We Now Know What Information the FBI Can Obtain from Encrypted Messaging Apps – Just Security

Posted on by

What user data can U.S. federal law enforcement obtain from providers of encrypted messaging services? A recently disclosed January 2021 document from the Federal Bureau of Investigation (FBI) supplies a concise summary with respect to nine different secure messaging apps. It shows that with legal process, the FBI can get various types of metadata, and in some cases even stored message content. Exactly whats available, though, varies widely by app. The one-page document should give useful guidance to privacy-conscious people including journalists, whistleblowers, and activists while also helping to dispel misconceptions about the FBIs surveillance capabilities (or lack thereof) in the encrypted messaging context. Kudos to government-transparency nonprofit Property of the People (POTP), run by FOIA guru Ryan Shapiro and indefatigable lawyer Jeffrey Light, for obtaining this record under the Freedom of Information Act.

Dated Jan. 7, 2021, the document states that it reflects FBI capabilities as of November 2020. The apps included in the chart are iMessage, LINE, Signal, Telegram, Threema, Viber, WeChat, WhatsApp (owned by Meta, fka Facebook), and Wickr (which was acquired by AWS in June). Most of these appsiMessage, Signal, Threema, Viber, WhatsApp, and Wickrend-to-end encrypt messages by default. As for the rest, Telegram uses default end-to-end encryption (E2EE) in some contexts, but not others. E2EE is on by default in newer versions of LINE, but it may not be turned on in older clients. And WeChat, owned by Chinese giant Tencent, does not support end-to-end encryption at all (just client-to-server encryption). This variance may explain why the document refers to the apps as secure instead of E2EE.

What User Data Can the FBI Get?

The chart illuminates the variation in how much data different services collect and retain about users and their communicationsand consequently, what data theyll provide to law enforcement given a valid warrant, subpoena, or court order. (Think, for example, about a warrant asking for all records in a providers possession pertaining to a user: the more information it retains about its users, the more it can be required to provide to law enforcement.) This ranges from the minimal information available from Signal and Telegram, to the basic subscriber information and other metadata that several services disclose to the FBI, and even limited stored message content from three of the nine apps: LINE (which, as said, still supports non-E2EE chats), iMessage, and WhatsApp.

That last part may come as a surprise to some iMessage and WhatsApp users, given that were talking about E2EE messaging. True, E2EE renders users messages inaccessible to law enforcement in transit, but its a different story for cloud storage. If an iMessage user has iCloud backups turned on, a copy of the encryption key is backed up along with the messages (for recovery purposes) and will be disclosed as part of Apples warrant return, enabling the messages to be read. WhatsApp messages can be backed up to iCloud or Google Drive, so a search warrant to one of those cloud services may yield WhatsApp data including message content (although a search warrant to WhatsApp wont return message content). (WhatsApp recently started rolling out the option to E2EE message backups in the cloud, rendering the FBI chart slightly out-of-date.)

While its possible to piece together some of the information in the chart by scouring app makers public documentation and courts criminal dockets, the FBI conveniently pulled it into one at-a-glance page. It might be old news to you, if you happen to be familiar with both the law governing electronic communications privacy and the technical nuances of your encrypted messaging app(s) of choice. That may describe a lot of Just Security readers and government surveillance beat reporters, but it probably doesnt reflect the average users mental model of how an E2EE messaging service works.

The chart also reveals details that app makers dont talk about forthrightly, if at all, in their public-facing guidelines about law enforcement requests. With a warrant, WhatsApp will disclose which WhatsApp users have the target user in their address books, something not mentioned on WhatsApps law enforcement information page. And Apple will give 25 days worth of iMessage lookups to and from the target number irrespective of whether a conversation took place, which is described in Apples law enforcement guidelines but takes a little digging to understand since neither the FBI nor Apple explains what that means in plain English. In each case, the company is disclosing a list of its other users that happen to have the target users contact info, whether or not the target communicated with them. (If other messaging services make a practice of disclosing similar information, its not reflected in the chart.) These details underscore the broad sweep of U.S. electronic surveillance law, which lets investigators demand any record or other information pertaining to a [target] subscriber in response to a 2703(d) order or search warrant. While Apple and Meta have both fought for user privacy against overreaching government demands, the law nevertheless renders a lot of user data fair game.

Popular Misperceptions of Messaging Privacy

In short, its no easy task for the average person to accurately understand precisely what information from their messaging apps could wind up in the hands of federal investigators. Not only do different apps have different properties, but app makers dont have much of an incentive to be straightforward about such details. As the FBI chart demonstrates, the market of free, secure messaging apps is a gratifyingly crowded and competitive field. Providers want to give current and would-be users the impression that their app is tops when it comes to user security and privacy, whether the user is concerned about malicious hackers, governments, or the provider itself. Providers have learned to be wary of overstating their services security properties, but theyre betting that marketing copy will get more attention than technical whitepapers or transparency reports.

In this regard, app makers incentives are aligned with those of the FBI. Given the FBIs years-long campaign against encryption, it makes a strange bedfellow to the encrypted service providers it has condemned by name in public speeches. But service providers and the FBI both benefit from a popular misconception that underestimates the user data available to investigators from certain E2EE services. That misapprehension simultaneously maintains the providers image in the eyes of privacy-conscious users while upholding the FBIs narrative that its going dark in criminal investigations due to encryption.

Although this misunderstanding may help law enforcement investigators, it can have significant consequences for their targets. Not just garden-variety criminals, but also journalists and their sources, whistleblowers, and activists have a lot riding on their choice of communications service. As noted in Rolling Stones article about the FBI chart, WhatsApp metadata was key to the arrest and conviction of Natalie Edwards, a former U.S. Treasury Department official who leaked internal documents to a reporter with whom she exchanged hundreds of messages over WhatsApp. Edwards (and presumably also the reporter, who owed Edwards an ethical duty of source protection) believed that WhatsApp was safe for journalist/source communication. That misunderstanding cost Edwards her freedom.

The Reality Behind the Myth

Thanks to FOIA and its zealous disciples at POTP, the public can now see the internal FBI document that neatly summarizes the reality behind the myth. It shows that despite its going dark claims, the FBI can obtain a remarkable amount of user data from messaging apps that collectively have several billion global users. (The ability to test the governments public claims against its internal statements is one of the reasons why public access to government records, POTPs raison dtre, is so crucial.) It shows the role that cloud storage and metadata play in mitigating end-to-end encryptions impact on real-time communications surveillance. And it shows which popular E2EE messaging services truly do know next to nothing about their users.

If users think the encrypted apps they use dont keep much information about them, the FBI chart shows that belief to be largely false. With some exceptions, many major E2EE messaging services hand over all kinds of data to federal law enforcement, and cloud backups can even enable the disclosure of stored messages sent on two of the biggest E2EE messaging apps. Even if little or none of whats in the document is truly news, its still helpful to see it laid out so succinctly in a single page. If you are concerned about messaging privacy, use this chart (together with privacy and security guides specific to your situation, such as for journalism or protests) to help you decide which app is best for youand share it with the people you chat with, too. That way, you can make a more informed decision about which app(s) to keep (and which to leave behind) as we enter the new year.

Apple, Digital Surveillance, Encryption, FBI, FOIA, Law enforcement, Privacy, Stored Communications Act, Technology, WeChat, WhatsApp

See the original post:
We Now Know What Information the FBI Can Obtain from Encrypted Messaging Apps - Just Security

Related Posts
This entry was posted in $1$s. Bookmark the permalink.