Thanks to a Freedom of Information Act request, a document from the FBI details how the FBI can access messages sent through various messaging apps. The document describes the messaging apps that the FBI has access to, how to access those messages, and the amount of information they can get from those apps.
The gist?
The FBI can get to the messages on many messaging platforms, as well as other relevant information on users. This means most other law enforcement agencies could as well. The FBI report only looks into the apps they can access from their point of view. It could still violate a user’s privacy or security in other ways, even if the FBI cannot access your information. An app in a nation that scans all messages may not hand over that information to the FBI, but will share it with their local government.
It reveals what many of us already knew: most “secure” messaging platforms aren’t very secure at all. However, some, with a dedication to privacy, came through without revealing users’ messages or important information on their users. Basically? The FBI just told us which messaging platforms we should use, and which we should avoid.
In This Article:
Getting Into Apps
The document, provided by the FBI to the Property of the People organization via a Freedom of Information Act request, shows what information the FBI can get from each messaging service and how to get it. Some provide far more information to the FBI than others. While some can simply hand over registration information, others might give the FBI other communication vectors to explore, like email address and phone number. A few of these services, despite being end to end encrypted, will provide ways for the FBI to access all messages and information sent or received.
While Apple claims to be the pinnacle of privacy, iMessage is one of the worst services on the list. This is because Apple refuses to lock themselves out of their customers’ iCloud backups, and will provide those backups to the FBI upon request. This gives them access to all messages and even more content. WhatsApp (Facebook, Instagram, Meta) is giving up more information than users are likely comfortable with as well. Meanwhile, some services may lock the FBI out, but are owned or operating in nations where data privacy is a myth, and the government has full access to any data.
Below is a summary of some of the most popular messaging options.
iMessage
The Good:
- Messages are encrypted end to end, FBI only can access them with a warrant and when the user has chosen to use iCloud backups and iMessage in the cloud
- Apple has no interest in your data, and doesn’t sell ads based on your usage
The Bad:
- The FBI still has a way to access every message for many users
- Because Apple refuses to protect backups, they also get far more information and relevant information from other apps thanks to the decrypted iCloud backups
WhatsApp (Possibly Facebook and Instagram as well)
The Good:
- Encrypted end to end messages mean the FBI needs permission to view anything
The Bad:
- WhatsApp is the only service to give real-time reports to the FBI upon request with their “pen register”
- FBI can get limited message access
- It’s the most popular app in the world, and, seemingly, one of the least secure, at least from the perspective of protecting content from the FBI’s prying eyes
- WhatsApp, along with Facebook Messenger and Instagram, are owned by Meta (aka: Facebook). Facebook collects and aggregates user data for the purpose of selling ads. It’s possible that Facebook could use on-device topic recognition to serve up ads in-app. This wouldn’t be “reading” your messages, but it could lead to more targeted ads based on your communications, while still keeping your messages encrypted end-to-end.
Line
The Good:
- FBI needs a subpoena to get end to end encrypted messages
The Bad:
- Full message data for 7 days available, without multimedia sent
- Registration information available to FBI
The Good:
- FBI cannot get message content
- WeChat will not give up information on Chinese users (to the FBI, anyway)
The Bad:
- FBI can get account information on all non-Chinese users
- As a Chinese company, any data stored on it is available to the Chinese government
- It has had numerous issues with security and privacy, and is even banned in some nations.
Telegram
The Good:
- Tight encryption prevents FBI from getting message content
- FBI can only get user information with proof of terrorist activities
The Bad:
- Has a reputation for organizing illegal activities
- Not all communications are end to end encrypted
- Has had its encryption and storage hacked in the past
- Is based in Russia, a nation that doesn’t have the greatest history with data privacy and security. However, is also banned in nations specifically because it’s so hard to get any information from Telegram on its users.
Viber
The Good:
- FBI cannot get direct access to message content
The Bad:
- They can, however, get account registration data, message history, date, source number and destination numbers
Wickr
The Good:
- FBI cannot get message content directly
The Bad:
- FBI can get a wealth of other information, such as date and time of use, devices app is stored on, number of messages, last use, external IDs like phone number and email (though these may be hashed), avatar, changes to the account, and even the app version number
Threema
The Good:
- Can’t directly read message content
The Bad:
- With a subpoena, FBI can get push tokens, and potentially other information available through push messages
- FBI can get a user’s public key to decrypt messages sent to a third party, opening possibility of a man in the middle or targeted attack
- Hash of phone number and email address
Singal
The Good:
- Messages are encrypted end to end, FBI cannot access them
- Signal does not store messages or user data outside of registration date and date of last use
- Signal features screen lock and pin to make accessing messages, even with access to device, slightly more difficult to prevent snooping
- Has actively worked to make app hostile towards hackers
- Is a favorite of journalists, whistleblowers, and infamous NSA whisleblower Edward Snowden
The Bad:
- FBI can get when you signed up and when you last used the app. Which isn’t nothing, but it’s effectively nothing
The Best Choice?
If it’s not obvious, Signal seems to be the best choice. Between strong encryption, verification of users through their keys to prevent man-in-the-middle attacks, a screen lock to prevent snooping from friends or family using your device, automatic message deletion from devices, the hostility of the developers towards hacking groups that try to get in Signal, and the sheer lack of data stored on users, Signal comes out on top.
Signal is a communication app that put security first. In fact, long after other messaging apps had features like video chat, Signal was behind simply because they had to secure it first. That might be its biggest downside. It lacks the polish and fun other other apps. Even features like payments are coming slowly, and require use of a third party crypto exchange to cash out. Still, it’s good enough for basic chatting, video messages, and, most importantly to Signal users, protecting security and privacy.
Find What You’re Most Comfortable With
While Signal may come out on top, not everyone will be able to use it for all communication. You may want to insist on using it if you’re a whistleblower, leaking information about a company’s wrongdoings to the press, but if your mom likes to send you stickers on iMessage, that’s what you’ll have to use. While I love Signal, I also use plenty of other messaging apps. While I don’t use iCloud for iMessage or backups, encrypting my own backups, my messages to others are likely open for anyone at Apple or the FBI to read. I also use Facebook messenger, Instagram, Discord, Slack, and many other forms of communication.
You’ll have to compare the security of each platform, but also meet your friends and family where they are. If you’re looking to protect yourself, Signal seems to be the best bet. But for messaging “Happy Thanksgiving!” to your aunt? Maybe Facebook Messenger will work just fine. Measure your risk and use what makes sense to you.
Sources:
- Andy Kroll, Rolling Stone
- Mike Peterson, Apple Insider
- Property of the People