Court Order Shows DEA Demanding Tons Of Data From WhatsApp And Bunch Of Other Service Providers
from the routing-around-encryption dept
Encryption may be posing problems for law enforcement investigations, but the problems are not as insurmountable or widespread as certain encryption critics are portraying them. Enormous amounts of data are created by cellphone app users every time they communicate. While the content of communications is often of more evidentiary value, there’s still a wealth of information investigators can obtain that isn’t protected by encryption.
As investigators are getting more creative, they’re also getting more careless. Thomas Brewster of Forbes reports the US government is trying to force WhatsApp to turn over information it has no right to demand from the company, including information WhatsApp may not even have.
[T]he order, unsealed on New Year’s Eve, asked for information WhatsApp wouldn’t ever provide. That included the identity of other WhatsApp accounts that were created using the same IP address, recovery email, telephone number “or other identifiers”. Investigators at the DEA also wanted the “identity of all accounts that are linked to the account by cookies,” —cookies being little programs that keep track of people’s use of different applications. Then they demanded “IP addresses of any websites or other servers to which the cellphone device or devices connected.” And finally they wanted “post-cut-through dialed digits”—the numbers hit by the user once a call is started.
WhatsApp told Forbes it doesn’t collect much of the information being sought here. As for the “post-cut-through dialed digits,” those could be considered communications content in certain cases, meaning the trap/trace request being used here is insufficient under the Fourth Amendment. A warrant is required to obtain communications but it appears no warrant has been served to WhatsApp. However, a footnote in the order says the government will make no “affirmative investigative use” of any post-cut-through digits determined to be content. But that puts everyone in the position of trusting an agency known for its liberal use of parallel construction to launder evidence it has questionably obtained.
Investigators aren’t limiting themselves to WhatsApp. The search for a Mexican meth dealer runs through a number of other tech companies that might be linked to the WhatsApp user the government is targeting.
[T]he order went further still, telling not only WhatsApp, but also Google and a host of telecom providers or “any other provider of any wire or electronic communications service” to provide a range of more detailed data on any accounts tracked by Facebook’s encrypted chat apps. That included names, addresses, email addresses and credit card numbers.
The data demands were also made of a number of other companies — data the DEA wanted 24/7 access to as it was gathered. From the proposed order [PDF]:
The United States further requests, pursuant to 18 U.S.C. § 2703(c) and (d), that WhatsApp Inc., Cingular Wireless, Sprint Nextel Corporation, Leap Wireless Communications, Inc., Cricket Communications, T-Mobile USA, Cellco Partnership d/b/a Verizon Wireless, AT&T Wireless, Google, and/or any other provider of wire communications service, provide subscriber information as defined in 18 U.S.C. § 2703(c)(2) pursuant to this Order for the accounts revealed by the pen-trap devices to the DEA.
Along with the always-on access, the DEA demanded 24/7 silence from all targeted companies for one year. The silence didn’t last, though. WhatsApp challenged the gag order and managed to get this proposed order (which was granted by the judge) unsealed.
The order is broad and it affects a number of service providers. And the order has no end date, allowing the government to harvest metadata and personal info on an ongoing basis in perpetuity. It appears the order was approved the same day the application was made, which strongly suggests the judge did not ask for anything to be modified by the DEA.
Encryption works. It keeps communications secure. But just because there’s a wealth of data being generated doesn’t mean the government is entitled to all of it. The order shows the DEA has an undercover agent in communication with the target so it’s not as if the government is locked out of all communications. The digital playing field has resulted in altered strategies but it did not throw out the rulebook. The loss of a wiretap option doesn’t grant permission to operate a data dragnet.