A leaked FBI document lays out the information various secure messaging apps can share with law enforcement.

It can be hard to decide which secure messaging app to use. Luckily, a newly leaked document that was reportedly prepared by the FBI's Science and Technology Branch and Operational Technology Division makes it easy to see what kinds of information various services can provide in response to requests for user data.

Rolling Stone reports that the leaked document was prepared on Jan. 7. It's titled "Lawful Access," and according to its header, it describes the "FBl's Ability to Legally Access Secure Messaging App Content and Metadata." The document is unclassified, but it's alternately designated as "For Official Use Only" and "Law Enforcement Sensitive."

"As of November 2020, the FBI's ability to legally access secure content on leading messaging applications is depicted below, including details on accessible information based on the applicable legal process," it says. "Return data provided by the companies listed below, with the exception of WhatsApp, are actually logs of latent data that are provided to law enforcement in a non-real-time manner and may impact investigations due to delivery delays."

Some of the information contained within the document isn't revelatory. It was already well-known that Apple could provide full texts sent via iMessage to law enforcement if those messages are backed up to iCloud, for example, and that many services are capable of collecting metadata even if they can't share the contents of a message.

The document's specificity is new, however, as is the FBI's admission that WhatsApp is the only popular secure messaging app that provides near-real-time data in response to law enforcement requests. The document says:

Message Content: Limited*

Subpoena: Can render basic subscriber record

Court Order: Subpoena return as well as information like blocked users

Search Warrant: Provides address book contacts and WhatsApp users who have the target in their address book contacts

Pen Register: Sent every 15 minutes, provides source and destination for each message

The footnote on the "limited" message content field indicates that "if target is using an iPhone and iCloud backups enabled, iCloud returns may contain WhatsApp data to include message content." (WhatsApp's end-to-end encrypted backups, which debuted after this document was prepared, should prevent the use of that workaround.)

WhatsApp tells Rolling Stone that "We carefully review, validate, and respond to law-enforcement requests based on applicable law, and are clear about this on our website and in regular transparency reports." It also says the document "illustrates what we’ve been saying — that law enforcement doesn’t need to break end-to-end encryption to successfully investigate crimes," and confirmed it offers near-real-time data in response to pen register requests.

For some people, having end-to-end encrypted communications is enough protection, and the amount of metadata provided to law enforcement doesn't matter. But people looking to keep that information private—such as journalists who don't want to divulge their sources—now have a better idea of the metadata these apps can share with the FBI.


Comments