Document Shows Just How Much The FBI Can Obtain From Encrypted Communication Services

from the plenty-of-data-but-content-not-so-much dept

There is no “going dark.” Consecutive FBI heads may insist there is, but a document created by their own agency contradicts their dire claims that end-to-end encryption lets the criminals and terrorists win.

Andy Kroll has the document and the details for Rolling Stone:

[I]n a previously unreported FBI document obtained by Rolling Stone, the bureau claims that it’s particularly easy to harvest data from Facebook’s WhatsApp and Apple’s iMessage services, as long as the FBI has a warrant or subpoena. Judging by this document, “the most popular encrypted messaging apps iMessage and WhatsApp are also the most permissive,” according to Mallory Knodel, the chief technology officer at the Center for Democracy and Technology.

The document [PDF] shows what can be obtained from which messaging service, with the FBI noting WhatsApp has plenty of information investigators can obtain, including almost real time collection of communications metadata.

WhatsApp will produce certain user metadata, though not actual message content, every 15 minutes in response to a pen register, the FBI says. The FBI guide explains that most messaging services do not or cannot do this and instead provide data with a lag and not in anything close to real time: “Return data provided by the companies listed below, with the exception of WhatsApp, are actually logs of latent data that are provided to law enforcement in a non-real-time manner and may impact investigations due to delivery delays.”

The FBI can obtain this info with a pen register order — the legal request used for years to obtain ongoing call data on targeted numbers, including numbers called and length of conversations. With a warrant, the FBI can get even more information. A surprising amount, actually. According to the document, WhatsApp turns over address book contacts for targeted users as well as other WhatsApp users who happen to have the targeted person in their address books.

Combine this form of contact chaining with a few pen register orders, and the FBI can basically eavesdrop on hundreds of conversations in near-real time. The caveat, of course, is that the FBI has no access to the content of the conversations. That remains locked up by WhatsApp’s encryption. Communications remain “warrant-proof,” to use a phrase bandied about by FBI directors. But is it really?

If investigators are able to access the contents of a phone (by seizing the phone or receiving permission from someone to view their end of conversations), encryption is no longer a problem. That’s one way to get past the going darkness. Then there’s stuff stored in the cloud, which can give law enforcement access to communications despite the presence of end-to-end encryption. Backups of messages might not be encrypted and — as the document points out — a warrant will put those in the hands of law enforcement.

“If target is using an iPhone and iCloud backups enabled, iCloud returns may contain WhatsApp data, to include message content.”

This is a feature of cloud backups — a way to retrieve messages if something goes wrong with someone’s phone or their WhatsApp account. It’s also a bug that makes encryption irrelevant. The same goes for Apple’s iMessage service. Encryption or no, backups are not encrypted by service providers. In the case of Apple’s iMessage, warrants for iCloud backups will give law enforcement the encryption key needed to decrypt the stashed messages.

On the other side, there are truly secure options that the FBI considers dead ends, starting with Signal. Signal retains no user info, which means there’s nothing to be had no matter what paperwork the feds produce. But, for the most part, even encrypted messaging and email services generate metadata that can be obtained without a warrant. If investigators want more, warrants can actually result in investigators obtaining a great deal of information about users, their interactions, and their communications. And, as is noted directly above, it can also grant access to communications users mistakenly believed were beyond the reach of law enforcement.

But not everyone using encrypted services is a criminal, no matter what FBI directors say in public. Communications metadata being only a subpoena or pen register order away is concerning, especially for those who use encrypted services not only to maintain their own privacy, but to protect those they communicate with.

“WhatsApp offering all of this information is devastating to a reporter communicating with a confidential source,” says Daniel Kahn Gillmor, a senior staff technologist at the ACLU.

Those who truly understand the protocols and platforms they use for communications will understand the tradeoffs. For everyone else, there’s this handy tip sheet, compiled by none other than the FBI, which explains exactly what each service retains and what each service will hand over in response to government paperwork.

It also shows that encryption isn’t keeping law enforcement from pursuing investigations. In rare cases, investigators may have zero access to communications. But every communications platform or service creates a digital paper trail investigators can follow until they find something that breaks the case open. “Going dark” — the idea that law enforcement is helpless in the face of increased use of encryption — is a lie. And the FBI knows it.

Companies: apple, facebook, meta, whatsapp

Comments on “Document Shows Just How Much The FBI Can Obtain From Encrypted Communication Services”

13 Comments
Anonymous Coward says:

The other thing is, how much communication access do they really need for most things? Seriously. I’m pretty sure this is what they spend their time doing when they basically have nothing, and no matter what, they always will have nothing, because they don’t target the right people for investigation in the first place.

Anonymous Coward says:

Re: Re:

The other thing is, how much communication access do they really need for most things?

In fact, this is a flood of information, for very little effort, compared to what they used to do. Go read the FBI file for Paul Erdős as a point of comparison. "[…] believed by the informant to be presently a Professor of Mathematics at the University of Kansas" … "It was ascertained that subject ERDOS has not been employed on the faculty of the University of Kansas, and has not been enrolled at any time in the University" … "the Bureau is requested to authorize direct inquiries to be made of [REDACTED] and other sources […] to ascertain the names of subject’s acquaintances".

They thought this guy might be a cold-war spy, and it took them like 5 months and a lot of interviews and paperwork just to figure out who he was talking to.

Ehud Gavron (profile) says:

Known problem with a known solution.

iMessage has always been known to be insecure. If one signs on on a new device the previous message history and message threads are displayed. That’s not secure.

WhatsApp has been known to be insecure for at least the last five years. The fact that the message content is insecure AND they’re willing to ‘play ball’ with Jackboot LEO thugs without a warrant just adds fuel to a long-burning fire.

Thus far Whisper Systems’ Signal is the only e2e encrypted app that provides a functionality equivalent to what it says — your message content is yours and the recipients’ to deal with… not Signal, not LEOs, and not pen register/taps.

The CDT opined on pen registers in the Internet age 21 years ago… and yet.. not only has no responsive legislation been passed (or even proposed) but the Internet companies aren’t fighting them.
https://cdt.org/wp-content/uploads/security/000404amending.shtml

Workaround 1: Use Signal instead of WhatsApp, Apple proprietary broken apps, or anything else that reveals content you didn’t want revealed.

Solution 1: exhort your congress critters to do something useful to update the laws to respect our constitutional rights, including the 4th and 5th amendments. As such, no "without a warrant" sharing of information mandate, and no penalties for ignoring [what should be] unlawful fishing expeditions using a pen trace.

E

That Anonymous Coward (profile) says:

That thing where they will cry state secrets or tipping their hand to the "bad guys" but shouldn’t the DoJ or Congress be demanding accurate reports of what these powers are being used for & whom they are deployed against?

Yes it is because I don’t trust them, but after they used Terrorism Fusion Centers to deep dive & surveil grandmas & peaceful protestors exercising their alleged rights there is a big deficit in trust for their claims & actions.
