The DEA Is Using A Law Created To Give It Access To Landline Records To Gather Data From Encrypted Messaging Services

from the more-things-change,-the-more-they-remain-the-same dept

Everything old is new again. New and still abusable. Thomas Brewster reports for Forbes that the Drug Enforcement Agency (DEA) is taking advantage of a nearly 40-year-old law to obtain information about WhatsApp users.

In Ohio, a just-unsealed government surveillance application reveals that in November 2021, DEA investigators demanded the Facebook-owned messaging company track seven users based in China and Macau. The application reveals the DEA didn’t know the identities of any of the targets, but told WhatsApp to monitor the IP addresses and numbers with which the targeted users were communicating, as well as when and how they were using the app. Such surveillance is done using a technology known as a pen register and under the 1986 Pen Register Act, and doesn't seek any message content, which WhatsApp couldn’t provide anyway, as it is end-to-end encrypted.

Sadly, most people won't care. First, the targets are foreigners, which diminishes (but doesn't completely remove) constitutional protections. Second, the targets are suspected of trafficking in counterfeit drugs, which makes them as good as guilty in the general public's mind. Third, the orders ask for communication metadata, not the communications themselves -- something Brewster points out would be impossible to obtain no matter how the DEA asked for it.

But there are reasons to be concerned. The law is outdated. It was put in place when the primary means of communication was landlines. Since telcos needed connection information for billing, the law assumed phone users were fully aware their communications metadata (which was far more limited in those days) was being collected so they could be billed correctly for phone service.

Technology has changed but the law hasn't. People communicate far more frequently than they did back in the days when it required more of an effort. And yet the law remains unchanged, allowing law enforcement to avoid having to approach anything resembling probable cause to collect metadata on communications.

And it's not just a one-time collection. Orders can be handed out that require companies like WhatsApp to "trap and trace," i.e., collect all metadata from targeted users for weeks or months on end. Law enforcement doesn't have to provide the courts with much to obtain permission to do this. All it needs to do is show it has an interest in the targets and that the information is a third-party record -- something that falls outside of the Fourth Amendment's protections for the most part.

But users of messaging apps likely aren't aware these platforms are collecting data on communications. They may assume entities like WhatsApp collect no info, given that they've been assured the content of their communications are encrypted.

Here's all the government needs to hand over to secure a pen register order:

In the Ohio pen register application, the government wrote explicitly that it only needs to provide three facts to get approval to use a pen register, none of which provide any background on the relevant investigation. They include: the identity of the attorney or the law enforcement officer making the application; the identity of the agency making the application; and a certification from the applicant that “the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by that agency.”

If this were a lawsuit, a court would admonish the plaintiff for making these sorts of conclusory statements without offering any support for them. But since it's a pen register order, conclusory, unsupported statements are all that are needed to start rooting around in people's metadata.

And while metadata may be far less revealing than the content of communications, it's an absolute lie to say metadata is harmless and unrevealing. The first clue is the government's interest in it. If it was useless data, the DEA wouldn't be trying to obtain it. Gather enough communications metadata and you can start making plenty of inferences about social circles and daily habits. There's an expectation of privacy in this data -- one people assume already exists but has never been recognized by a US federal court. And when asked directly, courts tend to punt on the issue, assuming that if Congress meant to protect people from this level of government intrusion, surely it would have done so already.

The government still loves this law and has no desire to see it taken off the books or neutralized by Supreme Court precedent. And so it continues to exist, demanding nothing more from law enforcement than the ability to copy-paste boilerplate into a pen register request. The (drug) cops have it easier than they claim in public. Nothing stands between them and this metadata, and no one with the power to change it is in any hurry to do so.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 4th amendment, dea, encryption, landlines, pen register, wiretapping