
FOIA Request Reveals Exactly What Law Enforcement Agencies Can Get From Secure Messaging Apps

An FBI training chart that was included in a Freedom of Information Act (FOIA) request has made clear exactly how much access American law enforcement agencies have to secure messaging apps. The chart explains what can be had from nine of the biggest messaging services, including iMessage, Signal and Telegram.

In general, law enforcement does not have access to end-to-end encrypted (E2EE) messages sent via these services. However, they do have a workaround: messages that are backed up to cloud storage services may have an encryption key attached and may be fair game for agents with a warrant.

Law enforcement can retrieve messages via Google / iCloud backups

The chart shows that subpoenas will not grant access to message content for six of the nine secure messaging apps. The three that do give up “limited” content are iMessage, Line and WhatsApp.

In the case of Line, law enforcement only has access to messages if the user has opted to turn off E2EE. If they have, a maximum of seven days of text chats can be requested. However, attachments such as video and pictures are not supposed to be disclosed.

Law enforcement access to iMessage and WhatsApp’s encrypted messages comes through associated cloud services. If the user is backing up messages to iCloud or Google Drive, the backups can be turned over. Messages that are backed up to iCloud from Apple devices have a copy of the encryption key stored with them, which law enforcement can also help itself to.

Though this was previously known, Apple devices are set to sync and back up messages in this way by default, which is not something that is necessarily apparent to the average device user.

Subpoenas also return differing amounts of user registration information from different secure messaging apps, likely depending on how much information the app collects in the first place. For example, Line gives up quite a bit: email address, profile image and date of registration, among other items. Signal only provides the user’s registration date and the last time that they connected. Telegram discloses absolutely nothing unless law enforcement can demonstrate it is investigating a confirmed terrorist via court order, and then it will provide an IP address and phone number. WeChat does accept subpoenas from US law enforcement agencies, and provides basic information comparable to what Line offers, but cannot provide any information for accounts that were created in China.

WhatsApp users should also be aware that their name could be disclosed to law enforcement even if they are not the subject of an investigation; agents can request the names of anyone who has an investigation subject in their address book.

The document appears to be fairly recent, dated January 7, 2021 and stating that these capabilities are current as of November 2020. It is not recent enough to include Keybase, however, an E2EE messaging service that was acquired by Zoom in 2020 and has gained in popularity as of late. It also does not address Facebook Messenger, the most commonly used messaging service in the United States. Facebook is in an ongoing process of rolling out E2EE in the messaging service, with calls currently protected and full deployment expected for 2023.

Secure messaging apps largely protect E2EE messages, but cloud storage subject to subpoenas

When law enforcement retrieves backup messages from iCloud or Google Drive, they are serving the subpoena directly to those companies rather than the secure messaging apps. Apple’s linkage of iMessage and iCloud makes this process much easier; messages transferred to Google Drive can be kept secure if encrypted all the way through.

Messages moved from iMessage to iCloud are relatively easy to access since a copy of the encryption key is included for recovery purposes, as per Apple’s policies. Messages stored with E2EE in Google Drive are something of a different story. WhatsApp recently added the ability to extend messaging E2EE to cloud backups, in which case a subpoena to either service would not help in accessing the contents.

While much of this information about secure messaging apps was previously available by sifting through each company’s “information for law enforcement” page (often buried somewhere in a general FAQ), it was often both hard to find and couched in legal jargon that the average person could not easily understand. Certain items, such as WhatsApp sharing user names based on address book contents, are not found in these disclosures. And users may not be aware that Apple discloses 25 days’ worth of queries in iMessage when served with a subpoena, as well as the identity of any users that searched for the user being investigated.

The chart illustrates that secure messaging apps are not necessarily 100% private and secure, even if they employ E2EE by default. Small items such as the “backup loophole” could easily be overlooked by an end user, and the amount of metadata about accounts and messaging that law enforcement has access to is also often underestimated.