Documents Shows Just How Much The FBI Can Obtain From Encrypted Communication Services

from the plenty-of-data-but-content-not-so-much dept

There is no “going dark.” Consecutive FBI heads may insist there is, but a document created by their own agency contradicts their dire claims that end-to-end encryption lets the criminals and terrorists win.

Andy Kroll has the document and the details for Rolling Stone:

[I]n a previously unreported FBI document obtained by Rolling Stone, the bureau claims that it’s particularly easy to harvest data from Facebook’s WhatsApp and Apple’s iMessage services, as long as the FBI has a warrant or subpoena. Judging by this document, “the most popular encrypted messaging apps iMessage and WhatsApp are also the most permissive,” according to Mallory Knodel, the chief technology officer at the Center for Democracy and Technology.

The document [PDF] shows what can be obtained from which messaging service, with the FBI noting WhatsApp has plenty of information investigators can obtain, including almost real time collection of communications metadata.

WhatsApp will produce certain user metadata, though not actual message content, every 15 minutes in response to a pen register, the FBI says. The FBI guide explains that most messaging services do not or cannot do this and instead provide data with a lag and not in anything close to real time: “Return data provided by the companies listed below, with the exception of WhatsApp, are actually logs of latent data that are provided to law enforcement in a non-real-time manner and may impact investigations due to delivery delays.”

The FBI can obtain this info with a pen register order — the legal request used for years to obtain ongoing call data on targeted numbers, including numbers called and length of conversations. With a warrant, the FBI can get even more information. A surprising amount, actually. According to the document, WhatsApp turns over address book contacts for targeted users as well as other WhatsApp users who happen to have the targeted person in their address books.

Combine this form of contact chaining with a few pen register orders, and the FBI can basically eavesdrop on hundreds of conversations in near-real time. The caveat, of course, is that the FBI has no access to the content of the conversations. That remains locked up by WhatsApp’s encryption. Communications remain “warrant-proof,” to use a phrase bandied about by FBI directors. But is it really?

If investigators are able to access the contents of a phone (by seizing the phone or receiving permission from someone to view their end of conversations), encryption is no longer a problem. That’s one way to get past the going darkness. Then there’s stuff stored in the cloud, which can give law enforcement access to communications despite the presence of end-to-end encryption. Backups of messages might not be encrypted and — as the document points out — a warrant will put those in the hands of law enforcement.

If target is using an iPhone and iCloud backups enabled, iCloud returns may contain WhatsApp data, to include message content.

This is a feature of cloud backups — a way to retrieve messages if something goes wrong with someone’s phone or their WhatsApp account. It’s also a bug that makes encryption irrelevant. The same goes for Apple’s iMessage service. Encryption or no, backups are not encrypted by service providers. In the case of Apple’s iMessage, warrants for iCloud backups will give law enforcement the encryption key needed to decrypt the stashed messages.

On the other side, there are truly secure options that the FBI considers dead ends, starting with Signal. Signal retains no user info, which means there’s nothing to be had no matter what paperwork the feds produce. But, for the most part, even encrypted messaging and email services generate metadata that can be obtained without a warrant. If investigators want more, warrants can actually result in investigators obtaining a great deal of information about users, their interactions, and their communications. And, as is noted directly above, it can also grant access to communications users mistakenly believed were beyond the reach of law enforcement.

But not everyone using encrypted services is a criminal, no matter what FBI directors say in public. Communications metadata being only a subpoena or pen register order away is concerning, especially for those who use encrypted services not only to maintain their own privacy, but to protect those they communicate with.

“WhatsApp offering all of this information is devastating to a reporter communicating with a confidential source,” says Daniel Kahn Gillmor, a senior staff technologist at the ACLU.

Those who truly understand the protocols and platforms they use for communications will understand the tradeoffs. For everyone else, there’s this handy tip sheet, compiled by none other than the FBI, which explains exactly what each service retains and what each service will hand over in response to government paperwork.

It also shows that encryption isn’t keeping law enforcement from pursuing investigations. In rare cases, investigators may have zero access to communications. But every communications platform or service creates a digital paper trail investigators can follow until they find something that breaks the case open. “Going dark” — the idea that law enforcement is helpless in the face of increased use of encryption — is a lie. And the FBI knows it.

Filed Under: , , , , , ,
Companies: apple, facebook, meta, whatsapp

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Documents Shows Just How Much The FBI Can Obtain From Encrypted Communication Services”

Subscribe: RSS Leave a comment

The other thing is, how much communication access do they really ned for most things? Seriously. i’m pretty sure this is what they spend their time doing when they basically have nothing, and no matter what, they always will have nothing, because they don’t target the right people for investigation in the first place.



The other thing is, how much communication access do they really ned for most things?

In fact, this is a flood of information, for very little effort, compared to what they used to do. Go read the FBI file for Paul ErdÅ‘s as a point of comparison. "[…] believed by the informant to be presently a Professor of Mathematics at the University of Kansas" … "It was ascertained that subject ERDOS has not been employed on the faculty of the University of Kansas, and has not been enrolled at any time in the University" … "the Bureau is requested to authorize direct inquiries to be made of [REDACTED] and other sources […] to ascertain the names of subject’s acquaintances".

They thought this guy might be a cold-war spy, and it took them like 5 months and a lot of interviews and paperwork just to figure out who he was talking to.

Ehud Gavronsays:

Known problem with a known solution.

Imessage has always been known to be insecure. If one signs on on a new device the previous message history and message threads are displayed. That’s not secure.

Whatsapp has been known to be insecure for at least the last five years. The fact that the message content is insecure AND they’re willing to ‘play ball’ with Jackboot LEO thugs without a warrant just adds fuel to a long-burning fire.

Thus far Whisper Systems’ Signal is the only e2e encrypted app that provides a functionality equivalent to what it says — your message content is yours and the recipients’ to deal with… not Signal, not LEOs, and not pen register/taps.

The CDT opined on pen registers in the Internet age 21 years ago… and yet.. not only has no responsive legislation been passed (or even proposed) but the Internet companies aren’t fighting them.

Workaround 1: Use Signal instead of WhatsApp, Apple proprietary broken apps, or anything else that reveals content you didn’t want revealed.

Solution 1: exhort your congress critters to do something useful to update the laws to respect our constitutional rights, including the 4th and 5th amendments. As such, no "without a warrant" sharing of information mandate, and no penalties for ignoring [what should be] unlawful fishing expeditions using a pen trace.


That Anonymous Cowardsays:

That thing where they will cry state secrets or tipping their hand to the "bad guys" but shouldn’t the DoJ or Congress be demanding accurate reports of what these powers are being used for & whom they are deployed against?

Yes it is because I don’t trust them, but after they used Terrorism Fusion Centers to deep dive & surveil grandmas & peaceful protestors exercising their alleged rights there is a big deficit in trust for their claims & actions.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Older Stuff
13:40 It's Great That Winnie The Pooh Is In The Public Domain; But He Should Have Been Free In 1982 (Or Earlier) (35)
12:06 Norton 360 Now Comes With Crypto Mining Capabilities And Sketchy Removal Process (28)
10:45 Chinese Government Dragnet Now Folding In American Social Media Platforms To Silence Dissent (14)
10:40 Daily Deal: The 2022 Ultimate Cybersecurity Analyst Preparation Bundle (0)
09:29 A Fight Between Facebook And The British Medical Journal Highlights The Difficulty Of Moderating 'Medical Misinformation' (9)
06:29 Court Ruling Paves The Way For Better, More Reliable Wi-Fi (4)
20:12 Eighth Circuit (Again) Says There's Nothing Wrong With Detaining Innocent Minors At Gunpoint (15)
15:48 China's Regulatory War On Its Gaming Industry Racks Up 14k Casualties (10)
13:31 Chinese Government Fines Local Car Dealerships For Surveilling While Not Being The Government (5)
12:08 Eric Clapton Pretends To Regret The Decision To Sue Random German Woman Who Listed A Bootleg Of One Of His CDs On Ebay (29)
10:44 ICE Is So Toxic That The DHS's Investigative Wing Is Asking To Be Completely Separated From It (29)
10:39 Daily Deal: The 2022 Complete Raspberry Pi And Arduino Developer Bundle (0)
09:31 Google Blocked An Article About Police From The Intercept... Because The Title Included A Phrase That Was Also A Movie Title (24)
06:22 Wireless Carriers Balk At FAA Demand For 5G Deployment Delays Amid Shaky Safety Concerns (16)
19:53 Tenth Circuit Denies Qualified Immunity To Social Worker Who Fabricated A Mother's Confession Of Child Abuse (35)
15:39 Sci-Hub's Creator Thinks Academic Publishers, Not Her Site, Are The Real Threat To Science, And Says: 'Any Law Against Knowledge Is Fundamentally Unjust' (34)
13:32 Federal Court Tells Proud Boys Defendants That Raiding The Capitol Building Isn't Covered By The First Amendment (25)
12:14 US Courts Realizing They Have A Judge Alan Albright Sized Problem In Waco (17)
10:44 Boston Police Department Used Forfeiture Funds To Hide Purchase Of Surveillance Tech From City Reps (16)
10:39 Daily Deal: The Ultimate Microsoft Excel Training Bundle (0)
09:20 NY Senator Proposes Ridiculously Unconstitutional Social Media Law That Is The Mirror Opposite Of Equally Unconstitutional Laws In Florida & Texas (25)
06:12 Telecom Monopolies Are Exploiting Crappy U.S. Broadband Maps To Block Community Broadband Grant Requests (7)
12:00 Funniest/Most Insightful Comments Of 2021 At Techdirt (17)
10:00 Gaming Like It's 1926: Join The Fourth Annual Public Domain Game Jam (6)
09:00 New Year's Message: The Arc Of The Moral Universe Is A Twisty Path (33)
19:39 DHS, ICE Begin Body Camera Pilot Program With Surprisingly Good Policies In Place (7)
15:29 Remembering Techdirt Contributors Sherwin And Elliot (1)
13:32 DC Metro PD's Powerful Review Panel Keeps Giving Bad Cops Their Jobs Back (6)
12:11 Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers (39)
10:48 Oversight Board Overturning Instagram Takedown Of Ayahuasca Post Demonstrates The Impossibility Of Content Moderation (10)
More arrow
This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it