Court Order Shows DEA Demanding Tons Of Data From WhatsApp And Bunch Of Other Service Providers

from the routing-around-encryption dept

Encryption may be posing problems for law enforcement investigations, but the problems are not as insurmountable or widespread as certain encryption critics are portraying them. Enormous amounts of data are created by cellphone app users every time they communicate. While the content of communications is often of more evidentiary value, there's still a wealth of information investigators can obtain that isn't protected by encryption.

As investigators are getting more creative, they're also getting more careless. Thomas Brewster of Forbes reports the US government is trying to force WhatsApp to turn over information it has no right to demand from the company -- which also includes information WhatsApp may not even have.

[T]he order, unsealed on New Year’s Eve, asked for information WhatsApp wouldn’t ever provide. That included the identity of other WhatsApp accounts that were created using the same IP address, recovery email, telephone number “or other identifiers”. Investigators at the DEA also wanted the “identity of all accounts that are linked to the account by cookies,” —cookies being little programs that keep track of people’s use of different applications. Then they demanded “IP addresses of any websites or other servers to which the cellphone device or devices connected.” And finally they wanted “post-cut-through dialed digits”—the numbers hit by the user once a call is started.

WhatsApp told Forbes it doesn't collect much of the information being sought here. As for the "post-cut-through dialed digits," those could be considered communications content in certain cases, meaning the trap/trace request being used here is insufficient under the Fourth Amendment. A warrant is required to obtain communications but it appears no warrant has been served to WhatsApp. However, a footnote in the order says the government will make no "affirmative investigative use" of any post-cut-through digits determined to be content. But that puts everyone in the position of trusting an agency known for its liberal use of parallel construction to launder evidence it has questionably obtained.

Investigators aren't limiting themselves to WhatsApp. The search for a Mexican meth dealer runs through a number of other tech companies that might be linked to the WhatsApp user the government is targeting.

[T]he order went further still, telling not only WhatsApp, but also Google and a host of telecom providers or “any other provider of any wire or electronic communications service” to provide a range of more detailed data on any accounts tracked by Facebook’s encrypted chat apps. That included names, addresses, email addresses and credit card numbers.

The data demands were also made of a number of other companies -- data the DEA wanted 24/7 access to as it was gathered. From the proposed order [PDF]:

The United States further requests, pursuant to 18 U.S.C. § 2703(c) and (d), that WhatsApp Inc., Cingular Wireless, Sprint Nextel Corporation, Leap Wireless Communications, Inc., Cricket Communications, T-Mobile USA, Cellco Partnership d/b/a Verizon Wireless, AT&T Wireless, Google, and/or any other provider of wire communications service, provide subscriber information as defined in 18 U.S.C. § 2703(c)(2) pursuant to this Order for the accounts revealed by the pen-trap devices to the DEA.

Along with the always-on access, the DEA demanded 24/7 silence from all targeted companies for one year. The silence didn't last, though. WhatsApp challenged the gag order and managed to get this proposed order (which was granted by the judge) unsealed.

The order is broad and it affects a number of service providers. And the order has no end date, allowing the government to harvest metadata and personal info on an ongoing basis in perpetuity. It appears the order was approved the same day the application was made, which strongly suggests the judge did not ask for anything to be modified by the DEA.

Encryption works. It keeps communications secure. But just because there's a wealth of data being generated doesn't mean the government is entitled to all of it. The order shows the DEA has an undercover agent in communication with the target so it's not as if the government is locked out of all communications. The digital playing field has resulted in altered strategies but it did not throw out the rulebook. The loss of a wiretap option doesn't grant permission to operate a data dragnet.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 4th amendment, communications, dea, encryption, warrant
Companies: facebook, whatsapp