IR-01-25-19896
12 June 2025
Cooper O'Neil
[FYI request #31117 email]
Tēnā koe Cooper
Request for information
Thank you for your Official Information Act 1982 (OIA) request of 27 May 2025 where you
requested:
The fol owing information relating to the New Zealand Police’s communications with
and data requests to Apple Inc. (including but not limited to Apple Legal or Apple Law
Enforcement Operations):
•
Processes and Procedures
Please provide any internal guidelines, policies, standard operating procedures,
training materials, or documentation that detail the process the NZ Police follow
when making legal requests to Apple for user data or other information.
•
Templates and Forms
Please provide any templates, forms, or boilerplate documents used when
submitting requests to Apple Legal.
•
Correspondence and Agreements
Please provide any memoranda of understanding (MOUs), agreements, or formal
correspondence between the NZ Police and Apple Inc. that outline how such legal
requests are to be handled.
•
Statistical Information
Please provide a breakdown (by year, from 2018 to the present) of:
The number of data or information requests submitted by the NZ Police to Apple;
The nature or categories of those requests (e.g. device information, iCloud
content, metadata, etc.), if available; The number of requests that were granted,
denied, or resulted in no data being returned.
My response to each part of your request can be found below.
Police National Headquarters 180 Molesworth Street. PO Box 3017, Wellington 6140, New Zealand.
Telephone: 04 474 9499. 04 498 7400. www.police.govt.nz
“Processes and Procedures
Please provide any internal guidelines, policies, standard operating procedures,
training materials, or documentation that detail the process the NZ Police follow
when making legal requests to Apple for user data or other information.”
Apple provides an online reference document; “Legal Process Guidelines for Government
and law Enforcement outside the United States” at:
https://www.apple.com/legal/privacy/law-enforcement-guidelines-outside-us.pdf
New Zealand Police have summarised the relevant sections into a document for
investigators. That content is attached below as Appendix A.
“Templates and Forms
Please provide any templates, forms, or boilerplate documents used when
submitting requests to Apple Legal.”
New Zealand Police do not have any templates, forms, or boilerplate documents used
when submitting requests to Apple Legal.
Apple provide a template for Government / Law Enforcement Information requests:
https://www.apple.com/legal/privacy/gle-inforequest.pdf.
They also provide a template for Emergency Requests:
https://www.apple.com/legal/privacy/le-emergencyrequest.pdf.
These templates wil likely change over time.
“Correspondence and Agreements
Please provide any memoranda of understanding (MOUs), agreements, or formal
correspondence between the NZ Police and Apple Inc. that outline how such
legal requests are to be handled.”
There are no memoranda of understanding (MOUs), agreements, or formal
correspondence between the New Zealand Police and Apple Inc. outside of the
previously referred Legal Process Guidelines that outline how such legal requests are to
be handled.
Accordingly, this part of your request is refused under section 18(e) of the OIA; that the
document alleged to contain the information requested does not exist or, despite
reasonable efforts to locate it, cannot be found.
“Statistical Information
Please provide a breakdown (by year, from 2018 to the present) of:
The number of data or information requests submitted by the NZ Police to Apple;
The nature or categories of those requests (e.g. device information, iCloud
content, metadata, etc.), if available; The number of requests that were granted,
denied, or resulted in no data being returned.”
2
New Zealand Police do not centrally manage requests to providers and have no visibility
of the organisational breakdown of emergency requests, production orders, or
preservation requests sent to Apple between 2018 and 2025. In particular, New Zealand
Police do not maintain records of the number of requests made or the outcome of those
requests. Accordingly, your request is refused under section 18(e) of the OIA; that the
document alleged to contain the information requested does not exist or, despite
reasonable efforts to locate it, cannot be found.
Apple do publish a transparency report (although dated) that reports on the information
they do provi
de: https://www.apple.com/legal/transparency/nz.html. This provides details
of requests in 6 monthly blocks up until June 2024. Data is available from 2024 back to
2013. It also has links on that page to Account Requests and Emergency Requests.
I trust this information is satisfactory in answering your request. If you are not satisfied
with the way I have responded to your request, you have the right to seek an investigation
and review by the Ombudsman. Information about how to make a complaint is available
at www.ombudsman.parliament.nz or freephone 0800 802 602.
Nāku iti noa, nā
Greg Dalziel
Detective Senior Sergeant
Cybercrime Unit
3
Appendix A
Apple
Quick Reference
Request Type Available C ontact/Portal
Emergency
Yes
http://www.apple.com/legal/privacy/le-
Request
emergencyrequest.pdf
Email completed PDF to:
[email address]
Production
Yes
[email address]
Order
Preservation
Yes
[email address]
Request
MAR
Yes
Mutual Assistance Requests
Notification :
Apple do not provide assistance to Law Enforcement to unlock devices.
Apple wil advise the customer of any request made by law enforcement (unless explicitly
directed not to by Court order) and they wil ‘deliver the narrowest set of information possible'.
Apple states that the geolocation of its devices and communications using either iMessage or
FaceTime applications are end-to-end encrypted so the content cannot be decrypted by Apple.
Background
Apple Inc. is an American multinational corporation headquartered in Cupertino, California. It
designs, develops, and sells consumer electronics, computer software, online services, and
personal computers.
Information Required
Al information requests must be submitted via email on Apple's "Government/Law Enforcement
Information Request" form available her
e: https://www.apple.com/legal/privacy/gle-
inforequest.pdf You must include the fol owing information in your request:
Apple Device Serial/IMEI Number
Apple ID
Email Address
Phone Number
4
Physical Address
Name
Please note, Apple device serial numbers contain a minimum of 10 alpha numeric characters.
Additional y, Apple device serial numbers do not contain the letters “O” or “I,” rather Apple
utilizes the numbers 0 (zero) and 1 (one) in serial numbers. Requests for serial numbers with
either the letter “O” or “I” wil yield no results.
If you have provided an IMEI and/or MEID identifier, Apple is only able to search its systems with
a 15 digit IMEI and/or a 14 digit MEID.
An ESN and/or IMSI number is not a search parameter in Apple's systems.
Information Available
Basic subscriber Information :
Name
Address
Email and phone
Customer Service records
Apple store transactions
Apple.com order details
Gift Card information (apple store or iTunes)
Apple Pay transactions*
IP address and connection Logs (18 months)
MAC addresses
*Apple requires the Device Primary Account Number (DPAN) used for the transaction. The DPAN
is 16 digits and can be obtained from the issuing bank.
Al requests from government and law enforcement agencies outside of the United States for
content, with the exception of emergency circumstances must comply with applicable laws,
including the United States Electronic Communications Privacy Act (ECPA). A request under a
Mutual Legal Assistance Treaty or under an Executive Agreement under the Clarifying Lawful
Overseas Use of Data Act (“CLOUD Act Agreement”) is in compliance with ECPA. Apple wil
provide customer content, as it exists in the customer's account, only in response to such legal y
valid request
5
Content:
Email content
iCloud Content
My Photo stream content
iCloud Photo Library
Contacts
Calendar/s content
Bookmarks and safari browsing history
Maps Search history
Messages
IOS device backups
Device location services information is stored on each individual device and Apple cannot retrieve
this information from any specific device. Location services information for a device located
through the Find My feature is customer facing and Apple does not have content of maps or
alerts transmitted through the service
Where your legal request contains full credit/debit card data, Apple store gift card data, Apple
pay transactional data
For data security purposes, data should be transmitted in a password-protected/encrypted
document (.PDF and editable format, example Numbers, Excel, Pages or Word document) to
[email address] and the password should be transmitted in a separate email.
Additional y Apple wil not download legal request documents through any link provided in an
email due to system security standards.
If you are requesting information in regards to an Apple media service (e.g Apple Music, Apple
TV, Apple Podcats etc)
Requests for Apple Media Service data must include the Apple device identifier (serial number,
IMEI, MEID, or GUID) or relevant Apple ID/account email address. If the Apple ID/account email
address are unknown, it is necessary to provide Apple with Apple Media Service customer
information in the form of full name and phone number, and/or full name and physical address in
order to identify the subject Apple Media Service customer account. Government or law
enforcement officers may also provide a valid Apple Media Service order number or a complete
debit or credit card number associated with the Apple Media Service purchase(s). A customer
name in combination with these parameters may also be provided, but customer name alone is
insufficient to obtain information
6
Emergency Requests
All Emergency Disclosure Requests to Apple must be completed on the official form which can be
downloaded fr
om here.
The completed PDF form can be emailed t
o [email address] with the words “Emergency
Request” in the subject line.
Preservation Requests
Information requests to Apple must be completed on the official for
m Government & Law
Enforcement Information Request template and must be accompanied with the appropriate
Production Order, both addressed to:
[email address].
Contact Information
Portal Details
https://www.apple.com/privacy/government-information-requests/
Physical Address for Court Orders:
Apple Pty Ltd
located at Level 3, 20 Martin Place,
Sydney
New South Wales 2000
AUSTRALIA
General Contact for enquiries
0800 692 7753 (0800-MY-APPLE)
Additional Information
Data retention
This providers policies and processes surrounding data retention are unknown.
Apple End-to-End Encryption / Advanced Data Protection (ADP)
Apple released global y since IOS 16.3 (January 2023) the Advanced Data Protection (ADP)
feature, an opt-in feature that applies end-to-end encryption to iCloud Backup, Notes, Photos,
and certain other categories of iCloud data.
7
By default, Apple stores encryption keys for some iCloud data types on its servers to ensure that
users can recover their data if they lose access to their Apple ID account. If a user enables ADP
feature, the encryption keys are deleted from Apple's servers and stored on a user's devices
only, preventing Apple, law enforcement, or anyone else from accessing the data, even if iCloud
servers were to be breached.
https://support.apple.com/en-gb/HT202303
How ADP works:
Users who opt in to ADP wil cause certain categories of their iCloud data to become end-to-end
encrypted, including iCloud Backup, Notes, Photos, iCloud Drive, and Safari Bookmarks (the full
list is availabl
e here). Data encrypted with ADP wil be accessible to users from all of their trusted
devices.
Apple wil not be able to decrypt any data encrypted with ADP and, as a result, wil not produce it
pursuant to LE requests.
Users can disable ADP at any time. Apple can’t remotely disable ADP on a user’s account.
Users are required to set up at least one alternative recovery method (up to five “recovery
contacts” or a recovery key) which they can use to recover their iCloud data if they lose access to
their account.
Apple expects that it wil be able to notate in legal process returns whether ADP is enabled on a
target account. It isn’t yet clear whether Apple wil be able to identify the ADP recovery method
(including the identity of any recovery contacts) or dates when ADP was enabled or disabled by
the user.
What’s NOT impacted by the ADP rollout:
Pre-existing Law Enforcement Requests: Apple emphasized that its compliance team has made
efforts to ensure that the rol out of ADP did not impact its ability to preserve and/or produce
data subject to preservation and data requests received before Wednesday (December 7).
Accounts that haven’t enabled ADP.
Managed (enterprise) and child accounts don’t support ADP.
Categories of data not affected by ADP: Contacts, iCloud Mail, Calendar and some metadata and
usage information stored in iCloud. To check the what metadata information is not affected by
ADP, check the section
"Encryption of certain metadata and usage information" on this
link.
Of note: for iCloud Backup, ADP should not prevent LE from obtaining the name/model/serial of
the associated device, and a list of apps and file formats that are included in the backup.
Guidance/Steps you can take:
Send in your preservation requests ASAP for any Apple account data you think is important to
your case because users may soon be opting in to ADP (and, if intending to serve legal process to
obtain that data, be sure to serve it before the associated preservation/extension request
expires).
Continue to be diligent about serving Apple with preservation requests. Those users who do not
enable ADP during the initial rol outs in their country may do so at any time thereafter.
8
If you learn through legal process that a target account has enabled ADP, consider checking again
throughout an investigation. Users who enable ADP can disable this feature at any time and, if
they do, al existing ADP-encrypted data wil be decrypted using the user’s key and then
encrypted using standard data protection (Apple retains the key and regains the ability to
produce a decrypted version to LE).
The most important takeaway is that preservation requests should be submitted to Apple as soon
as possible for any account data that might later be sought with legal process.
9
