An official FBI document dated January 2021, obtained by the American association “Property of People” through the Freedom of Information Act.
This document summarizes the possibilities for legal access to data from nine instant messaging services: iMessage, Line, Signal, Telegram, Threema, Viber, WeChat, WhatsApp and Wickr. For each software, different judicial methods are explored, such as subpoena, search warrant, active collection of communications metadata (“Pen Register”) or connection data retention law (“18 USC§2703”). Here, in essence, is the information the FBI says it can retrieve:
-
Apple iMessage: basic subscriber data; in the case of an iPhone user, investigators may be able to get their hands on message content if the user uses iCloud to synchronize iMessage messages or to back up data on their phone.
-
Line: account data (image, username, e-mail address, phone number, Line ID, creation date, usage data, etc.); if the user has not activated end-to-end encryption, investigators can retrieve the texts of exchanges over a seven-day period, but not other data (audio, video, images, location).
-
Signal: date and time of account creation and date of last connection.
-
Telegram: IP address and phone number for investigations into confirmed terrorists, otherwise nothing.
-
Threema: cryptographic fingerprint of phone number and e-mail address, push service tokens if used, public key, account creation date, last connection date.
-
Viber: account data and IP address used to create the account; investigators can also access message history (date, time, source, destination).
-
WeChat: basic data such as name, phone number, e-mail and IP address, but only for non-Chinese users.
-
WhatsApp: the targeted person’s basic data, address book and contacts who have the targeted person in their address book; it is possible to collect message metadata in real time (“Pen Register”); message content can be retrieved via iCloud backups.
-
Wickr: Date and time of account creation, types of terminal on which the application is installed, date of last connection, number of messages exchanged, external identifiers associated with the account (e-mail addresses, telephone numbers), avatar image, data linked to adding or deleting.
TL;DR Signal is the messaging system that provides the least information to investigators.
Takeaways:
- End-to-end encryption works.
- The only trustworthy computer is your computer. Don’t use cloud storage.
- The only trustworthy software is open-source software. Proprietary software serves the interests of the proprietor, not the user.
All of this was already well-known, of course, but it’s always nice to get confirmation.
And FYI, the info about Signal was confirmed as they received a subpoena a couple years back, and their response was part of the public court records.
Yeah, Signals response pointing to how their service works and than all the data consisting of only these two things war hilarious.
This is very useful information. People should be free to discuss ideas without the FBI glaring over their shoulder.
Well this made me download signal, thanks fbi
Telegram states at their site that: “To this day, we have disclosed 0 bytes of user data to third parties, including governments.”
But according to Spiegel this is false. I don’t know German, I read the article using google translate, correct me if I’m wrong.
Here is a quote from the article: “Contrary to what has been publicly stated so far, the operators of the messenger app Telegram have released user data to the Federal Criminal Police Office (BKA) in several cases.”
If this is true, the fact that they are lying is very worrying…
0 bytes of user data meaning message content, I suppose.
I don’t think this is what they mean. If you read the whole paragraph they also talk about “[…]the data that is not covered by end-to-end encryption”…
It says that they have nothing to give on Secret chats, and then: “To protect the data that is not covered by end-to-end encryption[…]” … “Thanks to this structure, we can ensure[…]” … “To this day, we have disclosed 0 bytes of user data to third parties, including governments.”
I mean, I would consider phone numbers, IPs, metadata, non-secret chats (I don’t know if that’s a thing, never used Telegram), to be “user data”.
I agree with you here, I’m simply playing devils advocate as to how Telegram can get away with this claim. I trust secret chats on Telegram and use them with my more… spicy acquaintances.
Ahhhh, that’s why furries use Telegram!
I distinctly remember Telegram having given a phone number and account creation date for someone to a government, they didn’t have anything else to provide allegedly.
So basically use signal because they can get the least amount of data.
Matrix isn’t on the list at all.
Discord as well though
Discord is not a secure chat app so it’s not listed. Basically, they can get everything from Discord.
I don’t think the list could have everything
Wasn’t heavily used at the time probably.
matrix doesnt encrypt any metadata at all pretty much, only message content and files uploaded to encrypted rooms are encrypted
In 2020.
Or Telegram, unless you’re a confirmed terrorist.
“I’m not a terrorist” - Subpoena DENIED
Terrorist can be a very broad term. In France the government is using anti terrorism laws against ecologist organisation.
They also incarcerated people from another organisation 3 years ago using the same antiterrorism law, they haven’t found anything against them so now they are accusing them of using signal for their communication and encryption on their phone and laptop.
It’s like a promotional flier for Signal.
Right? The data they can collect there is pretty much entirely useless unless they can also gather the location of last connection. But even then, not terribly helpful.
It seems like Signal, Telegram, and Threema are the best for now. Signal provides the least information, but for the majority of people, the stuff from Telegram are things the government already know, and I’m not sure how useful the Threema information is.
I read it as Threema being about as secure as Signal if you don’t give them your phone number & email and use the Libre version without Google push notifications.
Just BC tele doesn’t share data with FBI… Does mean they don’t share with fsb.
Whilst enlightening, it’s kinda also useless. Let’s be honest the majority of endusers use a particular app, in the main, because its most likely what everyone else in their friend group uses.
In my case WhatsApp, I’d struggle to get all my friends and family to change at this point.
In my case, I was running phone apps on an iPod Touch, and it couldn’t run WhatsApp. So I convinced a core group of friends to get on Signal back Snowden rec’d it. And the way networks operate, it spread out from there.
I feel very lucky and still somewhat skeptical that I was able to get friends and family onboard with Signal. Then I remember (1) most people don’t think twice about installing random apps and (2) most people are best suited for an easy onboarding experience like Signal offers.
You don’t “have to” use apps that compromise your security. If you really want to switch to better practices you can and can still thrive. I got and persuaded my whole company and friend groups off of bad apps. It’s possible.
Took me a moment, but I converted most close contacts to Telegram. Not Meta-infested and solid apps including desktop.
It gets easier the more you already have.
Did this as well. I got my mom over early, but my dad being kicked of Facebook (don’t ask, but you can probably guess) was what finally got everyone to move over in one fell swoop. Pretty much my whole family is, now
I just do it the easy way: I’m using Signal. If you want to text me or receives texts from me then use it.
Now it’s not just my friends but my neighbors now. SMS is straight garbage, I won’t use it.
Wonder what a difference it now makes with the iCloud “advanced Data protection” that provides end to end encryption for iCloud backups etc. in theory that should block the iCloud backup route.
Doesn’t matter if apple will just hand over the encryption keys.
How does apple hand over a key it doesn’t have?
You answered your own question
Yeah this infographic is now out of date with the iCloud changes
I guess if you enable it on your device you are safe, but if your content is on another device that doesn’t enable it (it’s an opt in option), your content will be available.
Advanced data protection is across your entire account, not per device. According to Apple’s documentation they rotate the keys locally on your devices and then delete them from their services so they no longer have a key to give.
Ah the infamous wizardry of the backdoor in encryption discussion.
Thanks for the great summary! Also a good reminder to people that storing your backups on a “as secure as we decide it is” service like iCloud isn’t ideal if you want to protect your data from government snooping.
Edited to remove pre-coffee salt and lack of nuance.
This perspective lacks nuance.
a service like iCloud is a bad idea if you care about your privacy
Like all security and privacy measures, you have to consider your threat profile. From whom are you trying to maintain privacy from? If it’s other people or companies, then using a service like this is perfectly okay. If you’re worried about state actors or governmental agencies coming after you, then you have a very different set of requirements and considerations than most people, and you should plan accordingly.
But saying that services like this aren’t for people who care about their privacy is a little disingenuous. As with all things, it’s a matter of degrees.
Fair point… and I’ll edit the comment to reflect that. Thanks for catching the lack of nuance… guess fasting for 24 hours has me both tired and salty.
Excellent reply to the classic “apple = bad” comment
It’s not so much Apple is bad as “commercial providers, including Apple, aren’t great at privacy.”
I (and many others) would argue Apple is great at privacy, unless you are trying to hide from subpoenas
I feel a lot of people get ‘dragnet surveillance against everyone on the internet’ mixed up with ‘being actively under pressure from a state-level actor’. If the likes of MI5 or the FBI were genuinely after someone they’d need a lot more than an encrypted messaging service and a VPN to avoid them.
I like my current setup but I’m under no illusion it would do much at all against the ‘electric cattle prod and water-boarding’ school of decryption exploits.
Learn from Reddit, don’t give corporations the power to do so and they can’t inevitably abuse that power.
Generally agree, but this document is also from January 2021. Apple brought E2EE to almost all aspects of iCloud in December 2022 including iCloud Backups. It’s opt-in, so theoretically, if you were having a conversation with a contact who didn’t opt-in to E2EE but backed up their iMessages to iCloud, the government could still access your messages via that contact even if you opted-in to E2EE, but still.
This. Apple users should turn it on in settings -> iCloud.
Also depends on if the backup is properly encrypted. If it is, security of whatever storage you use is pretty irrelevant.
This makes me suspicious though, surely if they’ve declassified this that means they want people to see it, so isn’t there a very real chance it’s intentionally misleading?
Basically it’s what they have decided to disclose to law enforcement. So at best it tells you the baseline capabilities of law enforcement.
I think that today, in 2023, some of the information here is outdated. We know that different messages can be intercepted and decrypted. It is labelled as unclassified, which I think might be different from declassified?
Correct it’s labeled as unclassed sensitive info for law enforcement. That just means “don’t share this shit on facebook if you want to keep your job”
Exactly!
well this isn’t as eye opening as I thought it would be. But thank you for the summary, really!
Is there a link to this article or doc or anything?
Found a PCMag article indicating this:
https://www.pcmag.com/news/fbi-document-shows-how-popular-secure-messaging-apps-stack-up
So OP did indicate it’s from 2021. That’s a long time though in tech. So while interesting to see, who knows if this has changed in 2+ years.
Sorry, but the article I found is in French and it doesn’t give any more information. It is just a translation of what is in the picture. I did find these:
https://uk.pcmag.com/security/137344/fbi-document-shows-how-popular-secure-messaging-apps-stack-up
https://therecord.media/fbi-document-shows-what-data-can-be-obtained-from-encrypted-messaging-apps
https://www.androidauthority.com/fbi-document-messaging-apps-3069511/
https://scribe.rip/@ghostisheretwo/sorry-for-the-wait-d216303d1fa4
