by Andrea O’Sullivan at Reason
Most message apps tout their privacy features in some way. It is common to hear marketing language about “end-to-end encryption” and “private messaging” for basically every communications app out there.
While it’s great that encryption has become a selling point for the public, not every “encrypted messaging service” is made equally. Depending on how it is set up, your message app may leak metadata, contacts, and even message contents.
A recently uncovered FBI document obtained by a group called Property of the People and shared with Rolling Stone illustrates just how important your choice of private messenger can be. If you think popular options like Apple’s iMessage and the Meta company formerly known as Facebook’s WhatsApp are FBI-proof, think again. The nation’s top cops can obtain a host of message information on many popular options including some mix of “subscriber data, message sender-receiver data, device backup, IP address, encryption keys, date/time information, registration time data, and user contacts.”
The document, put out a day after the brouhaha of January 6, describes methods that the FBI can legally use (as of November 2020) to procure evidence in the course of a criminal investigation. This is not a “warrantless wiretapping” kind of scenario, although these tools could of course be used in improper ways.
Nine popular messaging applications are included in the document: Apple’s iMessage; Line, a Japanese message app; Signal, an open source encrypted chat platform popularized by Edward Snowden; Telegram, which originated in Russia and is now based in Dubai; Threema, a paid encryption chat (that I used to use) with servers based in Switzerland; Viber, which was developed in Cyprus and then bought by the Japanese conglomerate Rakuten; the Chinese Swiss army knife app WeChat; Meta’s WhatsApp; and Wickr [Me], which is a chat service that Amazon Web Services apparently owns.
The bottom line: of the most popular apps, iMessage and WhatsApp are particularly susceptible to FBI snooping. Telegram and Signal score far better according to the FBI documents. (Line and Viber are also relatively bad picks, and my formerly favored Threema likewise fares more poorly than I’d have expected, but since they aren’t as popular this probably isn’t relevant for you.)
Here’s what the FBI can get from iMessage, in the order listed by the document: basic subscriber information, device backup (!), message sender-receiver data, contacts, date and time information, registration time data, and encryption keys. In other words, the whole list.
(I made sure to list these items in the order presented by the document. The ordering for each app does not match the ordering of the key at the bottom. This could be by rank of “strength” or effectiveness, or it could be totally random. Either way, worth noting.)
The “device backup” bit is an eye-catcher both for how it cuts against popular perception of platform security as well as the breadth of data it could possibly unlock. No other messaging app is listed as giving such access to the FBI. This is because iMessage is unique in that it is part of the iPhone ecosystem—the others are not tied to a particular OS.
Here is the problem: if your iPhone automatically backs up iMessage data on iCloud, which is the default, the FBI can obtain communications in a roundabout way by asking Apple to decrypt the backup on iCloud. To Apple’s credit, it did try to allow users to enjoy fully encrypted backups with no company key that could decrypt data for any third party in iCloud. However, the company had to abandon plans when the FBI objected. If you’re worried about this kind of thing, you can turn off iMessage backup on iCloud, and in fact you should probably look more into what data is stored in iCloud in general.
Actually, if you are an iPhone owner that uses WhatsApp, you should probably check your iCloud settings for that app as well. The document notes that “if target is using an iPhone and iCloud backups (sic) enabled, iCloud returns may contain WhatsApp data to include message content.”
In addition to that asterisk on WhatsApp, the FBI can obtain, in the order listed: subscriber data, registration time data, message sender-receiver data, user contacts, and data and time information. What’s unique about WhatsApp is that it can get information to the FBI within only a few minutes; Rolling Stone describes it as “practically real time.” According to the document, WhatsApp can provide metadata every 15 minutes in response to what is called a “pen register,” or way to trace things like who is talking to whom, when, and for how long. WhatsApp can’t crack the encryption on the content of messages, but it can tell the feds that suspect A was talking to suspect B every day for several months, or whatever the case may be. That can reveal a lot in the course of an investigation.
Now to the encryption winners. It’s no surprise that Signal fared well against favored FBI methods. It’s open source, independent (albeit with some surprising partnerships), and touted by public personalities with privacy-focused bonafides. Still, I would have expected the FBI to have access to more metadata than they apparently do. Way to go, Signal.
Telegram especially surprised me for scoring so well…
Continue Reading