FBI admits to having worldwide access to WhatsApp data

We already know that US security agencies have access to user data worldwide. But an internal document now lays out how the FBI legally obtains this data.

Privacy is one of Apple’s main selling points. But Facebook, now Meta, also advertises end-to-end encrypted messages on WhatsApp. Alternative messengers, such as Signal and Telegram, make no secret of courting users who are looking for more privacy than they get with WhatsApp. But what do all these companies have in common? The answer is simple: neither WhatsApp nor any other service is safe from the US Federal Bureau of Investigation (FBI).

FBI explains how it gains access to WhatsApp data

In early 2021, the FBI published an internal document that has now leaked to the outside world. It appeared on the site of “Property of the People,” a Washington, D.C.-based nonprofit transparency group. It was first reported by the Rolling Stone media portal. In the document, the security agency clearly summarizes how it can legally access nine different messaging services. Also included is the amount of data and metadata that the FBI can access. According to this, it is easiest for the agency to access this data at Apple and WhatsApp. But not all user data is safe from law enforcement on other services like Signal, Telegram, Threema, Viber, WeChat, Line and Wickr.

Also interesting: message from WhatsApp – what’s behind the “security number”?

With WhatsApp and Apple, almost nothing is safe from the FBI

The document discloses the legal processes required for the FBI to obtain Messenger data. The processes range from a subpoena to a court order to a search warrant. With a subpoena (Latin for “under penalty”), a judge can request information about evidence. This allows the FBI to obtain basic information about user accounts from Apple and WhatsApp, for example. A court order allows the FBI to demand additional data from WhatsApp, including the list of blocked contacts. The strongest tool is the Search Warrant, which is equivalent to a search warrant. This allows the FBI to gain access to contacts in the address book and obtain data about WhatsApp users who have the target among their contacts.

With regard to Apple, the search warrant is even more effective. Here, the FBI can access backups on the target device. If the target uses iCloud backup, the FBI can even see messages stored there, as it can request the encryption key from Apple. By the way, this also applies to WhatsApp messages if they are stored in iCloud as a backup.

WhatsApp is also the only messaging service that provides the FBI with a log of metadata in real time. All others send the logs to the authority only after some time delay after request. Also, only WhatsApp releases an accurate log of the origin and destination of all messages. All a court has to do is order a wiretap called Pen Register. WhatsApp then sends the log to the FBI every 15 minutes – but only currently and not retroactively, as the company told Rolling Stone.

Other services give less user data than WhatsApp to the FBI

With other messaging services, user data is much more secure than with WhatsApp and Apple. With the exception of these two services and the South Korean competitor “Line”, no other messengers release messages to the FBI. However, that doesn’t mean all information is hidden from the agency.

  • Signal: The FBI can query data such as the date and time of account creation as well as the last login date
  • Telegram: Even with a court order, Telegram does not give out contact information to the FBI. Only in confirmed terrorist investigations can Telegram share IP addresses and phone numbers.
  • Threema: By court order, the service gives out data such as phone number and mail address, provided users have given them. The FBI can also get push notifications if they are enabled. In addition, Threema passes on the date of account creation and the last login. Interestingly, the FBI can also request the public key for message encryption. However, the private key of a Threema user is also required to actually decrypt the messages. However, the service does not provide this key.
  • Viber: The FBI can obtain data about the account (usually the phone number), registration and IP address at the time of setup. Additionally, there is message history metadata, including date and source and destination numbers.

Sources

  • Internal FBI infographic on Property of the People
  • Rolling Stone