Document Shows Just How Much The FBI Can Obtain From Encrypted Communication Services
from the plenty-of-data-but-content-not-so-much dept
There is no "going dark." Consecutive FBI heads may insist there is, but a document created by their own agency contradicts their dire claims that end-to-end encryption lets the criminals and terrorists win.
Andy Kroll has the document and the details for Rolling Stone:
[I]n a previously unreported FBI document obtained by Rolling Stone, the bureau claims that it’s particularly easy to harvest data from Facebook’s WhatsApp and Apple’s iMessage services, as long as the FBI has a warrant or subpoena. Judging by this document, “the most popular encrypted messaging apps iMessage and WhatsApp are also the most permissive,” according to Mallory Knodel, the chief technology officer at the Center for Democracy and Technology.
The document [PDF] shows what can be obtained from which messaging service, with the FBI noting WhatsApp has plenty of information investigators can obtain, including almost real-time collection of communications metadata.
WhatsApp will produce certain user metadata, though not actual message content, every 15 minutes in response to a pen register, the FBI says. The FBI guide explains that most messaging services do not or cannot do this and instead provide data with a lag and not in anything close to real time: “Return data provided by the companies listed below, with the exception of WhatsApp, are actually logs of latent data that are provided to law enforcement in a non-real-time manner and may impact investigations due to delivery delays.”
The FBI can obtain this info with a pen register order -- the legal request used for years to obtain ongoing call data on targeted numbers, including numbers called and length of conversations. With a warrant, the FBI can get even more information. A surprising amount, actually. According to the document, WhatsApp turns over address book contacts for targeted users as well as other WhatsApp users who happen to have the targeted person in their address books.
Combine this form of contact chaining with a few pen register orders, and the FBI can basically eavesdrop on hundreds of conversations in near-real time. The caveat, of course, is that the FBI has no access to the content of the conversations. That remains locked up by WhatsApp's encryption. Communications remain "warrant-proof," to use a phrase bandied about by FBI directors. But is it really?
If investigators are able to access the contents of a phone (by seizing the phone or receiving permission from someone to view their end of conversations), encryption is no longer a problem. That's one way to get past the going darkness. Then there's stuff stored in the cloud, which can give law enforcement access to communications despite the presence of end-to-end encryption. Backups of messages might not be encrypted and -- as the document points out -- a warrant will put those in the hands of law enforcement.
If target is using an iPhone and iCloud backups enabled, iCloud returns may contain WhatsApp data, to include message content.
This is a feature of cloud backups -- a way to retrieve messages if something goes wrong with someone's phone or their WhatsApp account. It's also a bug that makes encryption irrelevant. The same goes for Apple's iMessage service. Encryption or no, backups are not encrypted by service providers. In the case of Apple's iMessage, warrants for iCloud backups will give law enforcement the encryption key needed to decrypt the stashed messages.
On the other side, there are truly secure options that the FBI considers dead ends, starting with Signal. Signal retains no user info, which means there's nothing to be had no matter what paperwork the feds produce. But, for the most part, even encrypted messaging and email services generate metadata that can be obtained without a warrant. If investigators want more, warrants can actually result in investigators obtaining a great deal of information about users, their interactions, and their communications. And, as is noted directly above, it can also grant access to communications users mistakenly believed were beyond the reach of law enforcement.
But not everyone using encrypted services is a criminal, no matter what FBI directors say in public. Communications metadata being only a subpoena or pen register order away is concerning, especially for those who use encrypted services not only to maintain their own privacy, but to protect those they communicate with.
“WhatsApp offering all of this information is devastating to a reporter communicating with a confidential source,” says Daniel Kahn Gillmor, a senior staff technologist at the ACLU.
Those who truly understand the protocols and platforms they use for communications will understand the tradeoffs. For everyone else, there's this handy tip sheet, compiled by none other than the FBI, which explains exactly what each service retains and what each service will hand over in response to government paperwork.
It also shows that encryption isn't keeping law enforcement from pursuing investigations. In rare cases, investigators may have zero access to communications. But every communications platform or service creates a digital paper trail investigators can follow until they find something that breaks the case open. "Going dark" -- the idea that law enforcement is helpless in the face of increased use of encryption -- is a lie. And the FBI knows it.
Filed Under: 4th amendment, encryption, fbi, going dark, lawful access, subpoena, warrant
Companies: apple, facebook, meta, whatsapp
Reader Comments
Shocked, shocked I tell you!
You mean to tell me that the FBI LIED about "going dark" and that they in fact have plenty of tools available to track down suspects? Well I'd never!
Seriously, we live in what many experts call the "Golden Age Of Surveillance".
[ link to this | view in chronology ]
Sorry, I first read that as...
[ link to this | view in chronology ]
FBI is a pen-pal of WhatsApp. Go figure.
[ link to this | view in chronology ]
But nothing warrants suspicion about the FBI?
[ link to this | view in chronology ]
The other thing is, how much communication access do they really need for most things? Seriously. I'm pretty sure this is what they spend their time doing when they basically have nothing, and no matter what, they always will have nothing, because they don't target the right people for investigation in the first place.
[ link to this | view in chronology ]
Re:
In fact, this is a flood of information, for very little effort, compared to what they used to do. Go read the FBI file for Paul Erdős as a point of comparison. "[...] believed by the informant to be presently a Professor of Mathematics at the University of Kansas" ... "It was ascertained that subject ERDOS has not been employed on the faculty of the University of Kansas, and has not been enrolled at any time in the University" ... "the Bureau is requested to authorize direct inquiries to be made of [REDACTED] and other sources [...] to ascertain the names of subject's acquaintances".
They thought this guy might be a cold-war spy, and it took them like 5 months and a lot of interviews and paperwork just to figure out who he was talking to.
[ link to this | view in chronology ]
When your head is up your ass, everything looks dark.
[ link to this | view in chronology ]
Known problem with a known solution.
iMessage has always been known to be insecure. If one signs on on a new device the previous message history and message threads are displayed. That's not secure.
WhatsApp has been known to be insecure for at least the last five years. The fact that the message content is insecure AND they're willing to 'play ball' with Jackboot LEO thugs without a warrant just adds fuel to a long-burning fire.
Thus far Whisper Systems' Signal is the only e2e encrypted app that provides a functionality equivalent to what it says -- your message content is yours and the recipients' to deal with... not Signal, not LEOs, and not pen register/taps.
The CDT opined on pen registers in the Internet age 21 years ago... and yet... not only has no responsive legislation been passed (or even proposed) but the Internet companies aren't fighting them.
https://cdt.org/wp-content/uploads/security/000404amending.shtml
Workaround 1: Use Signal instead of WhatsApp, Apple proprietary broken apps, or anything else that reveals content you didn't want revealed.
Solution 1: exhort your congress critters to do something useful to update the laws to respect our constitutional rights, including the 4th and 5th amendments. As such, no "without a warrant" sharing of information mandate, and no penalties for ignoring [what should be] unlawful fishing expeditions using a pen trace.
E
[ link to this | view in chronology ]
Re: Known problem with a known solution.
Unfortunately, Apple has decreed that no message app may replace the default message app.
[ link to this | view in chronology ]
Re: Re: Known problem with a known solution.
Then replace Apple.
[ link to this | view in chronology ]
That thing where they will cry state secrets or tipping their hand to the "bad guys" but shouldn't the DoJ or Congress be demanding accurate reports of what these powers are being used for & whom they are deployed against?
Yes it is because I don't trust them, but after they used Terrorism Fusion Centers to deep dive & surveil grandmas & peaceful protestors exercising their alleged rights there is a big deficit in trust for their claims & actions.
[ link to this | view in chronology ]
I think you are right, we all were facing same...
[ link to this | view in chronology ]
The best part of that page? "Session" isn't even on it. Oh, and last time I checked, Signal still wanted your phone number to use it...
[ link to this | view in chronology ]