FBI Document Shows How Popular Secure Messaging Apps Stack Up

Choosing which secure messaging software to use can be difficult. Fortunately, a recently released document purportedly written by the FBI’s Science and Technology Branch and Operational Technology Division makes it simple to discover what types of information different services can supply in response to requests for user data.

According to Rolling Stone, the leaked document was produced on January 7. It’s called “Lawful Access,” and it describes “FBl’s Ability to Legally Access Secure Messaging App Content and Metadata,” according to the header. The document is unclassified, but it is labeled “For Official Use Only” and “Law Enforcement Sensitive” on different occasions. “The FBI’s ability to legally access secure content on leading messaging services as of November 2020 is represented here, including details on accessible information based on the applicable legal process,” it states. “With the exception of WhatsApp, the return data provided by the companies listed below are essentially logs of latent data that are provided to law enforcement in a non-real-time manner and may influence investigations due to delivery delays.” Some of the information in the document isn’t very revelatory. It was already common knowledge that Apple could supply law enforcement with full texts sent via iMessage if those communications were saved up to iCloud, and that many services can gather metadata even if they can’t disclose the contents of a message.

The document’s specificity is new, as is the FBI’s revelation that WhatsApp is the only popular secure messaging software that responds to law enforcement demands in near-real-time.

According to the document:

  • Content of Message: Limited*
  • Subpoena: This can be used to create a simple subscriber record.
  • Subpoenas must be returned, as well as information such as barred users, according to a court order.
  • Address book connections and WhatsApp users who have the target in their address book contacts are provided with a search warrant.
  • Each message’s source and destination are provided in the Pen Register, which is sent every 15 minutes.

“If the target is using an iPhone and iCloud backups are enabled, iCloud returns may contain WhatsApp data to include message content,” according to the footnote on the “limited” message content field. (The need for that workaround should be avoided thanks to WhatsApp’s end-to-end encrypted backups, which were introduced after this paper was written.)

“We thoroughly analyze, validate, and react to law-enforcement requests based on applicable legislation,” WhatsApp told, “and are transparent about this on our website and in frequent transparency reports.” The document also “illustrates what we’ve been saying — that law enforcement doesn’t need to crack end-to-end encryption to successfully investigate crimes,” according to the company, which also acknowledged that it provides near-real-time data in response to pen register requests. Some people believe that having end-to-end encrypted communications is sufficient protection, and that the amount of metadata sent to law enforcement is irrelevant. However, those who wish to keep their information secret, such as journalists who don’t want to reveal their sources, now have a greater understanding of the metadata that these apps can share with the FBI.