Special to Drug War Chronicle by veteran investigative crime journalist Clarence Walker, firstname.lastname@example.org
When the tech world news web site CNET published excerpts of a leaked DEA memo explaining how, during an investigation, the agency was unable to access the messages of drug dealers using the Apple iMessage system built into a Verizon cell phone, it ignited a media frenzy. "It is impossible to intercept iMessages between two Apple devices," even with a court order approved by a judge, DEA complained.
News stories and tech blogs nationwide highlighted the effectiveness of Apple's encryption protection from privacy invaders, particularly law enforcement. Amidst the frenzy, what went little noted was that no one's private messages held by Apple's iMessage or any other cell phone service are actually immune from federal government snooping. Under the Stored Communications Act (SCA), if the DEA wants access to someone's messaging communications, all it has to do is get a warrant to review those messages.
Why most media accounts neglected to mention this basic fact is uncertain, but the failure to do so not only misled readers into believing their iMessage communications were secure from government spying, it also fed into and reinforced a narrative being constructed by federal law enforcement agencies -- that rapid advances in telecommunications technologies are leaving the government in danger of "Going Dark" when it comes to its ability to surveil its citizens, and something needs to be done to fix the "problem."
"Apple iMessage users should be aware that regardless of what they heard last week, their messages can be easily obtained by law enforcement pursuant to a warrant under the Electronic Communication Act [ECPA]," said Alan Butler, an in-house attorney with the Electronic Privacy Information Center (EPIC). "The ECPA provides in Title 111, commonly referred to as the Stored Communication Act, that a government entity may require the disclosure of electronic communications held by a provider in electronic storage," Butler told the Chronicle by email. "Even though the messages are encrypted by the phone company as they are sent by iMessage, Apple can decrypt messages and hand them over to law enforcement with a warrant!"
The case that inspired the DEA memo centers on a drug investigation in Texas back in February in which the agency was unable to intercept iMessages even though a federal judge had issued a court order approving the DEA's interception of the suspects' discussions about drug deals. Although the Federal Wiretap Act allows real-time surveillance of a device or computer, the DEA discovered in the February case that most records obtained from Verizon -- the carrier of the suspect's device -- were incomplete.
Cell phone surveillance is a key tool for law enforcement in monitoring criminal activity. The New York Times reported last June that federal, state, and local officials nationwide had requested assorted cell phone data 1.3 million times in the previous year. But iMessages can be sent through iPhones, iPads, and even Macs running the OS platform, and they can bypass the text messaging services of a cell phone carrier. Apple revealed in January that it sees over 2 billion messages sent each day from a half-billion iOS and Mac devices that use iMessage to keep private conversations and text messages secure from snooping.
When iMessage was launched in 2011, company executives boasted about its "secure end-to-end" encryption, and some critics say the leaking of the DEA memo is a clever scheme by the feds to help convince lawmakers to mandate that all communication systems, including social media and internet messaging systems, have a back-door mechanism to allow government access to the data.
Cato's Sanchez explained why he was leery of the DEA memo and the motives for its leaking.
The DEA also complained "that iMessages between two Apple devices are considered encrypted communication and cannot be intercepted regardless of the cell phone service provider," even though in the same memo, it conceded that "sometimes the messages can be intercepted depending where the intercept is placed."
Was the DEA memo leak part of an ongoing campaign to revamp the federal laws governing surveillance of electronic communications? That's hard to prove, but showing that there is such a campaign is less difficult.
In February testimony to the House Judiciary Committee's Subcommittee on Crime, Terrorism, and Homeland Security, FBI General Counsel Valerie Caproni coined the term "Going Dark" to describe what she called federal law enforcement's rapidly diminishing ability to monitor high-tech communications products as technologies advanced over the past 10 to 15 years. Caproni singled out "social-networking sites, web-based email and peer-to-peer communications."
Other federal officials have been making similar noises.
"The FBI simply can't keep up with criminals taking advantage of online communication to hide evidence of their actions," FBI lawyer Andrew Weissman said last month during a meeting with the American Bar Association.
The FBI and other federal law enforcers claim there is a growing gap between the legal authority of federal and other law enforcement agencies to intercept electronic communications pursuant to court order or direct warrant under the Communications Assistance for Law Enforcement Act (CALEA) and their ability to actually do so. And they want new legislation to fix that.
Passed in 1994, CALEA initially ordered phone companies to create a mechanism to make their systems conform to a wiretap for real-time surveillance. The Federal Communications Commission (FCC) extended CALEA in 2005 to apply to broadband providers, such as universities and Internet service providers, but messaging and social media services, such as Google Talk, Skype, Myspace, Yahoo and Facebook, as well as encrypted devices like Blackberry and Apple communications, are not covered.
The FBI argues that "Going Dark" is a real and threatening possibility, with increased risk to national security and public safety. And the FCC has joined forces with the FBI by considering updating CALEA to require digital products equipped with video or voice chats over the Internet, including Skype and Google Box Live, to rejigger their systems to allow the feds to monitor criminal activity as it happens in real time.
"We have noticed a massive uptick in the amount of FCC-CALEA inquiries within the last year, most of which are intended to address 'Going Dark' issues," said Chris Canter, a lead compliance counsel at Marashlian & Donahue, a law firm specializing in CALEA law. "This generally means that the FCC is laying the groundwork for regulatory action," he told the Chronicle.
"If we applied the FBI's logic to the cell phone carriers, it would state that every individual phone should be designed with built-in bugs," the Electronic Frontier Foundation said in a statement on CALEA. "Consumers would simply have to trust law enforcement or the phone companies not to activate those bugs without just cause."
EFF filed a Freedom of Information Act (FOIA) request with the FBI and other federal law enforcement agencies showing how the feds might try to justify forcing high-tech services to rewire their systems for expanded wiretapping purposes. The FOIA requested "information concerning the difficulties that the FBI and DOJ has encountered in conducting authorized electronic surveillance."
But so far, the Department of Justice has withheld the bulk of relevant information on the topic, provoking San Francisco US District Court Judge Richard Seeborg to order the feds to turn over the records. No court date has been scheduled for the feds to comply.
While law enforcement is calling for legislative changes to aid its work, critics insist that even if Congress refuses to pass laws to tackle the "Going Dark" problem, investigators can still obtain a special warrant allowing them to sneak into private residences and businesses to install a keystroke-logging system onto a computer or other devices to record passwords to unlock data they need to make a case.
The DEA adopted this same technique in the Texas case and another case where suspected drug dealers used PGP and the encrypted Web-email service identified in court records as Hushmail.com. Investigators can also send malware to gain control of a targeted cell phone to extract the text messages, or as a last resort, obtain a warrant to seize the physical device and perform a traditional forensic analysis.
"New technologies frequently create uncertainty and the law is slow to adapt while leaving us to fight over how much surveillance we can tolerate in a free society," noted EPIC attorney Butler. "No one has quite figured out how to strike that balance in every case. However, the Fourth Amendment requires that our persons, houses, papers, and effects be protected from unreasonable search and seizures."
The battle between the imperatives of law enforcement and the privacy rights of Americans is never definitively won. Instead, it is better viewed as a never-ending series of skirmishes. And the contested terrain of this particular skirmish is your iPad.