The DEA Is Using A Law Created To Give It Access To Landline Records To Gather Data From Encrypted Messaging Services
from the more-things-change,-the-more-they-remain-the-same dept
Everything old is new again. New and still abusable. Thomas Brewster reports for Forbes that the Drug Enforcement Agency (DEA) is taking advantage of a nearly 40-year-old law to obtain information about WhatsApp users.
In Ohio, a just-unsealed government surveillance application reveals that in November 2021, DEA investigators demanded the Facebook-owned messaging company track seven users based in China and Macau. The application reveals the DEA didn’t know the identities of any of the targets, but told WhatsApp to monitor the IP addresses and numbers with which the targeted users were communicating, as well as when and how they were using the app. Such surveillance is done using a technology known as a pen register and under the 1986 Pen Register Act, and doesn't seek any message content, which WhatsApp couldn’t provide anyway, as it is end-to-end encrypted.
Sadly, most people won't care. First, the targets are foreigners, which diminishes (but doesn't completely remove) constitutional protections. Second, the targets are suspected of trafficking in counterfeit drugs, which makes them as good as guilty in the general public's mind. Third, the orders ask for communication metadata, not the communications themselves -- something Brewster points out would be impossible to obtain no matter how the DEA asked for it.
But there are reasons to be concerned. The law is outdated. It was put in place when the primary means of communication was landlines. Since telcos needed connection information for billing, the law assumed phone users were fully aware their communications metadata (which was far more limited in those days) was being collected so they could be billed correctly for phone service.
Technology has changed but the law hasn't. People communicate far more frequently than they did back in the days when it required more of an effort. And yet the law remains unchanged, allowing law enforcement to avoid having to approach anything resembling probable cause to collect metadata on communications.
And it's not just a one-time collection. Orders can be handed out that require companies like WhatsApp to "trap and trace," i.e., collect all metadata from targeted users for weeks or months on end. Law enforcement doesn't have to provide the courts with much to obtain permission to do this. All it needs to do is show it has an interest in the targets and that the information is a third-party record -- something that falls outside of the Fourth Amendment's protections for the most part.
But users of messaging apps likely aren't aware these platforms are collecting data on communications. They may assume entities like WhatsApp collect no info, given that they've been assured the content of their communications are encrypted.
Here's all the government needs to hand over to secure a pen register order:
In the Ohio pen register application, the government wrote explicitly that it only needs to provide three facts to get approval to use a pen register, none of which provide any background on the relevant investigation. They include: the identity of the attorney or the law enforcement officer making the application; the identity of the agency making the application; and a certification from the applicant that “the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by that agency.”
If this were a lawsuit, a court would admonish the plaintiff for making these sorts of conclusory statements without offering any support for them. But since it's a pen register order, conclusory, unsupported statements are all that are needed to start rooting around in people's metadata.
And while metadata may be far less revealing than the content of communications, it's an absolute lie to say metadata is harmless and unrevealing. The first clue is the government's interest in it. If it was useless data, the DEA wouldn't be trying to obtain it. Gather enough communications metadata and you can start making plenty of inferences about social circles and daily habits. There's an expectation of privacy in this data -- one people assume already exists but has never been recognized by a US federal court. And when asked directly, courts tend to punt on the issue, assuming that if Congress meant to protect people from this level of government intrusion, surely it would have done so already.
The government still loves this law and has no desire to see it taken off the books or neutralized by Supreme Court precedent. And so it continues to exist, demanding nothing more from law enforcement than the ability to copy-paste boilerplate into a pen register request. The (drug) cops have it easier than they claim in public. Nothing stands between them and this metadata, and no one with the power to change it is in any hurry to do so.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, dea, encryption, landlines, pen register, wiretapping
Reader Comments
Subscribe: RSS
View by: Time | Thread
Hope Hitler is satisfied with what they're doing! Dont suppose the rest of the Nazi policies will be far behind!
[ link to this | view in chronology ]
No. The targets are thought to be in a foreign nation. While there is a good chance they are foreigners, that is by no means certain. DEA claims not to know their identities.
The IP address does not characterize the user. Didn't we learn this in the RIAA torrent wars?
[ link to this | view in chronology ]
Information not given.
"DEA investigators demanded the Facebook-owned messaging company track seven users based in China and Macau. The application reveals the DEA didn’t know the identities of any of the targets, "
USA DEA has little to do in other countries. But they Can report actions into the USA To those other countries agencies.
But a strange question comes to mind.
"suspected of trafficking in counterfeit drugs"
Who in the USA would care about this? There are so many Miracle Cures on FB, its abit ridiculous.
Would wonder Who gave those numbers to the DEA, or how they got them. Unless they know of the receiver, thats selling it.
Or, it could be the Pharma are abit upset about someone.
Is the USA still upset with Canada and generic drugs? They locked down the distribution of a common Diabetic drug to the USA.
[ link to this | view in chronology ]
Ok choir.
Let's sing one more chorus, shall we?
Opening your files
They're hiring some spies to see
You're just a poor pleb, you'll get no sympathy
Because the government
never met
a data it
didn't like
Any way the trail goes
They will see what it reveals, reveals
[ link to this | view in chronology ]
Tim, perhaps you're too young to remember, but that's not really a valid justification. Local calls were neither billed nor (normally) tracked in 1986, and in fact were essentially untraceable before caller ID—which was regarded by some as a huge privacy invasion when it debuted in 1993. (Did you ever see those old movies where tracing a call was an elaborate time-consuming task? Not quite true by 1986, in areas with digital switches, but it wasn't invented by scriptwriters to add tension.)
The "pen registers" referred to were often physical devices that had to be physically attached to the suspect's line, and collected information the phone company often did not otherwise collect.
[ link to this | view in chronology ]
Someone get a pen register on Lindsey Grahams phone for the meta data from Grindr, then the law will get fixed.
[ link to this | view in chronology ]
Re:
How's that saying go, something along the lines of 'the quickest way to overturn a law is to enforce it totally'? If politicians had to deal with the laws they pass the same way that everyone else does things would be very different, of that I have no doubt.
[ link to this | view in chronology ]
Re:
Those records (assuming you mean a government-issued phone) are probably subject to FOIA, in theory, though the government may make things difficult.
[ link to this | view in chronology ]