ietf-wg-dult / finding


[COMMENT] Data Retention from Central Servers #3

Open zoracon opened 5 months ago

zoracon commented 5 months ago

If the central server is able to learn the identity of the device reporting an accessory or the identity of the owner requesting the location of an accessory, then it can infer information about that accessory's behavior.

Outlining a retention period from the central server could also help mitigate this issue with the listed technical solutions (Oblivious HTTP) in the doc. It could also help limit dragnet warrants by law enforcement.

ekr commented 5 months ago

I agree that this is a good recommendation. How much it helps depends on the threat model. I.e., if the attacker is the central server, they can claim to delete the data but not actually do so. If the central server is trying to minimize its attack surface from outside then this can reduce it significantly.
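To make the retention recommendation from the issue and the threat-model caveat in the reply concrete, here is an added sketch (not code from the DULT draft or this repository) of a central-server report store that keeps only an accessory identifier, an owner-decryptable ciphertext and a receipt timestamp, and enforces a retention window both on a purge schedule and at query time. The `FindingStore`, `FindingReport` and field names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class FindingReport:
    accessory_id: str           # rotating identifier the finder observed
    encrypted_location: bytes   # ciphertext only the accessory owner can open
    received_at: datetime       # server receipt time; the only metadata kept


class FindingStore:
    """Central-server store with a fixed retention window.

    Reporter identity (account, source address) is never written, so a
    retained record cannot be tied back to the finding device.  Purging
    limits what an outside compromise or a broad legal request can yield;
    it does nothing against a server that merely claims to purge.
    """

    def __init__(self, retention: timedelta) -> None:
        self.retention = retention
        self._reports: list[FindingReport] = []

    def ingest(self, accessory_id: str, encrypted_location: bytes,
               *, now: datetime) -> None:
        self._reports.append(FindingReport(accessory_id, encrypted_location, now))

    def purge(self, now: datetime) -> int:
        """Drop reports older than the retention window; return count dropped."""
        cutoff = now - self.retention
        before = len(self._reports)
        self._reports = [r for r in self._reports if r.received_at >= cutoff]
        return before - len(self._reports)

    def lookup(self, accessory_id: str, *, now: datetime) -> list[FindingReport]:
        """Owner query: enforce retention first so expired data is never served."""
        self.purge(now)
        return [r for r in self._reports if r.accessory_id == accessory_id]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timeline
    store = FindingStore(retention=timedelta(days=7))
    store.ingest("acc-A", b"ciphertext-1", now=t0)
    store.ingest("acc-A", b"ciphertext-2", now=t0 + timedelta(days=5))
    print(len(store.lookup("acc-A", now=t0 + timedelta(days=8))))  # 1
```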