By Kit Klarenberg, an investigative journalist exploring the role of intelligence services in shaping politics and perceptions. Follow him on Twitter @KitKlarenberg
An internal FBI report reveals how WhatsApp and iMessage happily hand over users’ data to the Feds, sometimes providing the source and destination of messages every 15 minutes.
The sensitive Federal Bureau of Investigation paper, unearthed by the transparency group Property of the People, spells out in concise yet shocking detail the Bureau’s ability to secure messaging app content and associated metadata via warrants and subpoenas – and shows that WhatsApp and Apple’s iMessage turn over the most information to authorities.
Dated January 7, 2021, and prepared by the FBI’s Science and Technology Branch and Operational Technology Division, it lists a number of popular messaging apps, the methods by which information can be extracted from them, and what data can be secured by investigators.
The file notes that a subpoena submitted to WhatsApp owner Meta delivers “basic” user records, a court order gives “information like blocked users,” and a search warrant provides “address book contacts and WhatsApp users” whohave the “target” saved as a contact. A surveillance request known as a “pen register” will result in WhatsApp providing the FBI with the source and destination of a user’s messages every 15 minutes.
The actual content apparently won’t be disclosed – although even without access to messages themselves, knowing who has been texting who, and when, is still highly revealing, and could be crucial in identifying the source of leaked information within an organization, for example.
In any event, WhatsApp messages can be accessed by the Bureau if that user is using an iPhone and has enabled iCloud backups. This is facilitated by Apple maintaining a policy of turning over iCloud encryption keys in response to FBI warrants, which also grant the agency access to iMessages. Data requests filed under 18 US Code § 2703 turn up “25 days of iMessage lookups to and from a target number.”
Nonetheless, WhatsApp is the only messaging platform listed that offers close-to real-time disclosure of data – the guide, presumably with some chagrin, records how the slow pace with which other apps provide information “may impact investigations due to delivery delays.”
Comparatively, the amount of data that can be accessed from other messaging apps is trifling. For instance, investigators can access certain information on users of Signal – much-vaunted by privacy advocates despite being developed with US government funding – including the date and time a user registered, and the last time they were active on the app. Telegram’s strict policy of not cooperating with court orders, apart from “confirmed terrorist investigations,” in which the app may disclose IP addresses and phone numbers to relevant authorities, is also noted.
It’s a rare insight into the systematic manner in which US authorities can access private information, and can only cast significant doubt on the publicly avowed positions of Apple and Facebook/Meta in respect of user privacy. It was only in September that the former’s CEO boldly declared that his company “[believes] privacy is a basic human right” and “one of the most consequential issues of our time,” boasting of how its app store had recently implemented a privacy “nutrition label” system, outlining to users what information apps collect on them and why.
“We’re all about giving the user transparency and control… It sounds simple, but it’s a profound change. We’re working for the user. It’s not about a marketing slogan or a way to sell things. It’s a core value of ours,” he claimed.
That such noises were absolutely just a “marketing slogan” was heavily implied in January 2020, when it was reported Apple had jettisoned plans to allow iPhone users to fully encrypt backups of their devices on iCloud two years prior, due to direct FBI pressure. Similarly, Meta chief Mark Zuckerberg’s lengthy March 2019 op-ed for the New York Times outlining his “privacy-focused vision for social networking” was somewhat hard to swallow given that nine years earlier, he’d proclaimed privacy was no longer a “social norm”.
Still, the Facebook founder spoke with apparent passion and approval of “the future of communication… increasingly [shifting] to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won’t stick around forever,” a future “I hope we will help bring about.” He specifically cited “the way we’ve developed WhatsApp” – which he acquired in 2014, and is now the world’s most popular messaging platform – as instructive for how all the company’s social media assets would be made “as secure as possible.”
Even if that stated vision was at all sincere at the time, in the wake of dubious ‘whistleblower’ Frances Haugen going public about her alleged concerns over the threat posed to US national security by Meta in its present form, and widely repeated demands that Western governments be granted greater powers of surveillance, censorship, and control of social media and the internet more widely, it may simply no longer be feasible.
Facebook arguably already acts as an effective arm of US state power, or is at least subordinate to it – in 2020, it complied with 89% of Washington’s requests for user data. Its Threat Intelligence division, from which Haugen hails, is a veritable den of spies, counting numerous former CIA and NSA operatives among its staff. Coincidentally, several of these individuals have contributed to the ongoing wall of negativity surrounding end-to-end encryption.
The newly released FBI file raises all manner of questions about the true rationale behind this long-running anti-encryption push. After all, with such an array of sensitive information so easily discoverable via standard legal procedures, why would greater access be required?