the person has signed in to 

In every wave, notifications are sent to people using Apple devices in different countries. According to Apple, since 2021, they have sent such notifications to people in nearly 150 countries. Such countries have included Armenia, Dominican Republic, El Salvador, India, Latvia, Mexico, Poland, Thailand, and other countries.

3. Does Access Now play a role in Apple’s threat notifications? 

Access Now plays no role in identifying or sending out Apple’s threat notifications. Access Now’s Digital Security Helpline is mentioned in the notifications as an independent external resource for civil society organizations and individuals, while other external resources including the Consumer Reports Security Planner — a tool for staying safe online — and other digital security help desks are listed by Apple on their website. While Apple points to our Digital Security Helpline as a resource to ensure targeted members of civil society can access help, Access Now has no additional information about Apple’s notifications, which are sent out exclusively by Apple’s Security Engineering & Architecture Team. 

Civil society groups and activists, media organizations, journalists, and human rights defenders who receive Apple threat notifications, or who have other digital security concerns, can approach Access Now’s Digital Security Helpline free of charge, 24/7, for support in nine languages. 

4. Does receiving an Apple threat notification mean that you have been infected with spyware? 

While Access Now’s Digital Security Helpline only serves civil society, media and journalists, and human rights defenders, we urge anyone who has received an Apple threat notification to take it seriously, as it indicates that their device was selected for targeting with spyware.

In the majority of cases that Access Now’s Digital Security Helpline has been able to examine, we — and partners — have found that attempts to infect the devices were successful. However, as more people who use Apple update their devices and turn on Apple Lockdown Mode, we are also seeing more unsuccessful attempts to target their devices. 

5. Do we know who the attacker behind Apple threat notifications is?

The language in Apple’s notifications does not typically indicate what attacker or technology the company detected. Receiving an Apple threat notification should trigger an effort to investigate and determine who may be responsible. In the past, such investigations have identified mercenary spyware such as Pegasus on devices that received notifications. 

Even in situations where it may be possible to identify the specific spyware used (e.g. NSO Group’s Pegasus) to infect a device, it can be challenging to attribute the infection to a specific governmental operator, as spyware manufacturers purposefully design spyware to obfuscate the origin of the technology and frustrate attribution. This investigative task can require a combination of technical, circumstantial, and other forms of evidence.

Given the asymmetrical power that spyware companies enjoy, it is important for governments to join civil society and tech platforms in the fight against the pernicious spyware sector. Furthermore, governments are under an obligation to be transparent on any past or current dealings with spyware vendors. And we believe that all governments must commit to a ban on commercial spyware.