Date: 2021-12-03

WhatsApp and Apple’s iMessage have built multibillion-dollar empires by setting themselves up as champions of privacy, especially when it comes to securing user messages. However, an unpublished document from the FBI (Federal Bureau of Investigation) reveals the vulnerability of these apps and the possibility for the feds, when certain conditions required by law are met, to gain access to significant amounts of data.

“Lawful Access”: The FBI and WhatsApp data

This is not the first time WhatsApp has raised important privacy questions, but this time the source is not leaked information: it is an unpublished document that comes directly from the FBI and highlights the ease with which the feds, given a warrant or subpoena, may gain access to data from Facebook’s (now Meta’s) WhatsApp and Apple’s iMessage. According to Mallory Knodel, chief technology officer at the Center for Democracy and Technology, “the most popular encrypted messaging apps iMessage and WhatsApp are also the most forgiving”.

Facebook’s Mark Zuckerberg has spoken on several occasions about a “privacy-focused” vision pivoting on WhatsApp; for his part, Apple CEO Tim Cook has described privacy as a fundamental human right and as the philosophy of the Cupertino company, extended to iMessage as well, which believes in offering users transparency and control. These are laudable statements that are easy to agree with, as long as they are reflected in reality. For journalists, activists and critics of the government who deal with mass surveillance and the remuneration of politicians, whether a messaging service is secure or not determines whether they can work safely or are constantly exposed to risk.

The document in question, entitled “Lawful Access” and prepared by the Science and Technology Branch and the Operational Technology Division of the FBI, does not raise questions about the ability of the apps to guarantee security against hackers and malicious actors, but it describes how law enforcement has at its disposal various routes provided by law to extract sensitive user data from popular messaging services, even those advertised as secure and encrypted.

This document, dated 7 January 2021, is internal FBI guidance on what data state and federal law enforcement agencies may request from nine of the largest messaging services. Andrew Crocker, a senior staff attorney with the Electronic Frontier Foundation’s civil-liberties team, said: “I follow these events closely and work with these issues. I don’t think I’ve ever seen this type of information provided in this way, certainly not from a law enforcement perspective”.

With regard to WhatsApp, “Lawful Access” highlights how the service, more than any competitor, can provide information about a user and their activities practically in real time. While a subpoena yields only basic information, given a search warrant WhatsApp gives access to the contact list of a particular user and to the users who have the targeted user among their contacts. What makes WhatsApp unique is the speed with which it provides data in response to a so-called pen register (a surveillance request that covers the source and recipient of every message from a targeted user): certain metadata are provided every 15 minutes. No other service delivers data with so little delay. A spokesperson for WhatsApp confirmed this situation, highlighting some omissions in the FBI document: first, the data does not include the content of messages (and, thanks to end-to-end encryption, could not include it anyway); second, the measures are not retroactive; each request is carefully evaluated and, where appropriate, accepted by WhatsApp according to the applicable law, so end-to-end encryption does not prevent investigations into crimes. That is because the metadata WhatsApp provides reveals who a particular user is talking to and when, as well as their contact book.

The repercussions for people who want true security and anonymity, such as journalists working with confidential sources and activists, are significant, and the case of BuzzFeed News and Natalie Edwards clearly demonstrates this: Edwards and a BuzzFeed reporter had exchanged hundreds of messages on WhatsApp believing it to be a safe service, but those messages were then used by the authorities in the trial against the former senior adviser of FinCEN.

Daniel Kahn Gillmor, senior staff technologist at the American Civil Liberties Union (ACLU) described the fact that WhatsApp offers access to all this information as devastating to a reporter working with confidential sources. The FBI guide does not cover the case in which a state or federal agent physically gains access to a user’s device, in which case even end-to-end encryption is not enough to keep their data safe.

Apple’s iMessage does even worse

iMessage is the proprietary messaging service that comes pre-installed on Apple devices and is currently used by over 1.3 billion users. According to the FBI’s “Lawful Access” guide, given a judge’s order or search warrant, Apple provides basic information and data on searches carried out on iMessage in the last 25 days (what the targeted user searched for and which other users ran the same search in the same time period).

This does not include the content of messages, nor any exchange of messages between users. However, the situation changes radically if iMessage activity is backed up to iCloud: in that case the police can obtain access to the cloud backup, complete with the content of messages sent and received.

At the root of this is the very nature of iCloud: as Mallory Knodel of the Center for Democracy and Technology recalls, although the service is described by Apple as encrypted, one of the keys remains in Apple’s hands, and Apple can provide it to authorities who request it. An Apple spokesperson declined a request for comment from colleagues at Rolling Stone, confining themselves to referring to the official guidelines.

According to ACLU’s Daniel Kahn Gillmor, Apple has the resources to implement end-to-end encryption on iCloud, but has come under pressure from law enforcement agencies to shelve that project.

Other messaging services

The FBI document also covers other messaging services which, absent physical access to the device, offer very little data to law enforcement.

Signal only provides the date and time a user registered and the date and time of the last login. Wickr indicates the device used to access the app, the date the account was created and other basic information, but not detailed metadata.

Of course, despite growing numbers, the user bases of Signal and Wickr are not even remotely comparable to those of WhatsApp and iMessage. This very difference and the possibilities highlighted by “Lawful Access”, according to Wessler of the ACLU, should be taken into consideration whenever law enforcement complains that encrypted messaging services get in the way of their work.

The transparency group Property of the People, based in Washington, DC, received the document in question through a request under the Freedom of Information Act and shared it with Rolling Stone. Property of the People Executive Director Ryan Shapiro said: “Privacy is essential to democracy. The ease with which the FBI oversees our data online, undermining intimate details of our daily lives, threatens us all and paves the way for authoritarian rule.”