When a FaceTime call sits at the center of a case, attorneys often draft subpoenas to Apple expecting to recover the video itself. They will not. A FaceTime evidence Apple subpoena is, at most, a request for basic subscriber records; the FaceTime metadata that proves a call occurred requires a court order, and any stored content requires a search warrant. The retention window is also short: just 25 days for the invitation and connection logs that prove a session existed. This post walks through what Apple actually retains for FaceTime, which tier of legal process unlocks each category, and how to write a discovery request that asks for what Apple can hand over rather than what it cannot.

What Apple Stores (and Can Provide) for FaceTime

In the Apple “Legal Process Guidelines” under section “W. FaceTime”, the company explicitly lists the kinds of data that may be provided to law enforcement when valid legal process is served (search warrant, court order, or subpoena, depending on the data category). [1 ]

1. Call Metadata and Connection Logs

Apple retains a narrow set of FaceTime metadata: the fact that an invitation or session occurred, timestamps, and participant identifiers (Apple IDs or device identifiers) as available.

  • Per Apple’s Legal Process Guidelines: U.S. Law Enforcement (October 2025), FaceTime call invitation logs are retained for up to 25 days. [1 ]
  • Connection logs for Apple services are also retained for up to 25 days under Section U of the same guidelines. [1 ]
  • Metadata may include which Apple ID initiated or received the FaceTime, approximate timestamps, possible session duration, and the IP address or network connection log captured at the moment the call was established.
  • Apple emphasizes that the content of a FaceTime session is end-to-end encrypted and that the company cannot decrypt it for law enforcement. [2 ]

Counsel often conflates “subpoena” with “any legal process,” but Apple’s response depends entirely on which tier of the Stored Communications Act (SCA) the request invokes.

  • Subpoena. Returns basic subscriber information only (name, address, billing information, account creation date, registered email and phone numbers). Apple will not produce FaceTime invitation logs or connection metadata in response to a subpoena alone.
  • Court order under 18 U.S.C. §2703(d). Required to compel non-content records such as FaceTime invitation logs and connection logs. This is the right vehicle for FaceTime metadata.
  • Search warrant (probable cause). Required before Apple will produce stored content (for example, an iCloud Backup that may contain a screen recording of a FaceTime call, iMessage history, photos, or device backups). A subpoena is legally insufficient for content, even when the user voluntarily uploaded it.

The practical implication: a request labeled “subpoena for FaceTime records” is likely to come back with subscriber information only. To reach the metadata that proves a call occurred, counsel needs a §2703(d) order. To reach any captured content stored by a participant in iCloud, counsel needs a warrant.

3. Content of the Call (Video and Audio)

The actual video and audio of a FaceTime session is not stored on Apple’s servers for later retrieval. The service is end-to-end encrypted; only the participants can see and hear the call, and Apple cannot decrypt it. [3 ]

If counsel asks Apple for “video of a FaceTime call,” Apple will not produce that recording. The recoverable content lives on the participants’ devices, in their device or iCloud backups, or in any third-party recording that captured the session. Reaching that material from Apple still requires a search warrant; reaching it from the participants requires device-level forensics or consent.

4. Retention Periods and Limitations

  • FaceTime invitation logs and connection logs: up to 25 days. [1 ]
  • iCloud account information and backups follow separate retention and production rules under Apple’s iCloud sections.
  • Apple will provide data only to the extent the company still possesses it under its data retention policies; older requests routinely return “no responsive records.”

Key Forensic and Discovery Implications

Given the SCA tiers and the 25-day retention window, here are the practical implications for digital forensics and eDiscovery work.

What Apple Will and Will Not Produce

  • A subpoena alone returns subscriber information; a §2703(d) order is the right vehicle for FaceTime invitation and connection logs. The metadata can show when the call occurred, between which Apple IDs, for what duration, and (potentially) from what IP addresses.
  • To capture the actual video or audio content of a FaceTime session, counsel must rely on device extraction, an iCloud or local device backup, or a third-party recording. Apple will never provide the live call content; an iCloud-stored screen recording may be reachable, but only with a search warrant.
  • Because retention is short (25 days for invitation and connection logs), timing is critical. A preservation letter under 18 U.S.C. §2703(f) can lock the data for 90 days while counsel obtains the appropriate process.

Drafting the Request

  • When drafting the request, counsel should:
    • Identify the Apple ID(s) involved, the precise time window, and the specific service (FaceTime).
    • Match the legal vehicle to the data sought: subpoena for subscriber info, §2703(d) order for FaceTime metadata and connection logs, search warrant for content stored in iCloud.
    • Cite the relevant section of Apple’s Legal Process Guidelines (Section W for FaceTime; Section U for Connection Logs) so Apple’s legal team can scope the response.
    • Avoid asking for “content” under a subpoena; the request will be rejected and time will be lost.
  • Always verify against the latest version of Apple’s guidelines (October 2025 at the time of writing; section letters can shift between revisions). [1 ]
  • For cross-jurisdictional issues, where the account is outside the U.S. or devices are located internationally, the legal process can be more complex (MLAT, CLOUD Act). [1 ]

Typical Logging Workflow (Forensic View)

The metadata chain for a typical FaceTime session works like this:

  1. User A initiates a FaceTime call to User B.
  2. Apple’s FaceTime servers (or signaling infrastructure) establish the session. Metadata generated includes the initiating Apple ID, the target Apple ID, a timestamp, possibly a call session ID, IP addresses at the moment of connection establishment, and device type.
  3. After the call ends, invitation and connection metadata are retained for up to 25 days per Apple’s Legal Process Guidelines: U.S. Law Enforcement (October 2025).
  4. If a law enforcement request arrives within the retention window, Apple can respond with this metadata.
  5. If the request arrives outside the retention window, the metadata may be purged and unrecoverable from Apple.
  6. The video and audio stream itself never lands in Apple’s unencrypted infrastructure for retrieval, so only the participants and their devices and backups have access to it.

Sample Request Language for Discovery

Counsel drafting a subpoena or discovery request can adapt the following bullet phrasing:

  • “Produce all metadata related to FaceTime services for Apple ID [account_identifier] for the period from [date] to [date], including timestamps of call invitations, originating Apple ID, receiving Apple ID, call duration, device type, and IP address(es) at the time of connection.”
  • “Produce any connection logs maintained by Apple for FaceTime sessions involving Apple ID [identifier] during the same period.”
  • “State Apple’s internal retention period for FaceTime metadata and whether any logs within that timeframe have been deleted, purged, or otherwise rendered unavailable.”

Where the Content Actually Lives: Endpoint Evidence

Because Apple cannot decrypt FaceTime content, the recoverable artifacts of the call live almost exclusively on the participants’ devices. A forensic examiner working a FaceTime case should look in several specific places:

  • iOS unified logs and the CallHistory.storedata SQLite database, which often record FaceTime sessions alongside cellular calls.
  • Local iCloud backups (encrypted, but accessible with the device passcode or iCloud credentials and proper legal authority).
  • Screen recordings stored in the device’s Photos library, which are commonly created by participants who wish to preserve a call.
  • Third-party recording applications, voicemail transcripts, and any device that was in the same room and may have captured ambient audio.
  • Apple Watch and HomePod activity logs, which can corroborate the timing of a FaceTime session even when content is unavailable.

A FaceTime evidence Apple subpoena is worth pursuing, but only with the right scope and the right vehicle. A subpoena returns subscriber information; a §2703(d) order reaches the 25-day window of invitation and connection logs; a search warrant is required for any iCloud-stored content. The metadata window is short, so a §2703(f) preservation letter should go out the moment counsel anticipates the request. And the content itself, when it exists at all, lives on the endpoints, not on Apple’s servers. Counsel who write to that reality recover the evidence that exists; counsel who write to a Hollywood version of cloud surveillance recover nothing.

If you have a FaceTime session at the center of a case and need help framing the discovery request or extracting endpoint evidence, contact Lucid Truth Technologies for a consultation.

References

[1] Apple Inc., Legal Process Guidelines: U.S. Law Enforcement (October 2025), Sections W (FaceTime) and U (Connection Logs). [Online]. Available: https://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf

[2] “What Apple surrenders to law enforcement when issued a subpoena,” AppleInsider, 2020. [Online]. Available: https://appleinsider.com/articles/20/01/21/what-apple-surrenders-to-law-enforcement-when-issued-a-subpoena

[3] Apple Inc., Apple Platform Security: FaceTime security. [Online]. Available: https://support.apple.com/guide/security/facetime-security-secd1b3ec3d6/web

[4] 18 U.S.C. §2703 (Required disclosure of customer communications or records). [Online]. Available: https://www.law.cornell.edu/uscode/text/18/2703