image credit: Unsplash

WhatsApp and iMessage Give Large Amounts of User Data to the FBI: Leaked Document

November 30, 2021


Almost all instant messaging services on the market today make a big deal about their security and privacy policies. A recently leaked document has revealed just how much data the FBI can legally obtain from these services. The infographic shows details about iMessage, Line, Signal, Telegram, Threema, Viber, WeChat, WhatsApp, and Wickr. The organization even rated the apps in a scorecard by various internal criteria. Let’s see just how much access to the content of encrypted messages the FBI can gain.

When “limited information” becomes a large amount of user data

An FBI document recently surfaced online, having been spotted by Rolling Stone and Property of the People. This document details exactly what kind of information the agency can obtain from various messaging apps, either through a warrant or a subpoena, i.e., legal and necessary actions. It seems that WhatsApp and iMessage top the list with the most information provided.

Although the two platforms were initially willing to share only “limited information” with the agency, they are now actually putting much more than publicly stated on the FBI’s plate. For example, compared to WhatsApp and iMessage, Signal, Telegram, Threema, Viber, WeChat, and Wickr don’t reveal the actual content of any of the messages. 

How WhatsApp and iMessage Share User Data With the FBI

On paper, WhatsApp will only disclose “record user numbers” via a subpoena, but with a search warrant, the FBI will actually be entitled to obtain the phone numbers and the phone books of users who have a contact of interest. Through a surveillance request (so-called pen register), WhatsApp will then send the agency information about the recipient and sender of the message every 15 minutes, although it will not send the actual content of the message.

However, if the target uses WhatsApp from an iPhone, the conversations are backed-up in an iCloud profile and the app will actually reveal the content of the messages because Apple is obliged by law and mandate to provide the encryption key to authorities.

According to Rolling Stone, a WhatsApp spokeswoman confirmed the company’s near-real-time responses to a pen register, but she added that the FBI document omits important context, such as that pen registers for WhatsApp do not yield actual message content and only apply in a forward-looking, not retroactive, manner. The spokeswoman said the company uses end-to-end encryption for the content of users’ messages, which means law enforcement can’t directly access that content, and has defended that message encryption in courts around the world. “We carefully review, validate, and respond to law enforcement requests based on applicable law, and are clear about this on our website and in regular transparency reports,” the spokeswoman said. 

iMessage only provides basic subscriber information, but a warrant can actually make developers disclose information about searches within the app gathered over 25 days. Even so, much like WhatsApp, authorities can get their hands on iCloud-saved copies of conversations, but they can’t find out who sent or received a message.

Telegram and Signal, the Toughest Nuts to Crack 

Telegram and Signal have evolved very nicely over time and are becoming increasingly practical, amassing millions of users. 

It’s interesting to see how both apps manage to avoid similar issues. The two platforms are much more limited when it comes to the number of permissions granted to the government agency. Telegram does not reveal the content of any messages, nor does it share contact information. However, according to the document, Telegram can provide IP addresses and phone numbers if the FBI is investigating “confirmed” acts of terrorism. Signal does not reveal message content, but it does provide information about the date and time a user registered or the last date it connected to the platform.

According to the document, Viber doesn’t reveal message content, but it provides the account (i.e., phone number) registration data and the IP address known at the time of creation. It can also provide authorities with message history: time, date, source number, and destination number.

Though it shows nothing new under the sun, the document gives us an overview of how our data is processed. Following the disclosure, new concerns have started to arise. After all, the handing over of that data can have serious consequences for people who seek truly secure and anonymous messaging, such as journalists working with a confidential source or activists who may face government threats and punishments.