When high-profile targets—including political campaign staffers—suspect their iPhones have been compromised by state-sponsored surveillance, Apple routinely declines to perform forensic investigations. Instead, the tech giant directs users to Access Now, a nonprofit organization specializing in digital security for at-risk populations.
The Strategy Behind the Referral
Recent reports highlight that even campaigns for high-level U.S. officials have faced barriers when seeking Apple’s direct forensic assistance. Rather than analyzing devices in-house, Apple has standardized a protocol: it sends threat notifications to users identified as targets of “mercenary spyware” and provides a direct link to the Access Now digital helpline.
The standard notification warns: “Apple detected that you are being targeted by a mercenary spyware attack… This attack is likely targeting you specifically because of who you are or what you do.”
Why Security Experts Support This Approach
While some may view Apple’s refusal to conduct private forensics as an abdication of duty, cybersecurity experts, including researchers from the Citizen Lab, argue that keeping forensic investigation separate from the device manufacturer is necessary.
“These notifications have been a game changer for spyware accountability research,” says John Scott-Railton, a senior researcher at Citizen Lab. He notes that many of the most significant global investigations into spyware, including cases in Poland and Thailand, originated from these Apple alerts. For investigators, the notification serves as the critical “patient zero” signal that allows them to begin their work.
The Role of Access Now
Access Now provides the systematic triage that big tech companies are often unwilling or unable to perform. Natalia Krapiva, legal counsel at the nonprofit, notes that the helpline has already processed over 4,300 tickets in 2024 alone. By offloading the investigative burden to specialists, Apple ensures that victims receive support from experts who understand the nuances of civil society threats.
Can Apple Do More?
While the notification system is praised, some experts suggest the company should do more to go on the offensive. Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), argues that Apple could provide more detailed technical reports and pursue more aggressive litigation against spyware vendors, tactics that require resources and telemetry data that NGOs often lack.
Protecting Your Device
Apple maintains that it has sent notifications to users in over 150 countries since 2012. For those who receive an alert, or for high-risk individuals like journalists and dissidents, the company and security experts strongly recommend the following steps:
- Enable Lockdown Mode: This opt-in feature restricts device functionality to block common exploit vectors. Apple currently has no record of a successful spyware infection on a device where this mode was active.
- System Updates: Ensure that iOS and all installed applications are running the latest versions to patch known vulnerabilities.
- Seek Professional Help: If you receive a threat notification, do not ignore it. Reach out to verified security organizations like Access Now for professional forensic triage.
As security expert Runa Sandvik puts it, keeping the investigation of individual attacks separate from the manufacturer’s operations remains the most effective path for user protection. Ultimately, for those in the crosshairs of digital surveillance, the Apple notification is the first line of defense—and it should be treated with the highest level of urgency.
