The FBI, CIA and NSA are some of the most advanced intelligence and espionage agencies in the world. Every great power has multitudes of hackers and spies dedicated to obtaining as much information as possible from anywhere. Messaging applications are one of the most used means of communication, and if not properly protected, they can lead to improper access. And a new leaked FBI document shows which apps are easiest to spy on.
This has been published by the Rolling Stone media, which has exclusively accessed a leaked FBI document that shows how easy it is for the agency to obtain WhatsApp and iMessage data if it obtains a court order for it. Both of these messaging applications are the most used worldwide, and they are also the most permissive when it comes to data collection.
iMessage and WhatsApp, the ones that give the most data
In the past, WhatsApp had vulnerabilities that people like Edward Snowden or Pavel Durov directly described as back doors. The reality is that they did not need them either, since the backup copies of the chats stored in the cloud (iCloud or Google Drive) were not encrypted. With this, a judge could force Google to give access to those files, and be able to read all the messages of the users.
However, these vulnerabilities have been used to spy on journalists, activists or critics of the government in many countries. Therefore, using a 100% secure instant messaging service is literally a matter of life and death.
And if it is life or death, it is better not to use WhatsApp or iMessage, and to use alternatives such as Telegram or Signal. Although in the document we can read that all apps have mechanisms to protect against hackers and espionage, it also details how agencies have legal channels to extract sensitive information from the applications.
In fact, the document is called “Lawful Access”, or Legal Access. It is dated January 7, 2021 and details the situation as of November 2020, so it is quite up to date. One of the few changes we’ve seen since then is the introduction of encryption in WhatsApp backups that we store in the cloud, although that encryption is optional.
Of all the apps, only WhatsApp is the only one that offers real-time information about a user. A court summons can offer basic information on users, but with a search warrant, WhatsApp will offer the list of all the contacts of that user, as well as of other users who have the investigated among their contacts.
WhatsApp allows you to know the sender and receiver
In addition, WhatsApp knows the sender and receiver of messages at all times, and in real time. The rest of the apps cannot do this, and those that allow it, offer that information with a long delay, which affects the investigations. WhatsApp argues that allowing access to this data shows that it is not necessary to break end-to-end encryption in messages, something that the FBI has been advocating for years to do.
However, these metadata give the FBI a lot of information, since they allow us to know who each user talks to, when they do it, and what contacts they have added on their mobile, so we are dealing with an app that, although it protects messages, is far away to be anonymous. For example, they can get to know confidential sources of journalists, or end up with networks of activists.
In early 2020, Natalie Edwards, a former FinCEN worker , was sentenced to six months in jail for leaking documents to a journalist . The FBI learned that she had exchanged hundreds of messages with that journalist through WhatsApp because the application gave that data. Both parties believed that the app was safe, but this shows that it is not.
Use only secure apps for sensitive information
With iMessage , Apple must provide basic user information , and 25 days of user data in the app , including wanted people. However, no messages are transferred or with which users they were exchanged. However, the messages stored in iCloud are not encrypted, and the FBI can, by court order, access all of them, since the encryption key is held by Apple.
The rest of the apps are quite safe. The best of all is Signal, where the FBI can only know the date and time a user registered, and the last date the user connected to the app. In the case of Telegram, the app only gives the IP and the phone number to authorities in the event that those investigated are confirmed terrorists.
Interestingly, neither Instagram Direct nor Facebook Messenger appear on the list, probably due to the fact that neither of the two apps uses encryption in messages. Therefore, the FBI can access all the content without problem, hence it is recommended that you avoid using them for private communications, and use others such as Signal or Telegram.