# WhatsApp Links: [[Facebook]] ## 2 billion users https://fortunly.com/statistics/whatsapp-statistics/ [[2022-01-06]] *The active number of monthly Whatsapp users is higher than that of Facebook Messenger (1.3 billion), WeChat (1.2 billion), QQ (617 million), and Telegram (500 million). However, the recent changes in WhatsApp’s privacy policy are expected to drive more users away from the popular app in favor of Telegram and other software. The extent of the migration is yet to be seen.* ### [FBI Document Says the Feds Can Get Your WhatsApp Data — in Real Time](https://www.rollingstone.com/politics/politics-features/whatsapp-imessage-facebook-apple-fbi-privacy-1261816/) *A previously unreported FBI document obtained by Rolling Stone reveals that “private” messaging apps WhatsApp and [[iMessage]] are deeply vulnerable to law-enforcement searches* By [[Rolling Stone]] on [[2021-11-29]] (Selected excerpts) But in [a previously unreported FBI document](https://propertyofthepeople.org/document-detail/?doc-id=21114562) obtained by _Rolling Stone_, the bureau claims that it’s particularly easy to harvest data from [Facebook](https://www.rollingstone.com/t/facebook/)’s WhatsApp and Apple’s iMessage services, as long as the [FBI](https://www.rollingstone.com/t/fbi/) has a warrant or subpoena. Judging by this document, “the most popular encrypted messaging apps iMessage and WhatsApp are also the most permissive,” according to Mallory Knodel, the chief technology officer at the Center for Democracy and Technology. While the FBI document raises no questions about the apps’ abilities to keep out hackers and snoops-for-hire, the paper does describe how law-enforcement agencies have multiple legal pathways to extract sensitive user data from the most popular secure messaging tools. The document — titled “Lawful Access” and prepared jointly by the bureau’s Science and Technology Branch and Operational Technology Division — offers a window into the FBI’s ability to legally obtain vast amounts of data from the world’s most popular messaging apps, many of which hype the security and encryption of their services. But WhatsApp is unique in how quickly it can produce data to law-enforcement agencies in response to a so-called pen register — a surveillance request that captures the source and destination of each message for a targeted individual. WhatsApp will produce certain user metadata, though not actual message content, every 15 minutes in response to a pen register, the FBI says. The FBI guide explains that most messaging services do not or cannot do this and instead provide data with a lag and not in anything close to real time: “Return data provided by the companies listed below, with the exception of WhatsApp, are actually logs of latent data that are provided to law enforcement in a non-real-time manner and may impact investigations due to delivery delays.” A WhatsApp spokeswoman confirmed the company’s near-real-time responses to a pen register. But the spokeswoman added that the FBI document omits important context, such as that pen registers for WhatsApp do not yield actual message content and only apply in a forward-looking, not retroactive, manner. The spokeswoman said the company uses end-to-end encryption for the content of users’ messages, which means law enforcement can’t directly access that content, and has defended that message encryption in courts around the world. “We carefully review, validate, and respond to law-enforcement requests based on applicable law, and are clear about this on our website and in regular transparency reports,” the spokeswoman said. ==The FBI document, she added, “illustrates what we’ve been saying — that law enforcement doesn’t need to break end-to-end encryption to successfully investigate crimes.”== - Is metadata extraction acceptable? Not quite the W it seems to be (but it is a good political talking point) In 2017 and 2018, Buzzfeed News published a [series](https://www.buzzfeednews.com/article/jasonleopold/fbi-probe-of-paul-manafort-focuses-on-13-suspicious-wire) of [explosive](https://www.buzzfeednews.com/article/jasonleopold/newly-uncovered-russian-payments-are-a-focus-of-election) [stories](https://www.buzzfeednews.com/article/jasonleopold/maria-butina-paul-erickson-suspicious-bank-money-russia) about former Trump campaign chairman Paul Manafort, the Russian embassy in the U.S., and other high-profile figures that drew on a trove of confidential documents from the Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. In early 2020, a former senior FinCEN adviser named Natalie Edwards [pled guilty](https://www.justice.gov/usao-sdny/pr/former-senior-fincen-employee-pleads-guilty-conspiring-unlawfully-disclose-suspicious) to leaking so-called Suspicious Activity Reports to an unnamed reporter, and Edwards later [said](https://www.buzzfeednews.com/article/davidmack/fincen-natalie-mayflower-sours-edwards-sentencing) she was a source for Buzzfeed’s reporting. A judge later [sentenced](https://www.justice.gov/usao-sdny/pr/former-senior-fincen-employee-sentenced-six-months-prison-unlawfully-disclosing) Edwards to six months in prison. According to the FBI’s criminal complaint in the case and [subsequent reporting](https://www.propublica.org/article/how-facebook-undermines-privacy-protections-for-its-2-billion-whatsapp-users), Edwards and a Buzzfeed reporter exchanged hundreds of messages on WhatsApp, which they believed to be a safe place to communicate. Instead, authorities would later use those WhatsApp messages to make their case against Edwards. “WhatsApp offering all of this information is devastating to a reporter communicating with a confidential source,” says [Daniel Kahn Gillmor](https://www.aclu.org/news/by/daniel-kahn-gillmor/), a senior staff technologist at the ACLU. ### [[iMessage]] The other tech giant that can be compelled by law enforcement to hand over potentially large amounts of sensitive messaging data is Apple. iMessage, Apple’s text-message service, comes loaded on the iPhone and is used by [1.3 billion people](https://www.forbes.com/sites/zakdoffman/2021/07/31/apple-imessage-beaten-by-whatsapp-for-iphone-ipad-mac-users-after-update/) worldwide. ==According to the FBI’s “Lawful Access” guide, if served with a court order or a search warrant, Apple must hand over basic subscriber information as well as 25 days’ worth of data about queries made in iMessage, such as what a targeted user looked up in iMessage and also which other people searched for that targeted user in the app. That doesn’t include actual message content or whether messages were exchanged between different users.== ### [[Apple]] [[iCloud]] But the amount of data available to law enforcement is potentially far greater — greater even than the user data provided by WhatsApp — if a targeted user backs up their iMessage activity to iCloud, Apple’s online storage platform. If that’s the case, the FBI document says, then law enforcement can request back-ups of the target’s device, including actual messages sent and received in iMessage if they’re backed up in the cloud. While Apple [describes](https://support.apple.com/en-us/HT202303) [[iCloud]] as an encrypted service, it comes with a giant loophole. ==Apple holds an encryption key that can unlock user data in iCloud, and so police departments or federal agencies can request that key with a search warrant or a customer’s consent to access certain user data. “You’re handing someone else the key to hold onto on your behalf,” says Mallory Knodel of the Center for Democracy and Technology. “Apple has encrypted iCloud but they still have the keys, and as long as they have the key, the FBI can ask for it.”== Daniel Kahn Gillmor, the ACLU senior staff technologist, says Apple has the ability to implement end-to-end encryption for iCloud. But the company [reportedly abandoned plans](https://www.reuters.com/article/us-apple-fbi-icloud-exclusive/exclusive-apple-dropped-plan-for-encrypting-backups-after-fbi-complained-sources-idUSKBN1ZK1CT) to do so after federal law-enforcement agencies put pressure on Apple, saying fully encrypting iCloud backups would interfere with the government’s investigative abilities. “For cloud-based backup providers, they could if they want to lock themselves out of their users’ data,” Gillmor says. “iCloud has not made that choice for iMessage backups.” There are several messaging apps listed in the FBI document for which minimal data is available to law enforcement without the actual device in hand. [[Signal]] will provide only the date and time someone signed up for the app and when the user last logged into the app. [[Wickr]] will give law enforcement data about the device using the app, when someone created their account, and basic subscriber info, but not detailed metadata, the FBI document says. But the number of users on Signal and Wickr, while growing, pales in comparison to WhatsApp and iMessage, which the FBI’s own guide describes as two of the most permissible secure-messaging apps in existence. And that imbalance raises questions about the complaints from law-enforcement agencies about secure and encrypted messaging apps interfering with their ability to investigate crimes. ==Wessler of the ACLU says the FBI’s “Lawful Access” should act as a reality check the next time police officers or FBI officials insist that encrypted messaging hampers their work. “As we can see, [those complaints are] completely overblown and not representative of how much information they continue to have access to even from these encrypted communication platforms,” he says.==