Having end-to-end encryption may not be enough cover for privacy when using popular encrypted messaging applications, because law enforcement can access your data when they want to.
A Federal Bureau of Investigation (FBI) document prepared on January 7 has provided the kinds of user data various secure messaging apps can share at the request of law enforcement agencies.
Titled “Lawful Access,” the one-page document detailed the “FBl’s ability to legally access secure messaging app content and metadata.”
The “unclassified” document designated as “for official use only” and “law enforcement sensitive” was prepared by the FBI’s science and technology branch and operational technology division.
According to Rolling Stone, which first reported on it, the document was obtained by a group called Property of the People through an FOIA request.
It is an internal guide to how the FBI can snoop on targets using data requested from nine companies and their services: Apple’s iMessage, Line, Signal, Telegram, Threema, Viber, Tencent’s WeChat, Meta’s WhatsApp and Wickr.
Information accessible include subscriber data, messenger sender-receiver data, device backup, IP address, encryption keys, date/time information, registration time information and user contacts. All but one (IP address) of iMessage can be accessed by the FBI.
For WhatsApp, Line and iMessage, the access to message content is limited, while in the remaining, the FBI said it has no access to message content.
Only the information on the last date of a user’s connectivity and the date and time a user registered can be accessed for Signal. Telegram provides only registration time data, but for confirmed terrorist investigation, it “may disclose IO address and phone number to relevant authorities.”
“As of November 2020, the FBI’s ability to legally access secure content on leading messaging applications is depicted below, including details on accessible information based on the applicable legal process,” the document read.
“Return data provided by the companies listed below, with the exception of WhatsApp, are actually logs of latent data that are provided to law enforcement in a non-real-time manner and may impact investigations due to delivery delays.”
Some of the information in the document is not new. For one, Apple could provide full texts sent via iMessage to law enforcement if they are backed up to iCloud.
Likewise, many social networks can collect metadata even if they can not share the contents of a message, according to PC Magazine.
Nonetheless, the document is a watershed on the long debate between privacy and security.
On one hand, there are those who feel content with end-to-end encrypted communications, irrespective of third party backend access. On the other are journalists and whistleblowers who need confidentiality to stay safe.
The FBI’s revelation showed that WhatsApp is the only popular secure messaging app that provides near-real-time data in response to law enforcement requests. WhatsApp confirmed this to Rolling Stone.
“If target is using an iPhone and iCloud backups enabled, iCloud returns may contain WhatsApp data to include message content,” the document’s footnote on the “limited” message content field indicates read.
WhatsApp might have provided a workaround for this, however.
In September, WhatsApp introduced the end-to-end encryption backups which enable users to store their data in a Backup Key Vault built based on a component called a hardware security module (HSM), a specialized, secure hardware, other than “cloud-based services like Google Drive and iCloud” which “WhatsApp does not have access to (as) they are secured by the individual cloud-based storage services.”
“We carefully review, validate, and respond to law-enforcement requests based on applicable law, and are clear about this on our website and in regular transparency reports.” WhatsApp told Rolling Stone.
“[The document] illustrates what we’ve been saying — that law enforcement doesn’t need to break end-to-end encryption to successfully investigate crimes.”
PT