Not every secure messaging app is as safe as it would like us to think. And some are safer than others.
A recently disclosed FBI training document [dated January 7, 2021] shows how much access to the content of encrypted messages from secure messaging services US law enforcement can gain and what they can learn about your usage of the apps.
The infographic shows details about iMessage, Line, Signal, Telegram, Threema, Viber, WeChat, WhatsApp, and Wickr. All of them are messaging apps that promise end-to-end encryption for their users. And while the FBI document does not say this isn’t true, it reveals what type of information law enforcement will be able to unearth from each of the listed services.
Note: A pen register is an electronic tool that can be used to capture data regarding all telephone numbers that are dialed from a specific phone line. So if you see that mentioned below it refers to the FBI’s ability to find out who you have been communicating with.
iMessage
iMessage is Apple’s instant messaging service. It works across Macs, iPhones, and iPads. Using it on Android is hard because Apple uses a special end-to-end encryption system in iMessage that secures the messages from the device they’re sent on, through Apple’s servers, to the device receiving them. Because the messages are encrypted, the iMessage network is only usable by devices that know how to decrypt the messages. Here’s what the document says it can access for iMessage:
- Message content limited.
- Subpoena: Can render basic subscriber information.
- 18 USC §2703(d): Can render 25 days of iMessage lookups and from a target number.
- Pen Register: No capability.
- Search Warrant: Can render backups of a target device; if the target uses iCloud backup, the encryption keys should also be provided with the content return. Can also acquire iMessages from iCloud returns if the target has enabled Messages in iCloud.
Line
Line is a freeware app for instant communications on electronic devices such as smartphones, tablets, and personal computers. In July 2016, Line Corporation turned on end-to-end encryption by default for all Line users, after it had earlier been
available as an opt-in feature since October 2015. The document notes on Line:
- Message content limited.
- Suspect’s and/or victim’s registered information (profile image, display name, email address, phone number, LINE ID, date of
- registration, etc.)
- Information on usage.
- Maximum of seven days’ worth of specified users’ text chats (Only when end-to-end encryption has not been elected and applied and only when receiving an effective warrant; however, video, picture, files, location, phone call audio, and other such data will not be disclosed).
Signal
Signal is a cross-platform centralized encrypted instant messaging service. Users can send one-to-one and group messages, which can include files, voice notes, images, and videos. Signal uses standard cellular telephone numbers as identifiers and secures all communications to other Signal users with end-to-end encryption. The apps include mechanisms by which users can independently verify the identity of their contacts and the integrity of the data channel. The document notes about Signal:
- No message content.
- Date and time a user registered.
- Last date of a user’s connectivity to the service.
This seems to be consistent with Signal’s claims.
Telegram
Telegram is a freeware, cross-platform, cloud-based instant messaging (IM) system. The service also provides end-to-end encrypted video calling, VoIP, file sharing, and several other features. There are also two official Telegram web twin apps—WebK and WebZ—and numerous unofficial clients that make use of Telegram’s protocol. The FBI document says about Telegram:
- No message content.
- No contact information was provided for law enforcement to pursue a court order. As per Telegram’s privacy statement, for confirmed terrorist investigations, Telegram may disclose IP and phone numbers to relevant authorities.
Threema
Threema is an end-to-end encrypted mobile messaging app. Unlike other apps, it doesn’t require you to enter an email address or phone number to create an account. A user’s contacts and messages are stored locally, on each user’s device, instead of on the server. Likewise, your public keys reside on devices instead of the central servers. Threema uses the open-source library NaCl for encryption. The FBI document says it can access:
- No message content.
- Hash of phone number and email address, if provided by the user.
- Push Token, if push service is used.
- Public Key
- Date (no time) of Threema ID creation.
- Date (no time) of the last login.
Viber
Viber is a cross-platform messaging app that lets you send text messages, and make phone and video calls. Viber’s core features are secured with end-to-end encryption: calls, one-on-one messages, group messages, media sharing, and secondary devices. This means that the encryption keys are stored only on the clients themselves and no one, not even Viber itself, has access to them. The FBI notes:
- No message content.
- Provides account (i.e. phone number) registration data and IP address at the time of creation.
- Message history: time, date, source number, and destination number.
WeChat is a Chinese multi-purpose instant messaging, social media, and mobile payment app. User activity on WeChat has been known to be analyzed, tracked, and shared with Chinese authorities upon request as part of the mass surveillance network in China. WeChat uses symmetric AES encryption but does not use end-to-end encryption to encrypt users’ messages. The FBI has less access than the Chinese authorities and can access:
- No message content.
- Accepts account preservation letters and subpoenas, but cannot provide records for accounts created in China.
- For non-China accounts, they can provide basic information (name, phone number, email, IP address), which is retained for as long as the account is active.
WhatsApp, is an American, freeware, cross-platform centralized instant messaging and VoIP service owned by Meta Platforms.[ formerly FaceBook] It allows users to send text messages and voice messages, make voice and video calls, and share images, documents, user locations, and other content. WhatsApp’s end-to-end encryption is used when you message another person using WhatsApp Messenger. The FBI notes:
- Message content limited.
- Subpoena: Can render basic subscriber records.
- Court order: Subpoena return as well as information like blocked users.
- Search warrant: Provides address book contacts and WhatsApp users who have the target in their address book contacts.
- Pen register: Sent every 15 minutes, provides source and destination for each message.
- If target is using an iPhone and iCloud backups enabled, iCloud returns may contain WhatsApp data, including message content.
Wickr
Wickr has developed several secure messaging apps based on different customer needs: Wickr Me, Wickr Pro, Wickr RAM, and Wickr Enterprise. The Wickr instant messaging apps allow users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments. Wickr was founded in 2012 by a group of security experts and privacy advocates but was acquired by Amazon Web Services. The FBI notes:
- No message content.
- Date and time account created.
- Type of device(s) app installed on.
- Date of last use.
- The number of messages.
- The number of external IDs (email addresses and phone numbers) connected to the account, but not to plaintext external ID themselves.
- Avatar image.
- Limited records of recent changes to account settings such as adding or suspending a device (does not include message content or routing and delivery information).
- Wickr version number.
Conclusion
If there is one thing clear from the information in this document it’s that most, if not all, of your messages, are safe from prying eyes in these apps, unless you’re using WeChat in China. Based on the descriptions, you can check out which apps are available on your favorite platform and which of the bullet points are relevant to you, to decide which app is a good choice for you.
The safest way however is to make sure the FBI doesn’t consider you a person of interest. In those cases even using a special encrypted device can pose some risks.
Stay safe, everyone!