A previously unreported FBI document obtained by Rolling Stone reveals that “private” messaging apps WhatsApp and iMessage are deeply vulnerable to law-enforcement searches
By ANDY KROLL
WASHINGTON — As Apple and WhatsApp have built themselves into multibillion-dollar behemoths, they’ve done it while preaching the importance of privacy, especially when it comes to secure messaging.
But in a previously unreported FBI document obtained by Rolling Stone, the bureau claims that it’s particularly easy to harvest data from Facebook’s WhatsApp and Apple’s iMessage services, as long as the FBI has a warrant or subpoena. Judging by this document, “the most popular encrypted messaging apps iMessage and WhatsApp are also the most permissive,” according to Mallory Knodel, the chief technology officer at the Center for Democracy and Technology.
Facebook’s Mark Zuckerberg has articulated a “privacy-focused vision” built around WhatsApp, the most popular messaging service in the world. Apple CEO Tim Cook says privacy is a “basic human right” and that Apple believes in “giving the user transparency and control,” a philosophy that extends to the company’s wildly popular iMessage app. For journalists, activists, and government critics who worry about government mass surveillance and political retribution, secure messaging tools can mean the difference between doing their work safely or facing imminent danger.
While the FBI document raises no questions about the apps’ abilities to keep out hackers and snoops-for-hire, the paper does describe how law-enforcement agencies have multiple legal pathways to extract sensitive user data from the most popular secure messaging tools. The document — titled “Lawful Access” and prepared jointly by the bureau’s Science and Technology Branch and Operational Technology Division — offers a window into the FBI’s ability to legally obtain vast amounts of data from the world’s most popular messaging apps, many of which hype the security and encryption of their services.
The document, dated Jan. 7, 2021, is an internal FBI guide to what kinds of data state and federal law-enforcement agencies can request from nine of the largest messaging apps. Legal experts and technologists who reviewed the FBI document say that it’s rare to get such detailed information from the government’s point-of-view about law enforcement’s access to messaging services. “I follow this stuff fairly closely and work on these issues,” says Andrew Crocker, a senior staff attorney on the Electronic Frontier Foundation’s civil-liberties team. “I don’t think I’ve seen this information laid out quite this way, certainly not from the law-enforcement perspective.”
After the Cambridge Analytica controversy, when news outlets revealed that personal data from more than 50 million Facebook users was harvested without their permission to create psychological profiles of American voters, Zuckerberg sought to rebrand the social media giant as a tech company built around privacy. Facebook intended to make that vision a reality largely through the design choices it made with WhatsApp, which it had acquired in 2014 for $19 billion. Today, WhatsApp is the most popular messaging app in the world with more than 2 billion users. “I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won’t stick around forever,” he wrote at the time. “This is the future I hope we will help bring about.”
In the view of the FBI, however, WhatsApp is a wellspring of private user data. According to the FBI’s “Lawful Access” document, WhatsApp will provide more practically real-time information about a user and their activities than nearly every other major secure messaging tool. A subpoena will yield only basic subscriber information, the FBI document says. Presented with a search warrant, WhatsApp will turn over address-book contacts for a targeted user as well as other WhatsApp users who have the targeted individual in their contacts, according to the FBI.
But WhatsApp is unique in how quickly it can produce data to law-enforcement agencies in response to a so-called pen register — a surveillance request that captures the source and destination of each message for a targeted individual. WhatsApp will produce certain user metadata, though not actual message content, every 15 minutes in response to a pen register, the FBI says. The FBI guide explains that most messaging services do not or cannot do this and instead provide data with a lag and not in anything close to real time: “Return data provided by the companies listed below, with the exception of WhatsApp, are actually logs of latent data that are provided to law enforcement in a non-real-time manner and may impact investigations due to delivery delays.”
A WhatsApp spokeswoman confirmed the company’s near-real-time responses to a pen register. But the spokeswoman added that the FBI document omits important context, such as that pen registers for WhatsApp do not yield actual message content and only apply in a forward-looking, not retroactive, manner. The spokeswoman said the company uses end-to-end encryption for the content of users’ messages, which means law enforcement can’t directly access that content, and has defended that message encryption in courts around the world. “We carefully review, validate, and respond to law-enforcement requests based on applicable law, and are clear about this on our website and in regular transparency reports,” the spokeswoman said. The FBI document, she added, “illustrates what we’ve been saying — that law enforcement doesn’t need to break end-to-end encryption to successfully investigate crimes.”
Even without the ability to legally request message content from WhatsApp, however, the metadata provided by WhatsApp to law enforcement captures which users talk to one another, when they do it, and which other users they have in their address book. The handing over of that data can have serious consequences for people who seek truly secure and anonymous messaging, such as journalists working with a confidential source or activists who face government threats and punishment.
In 2017 and 2018, Buzzfeed News published a series of explosive stories about former Trump campaign chairman Paul Manafort, the Russian embassy in the U.S., and other high-profile figures that drew on a trove of confidential documents from the Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. In early 2020, a former senior FinCEN adviser named Natalie Edwards pled guilty to leaking so-called Suspicious Activity Reports to an unnamed reporter, and Edwards later said she was a source for Buzzfeed’s reporting. A judge later sentenced Edwards to six months in prison. According to the FBI’s criminal complaint in the case and subsequent reporting, Edwards and a Buzzfeed reporter exchanged hundreds of messages on WhatsApp, which they believed to be a safe place to communicate. Instead, authorities would later use those WhatsApp messages to make their case against Edwards.
“WhatsApp offering all of this information is devastating to a reporter communicating with a confidential source,” says Daniel Kahn Gillmor, a senior staff technologist at the ACLU.
Experts stressed that the FBI guide isn’t the full scope of law enforcement’s snooping powers. The document, for instance, doesn’t touch on what happens when police or federal agents gain access to a person’s physical device. “For probably all of these platforms, if law enforcement gets its hands on somebody’s device, no amount of end-to-end encryption is going to protect the information on the device,” Nathan Freed Wessler, deputy director of the ACLU’s Speech, Privacy, and Technology Project, says.
The other tech giant that can be compelled by law enforcement to hand over potentially large amounts of sensitive messaging data is Apple. iMessage, Apple’s text-message service, comes loaded on the iPhone and is used by 1.3 billion people worldwide. According to the FBI’s “Lawful Access” guide, if served with a court order or a search warrant, Apple must hand over basic subscriber information as well as 25 days’ worth of data about queries made in iMessage, such as what a targeted user looked up in iMessage and also which other people searched for that targeted user in the app. That doesn’t include actual message content or whether messages were exchanged between different users.
But the amount of data available to law enforcement is potentially far greater — greater even than the user data provided by WhatsApp — if a targeted user backs up their iMessage activity to iCloud, Apple’s online storage platform. If that’s the case, the FBI document says, then law enforcement can request back-ups of the target’s device, including actual messages sent and received in iMessage if they’re backed up in the cloud.
While Apple describes iCloud as an encrypted service, it comes with a giant loophole. Apple holds an encryption key that can unlock user data in iCloud, and so police departments or federal agencies can request that key with a search warrant or a customer’s consent to access certain user data. “You’re handing someone else the key to hold onto on your behalf,” says Mallory Knodel of the Center for Democracy and Technology. “Apple has encrypted iCloud but they still have the keys, and as long as they have the key, the FBI can ask for it.”
An Apple spokesman declined to comment on the record and referred Rolling Stone to Apple’s legal-process guidelines, which describe the kinds of data the company hands over to law enforcement under certain circumstances.
Daniel Kahn Gillmor, the ACLU senior staff technologist, says Apple has the ability to implement end-to-end encryption for iCloud. But the company reportedly abandoned plans to do so after federal law-enforcement agencies put pressure on Apple, saying fully encrypting iCloud backups would interfere with the government’s investigative abilities. “For cloud-based backup providers, they could if they want to lock themselves out of their users’ data,” Gillmor says. “iCloud has not made that choice for iMessage backups.”
There are several messaging apps listed in the FBI document for which minimal data is available to law enforcement without the actual device in hand. Signal will provide only the date and time someone signed up for the app and when the user last logged into the app. Wickr will give law enforcement data about the device using the app, when someone created their account, and basic subscriber info, but not detailed metadata, the FBI document says.
But the number of users on Signal and Wickr, while growing, pales in comparison to WhatsApp and iMessage, which the FBI’s own guide describes as two of the most permissible secure-messaging apps in existence.
And that imbalance raises questions about the complaints from law-enforcement agencies about secure and encrypted messaging apps interfering with their ability to investigate crimes. Wessler of the ACLU says the FBI’s “Lawful Access” should act as a reality check the next time police officers or FBI officials insist that encrypted messaging hampers their work. “As we can see, [those complaints are] completely overblown and not representative of how much information they continue to have access to even from these encrypted communication platforms,” he says.
Property of the People, a Washington, D.C.-based nonprofit transparency group, received the document via a Freedom of Information Act request and shared it with Rolling Stone. “Privacy is essential to democracy,” says Ryan Shapiro, Property of the People’s executive director. “The ease with which the FBI surveils our online data, mining the intimate details of our daily lives, threatens us all and paves the way for authoritarian rule.”