
The Feds Are Monitoring Messaging Apps, and Some Are Shockingly Unsecure

by Anthony W. Accurso

On January 7, 2021, the FBI published a document entitled “Lawful Access,” detailing what information is available from various online messaging platforms and providing guidance to various law enforcement agencies on how such data can be obtained through procedures already authorized for investigative purposes.

The document was obtained through a Freedom of Information Act (“FOIA”) request initiated by Property of the People—a D.C.-based nonprofit government watchdog group—and released to Rolling Stone magazine.

It lists nine messaging apps—Apple’s iMessage, Meta’s WhatsApp, Line, Threema, Viber, Wickr, Telegram, Signal, and the predominantly Chinese WeChat—and details what data can be obtained through subpoena, warrant, or wiretap authorization.

It is en vogue right now for providers of such applications to advertise their commitment to user privacy, and all of the listed apps provide at least end-to-end encryption, which keeps casual snoopers from seeing the content of messages. However, as will be detailed below, this does not mean law enforcement cannot obtain the content of user messages in certain circumstances.

When Facebook (now Meta) bought WhatsApp in 2014 for $19 billion, CEO Mark Zuckerberg used the newly acquired app’s reputation for privacy as part of Facebook’s attempt to rehabilitate its own image, which was tarnished after the Cambridge Analytica scandal in which data on 50 million Facebook users was compromised.

“I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won’t stick around forever,” wrote Zuckerberg during the acquisition. “This is the future I hope we will help bring about.”

It’s clear now that Zuckerberg gave up on this hope, at least where it applies to snooping by police, as WhatsApp not only provides a significant amount of user data to authorities upon request, but will also provide near real-time updates on WhatsApp message metadata when police obtain a wiretap authorization—the only app on the list which does so. Under this authority, police get updates—every 15 minutes—including “which users talk to one another, when they do it, and which other users they have in their address book,” according to Rolling Stone. This is in addition to providing subscriber details and registration information on their users.

While the wiretap doesn’t grant the police historical metadata—only metadata going forward and for the duration of the warrant—being able to discover who is talking to whom can be used to suppress legitimate speech, such as when police abuse their authority to target protesters or journalists.

“WhatsApp offering all of this information is devastating to a reporter communicating with a confidential source,” says Daniel Kahn Gillmor, a senior staff technologist at the ACLU.

Apple’s iMessage is also shockingly unsecure with regard to law enforcement access. While police cannot get the real-time metadata, they can get 25 days of historical metadata “to and from a target number.”

Even more disturbing is that Apple may store copies of the content of user messages and can provide this data to police when presented with a warrant. While public-key encryption is used to secure messages end-to-end between users—and even secure a user’s data stored on Apple’s iCloud service—Apple also maintains a universal key that can decrypt files stored on iCloud.

This means that users who choose to back up iMessage content to iCloud (the default setting) can have their message content surrendered by Apple to police. Also, since iPhone users can opt to back up WhatsApp message content to iCloud, this loophole applies to WhatsApp as well (though only for iPhone users).

The smaller services—Line, Threema, Viber, and Wickr—provide user profile details, and two (Line and Viber) will also provide some historical metadata to police.

Two apps on the list disclose the least amount of information to authorities. Telegram began as a Russian messaging app but is now based in Dubai. It provides no information to law enforcement, with the sole exception of providing a user’s last known IP address “for confirmed terrorist investigations,” though how this is confirmed is unclear. However, while messages between individual users are protected by encryption, this does not apply to “broadcasts” on Telegram, as these are unencrypted and susceptible to surveillance by anyone.

Signal could be considered the most secure, as it provides only the date/time the account was created and the last date of a user’s connectivity to the service. This is unsurprising since “[i]t’s open source, independent (albeit with some surprising partnerships), and touted by public personalities with privacy-focused bona fides,” according to Reason magazine.

Finally, just because U.S.-based police may be able to get limited subscriber details from WeChat, this limitation likely does not apply to Chinese authorities, though Chinese citizens likely expect this level of surveillance from a China-based company.

Users concerned with security and privacy should be aware of what data these apps record and furnish to police upon request. The combined userbase of WhatsApp and iMessage—an estimated 2.2 and 1.3 billion users, respectively—should be on notice that these apps are not as secure as Meta and Apple would like users to believe.

One final note of caution, which applies to nearly every app and not just the messaging apps listed in this document, is that end-to-end message encryption is no protection against law enforcement accessing a person’s device in an unencrypted state. According to Nathan Freed Wessler, deputy director of the ACLU’s Speech, Privacy, and Technology Project, “[f]or probably all of these platforms, if law enforcement gets its hands on somebody’s device, no amount of end-to-end encryption is going to protect the information on the device.”


