WhatsApp vulnerable to law enforcement searches

Photo courtesy of WhatsApp

The popular WhatsApp messaging system is especially vulnerable to searches by law enforcement agencies, according to an FBI document obtained by Rolling Stone and published on November 30.

The document, dated January 7, 2021, is reportedly an internal FBI memo on what kinds of data state and federal law enforcement agencies can request from popular messaging apps.

Entitled "Lawful Access," the document was prepared by the FBI's Science and Technology Branch and Operational Technology Division.

According to Rolling Stone, legal experts who reviewed the document said that it's unusual to get such a detailed look into the government's plans for surveillance of messaging services.

"I follow this stuff fairly closely and work on these issues," Andrew Crocker, a senior staff attorney on the Electronic Frontier Foundation's civil liberties team, told the magazine. "I don't think I've seen this information laid out quite this way, certainly not from the law enforcement perspective."

Ordinary hackers will still be defeated by the app's encryption, the FBI document says, but law enforcement agencies have multiple legal pathways to obtain user information.

Although WhatsApp is encrypted, "the most popular encrypted messaging apps iMessage and WhatsApp are also the most permissive," according to Mallory Knodel, the chief technology officer at the Center for Democracy and Technology.

According to the document, the FBI sees WhatsApp as a wellspring of private user data. The agency believes that WhatsApp will provide more real-time information about a user and their activities than nearly every other major secure messaging tool.

A subpoena will yield only basic subscriber information, the FBI document says. Presented with a search warrant, WhatsApp will turn over address-book contacts for a targeted user as well as other WhatsApp users who have the targeted individual in their contacts, according to the FBI.

WhatsApp is unique in how quickly it can produce data to law-enforcement agencies in response to a so-called "pen register" — a surveillance request that captures the source and destination of each message for a targeted individual.

WhatsApp will produce certain user metadata, though not actual message content, every 15 minutes in response to a pen register, the FBI says. Most messaging services do not or cannot do this, the FBI document explains.

"Return data provided by the companies listed below, with the exception of WhatsApp, are actually logs of latent data that are provided to law enforcement in a non-real-time manner and may impact investigations due to delivery delays," the document says.

A WhatsApp spokesperson confirmed the company's near-real-time responses to a pen register. But the spokesperson added that the FBI document omits important context.

For example, pen registers for WhatsApp do not yield actual message content, the spokesperson said, because the company uses end-to-end encryption for the content of users' messages.

"We carefully review, validate, and respond to law enforcement requests based on applicable law, and are clear about this on our website and in regular transparency reports," the spokesperson said. The FBI document, they added, "illustrates what we've been saying — that law enforcement doesn't need to break end-to-end encryption to successfully investigate crimes."