Are We Really "Going Dark"? -- The DEA and Apple's iMessage [FEATURE]
special to Drug War Chronicle by veteran investigative crime journalist Clarence Walker, [email protected]
When the tech world news web site CNET published excerpts of a leaked DEA memo explaining how, during an investigation, the agency was unable to access the messages of drug dealers using the Apple iMessage system built into a Verizon cell phone, it ignited a media frenzy. "It is impossible to intercept iMessages between two Apple devices," even with a court order approved by a judge, DEA complained.
[image:1 align:right]The DEA's warning, marked "law enforcement sensitive," was the most detailed example yet of the technological obstacles law enforcement faces when attempting to conduct court-authorized surveillance on non-traditional forms of communication. Federal law enforcers have coined the catchy phrase "Going Dark" to illustrate the problem.
News stories and tech blogs nationwide highlighted the effectiveness of Apple's encryption protection from privacy invaders, particularly law enforcement. (See, for example, stories here and here.) Amidst the frenzy, what went little noted was that no one's private messages held by Apple's iMessage or any other cell phone service are actually immune from federal government snooping. Under the Stored Communications Act (SCA), if the DEA wants access to someone's messaging communications, all it has to do is get a warrant to review those messages.
Why most media accounts neglected to mention this basic fact is uncertain, but the failure to do so not only misled readers into believing their iMessage communications were secure from government spying, it also fed into and reinforced a narrative being constructed by federal law enforcement agencies -- that rapid advances in telecommunications technologies are leaving the government in danger of "Going Dark" when it comes to its ability to surveil its citizens, and something needs to be done to fix the "problem."
"Apple iMessage users should be aware that regardless of what they heard last week, their messages can be easily obtained by law enforcement pursuant to a warrant under the Electronic Communication Act [ECPA]," said Alan Butler, an in-house attorney with the Electronic Privacy Information Center (EPIC). "The ECPA provides in Title 111, commonly referred to as the Stored Communication Act, that a government entity may require the disclosure of electronic communications held by a provider electronic storage," Butler told the Chronicle by email. Even though the messages are encrypted by the phone company as they are sent by iMessage, Apple can decrypt messages and hand them over to law enforcement with a warrant!"
[image:2 align:left]"Nothing about the DEA memo says anything about trying to crack iMessage," Cato Institute analyst Julian Sanchez told the Chronicle in an email. "All it really says is that an ordinary wiretap on a cellphone's text messages isn't going to pick up iMessages, which is a no brainer because iMessages go over the Internet and not over a cell carrier."
The case that inspired the DEA memo centers around a drug investigation in Texas back in February where it was unable to intercept iMessages even though a federal judge had issued a court order approving the DEA's interception of the suspects' discussions about drug deals. Although the Federal Wiretap Act allows real-time surveillance of a device or computer, the DEA discovered in the February case that most records obtained from Verizon -- the carrier of the suspect's device -- were incomplete.
Cell phone surveillance is a key tool for law enforcement in monitoring criminal activity. The New York Times reported last June that federal, state, and local officials nationwide had requested assorted cell phone data 1.3 million times in the previous year. But iMessages can be sent through iPhones, iPads, and even Macs running the OS platform with the capability to bypass the text messaging services of a cell phone carrier. Apple revealed in January that it sees over 2 billion messages sent each day from a half-billion iOS and Mac devices that uses the iMessage to keep private conversations and text messages secure from snooping.
When iMessage was launched in 2011, company executives boasted about its "secure end-to-end" encryption, and some critics say the leaking of the DEA memo is a clever scheme by the feds to help convince lawmakers to mandate that all communication systems, including social media and internet messaging systems have a back-door mechanism to allow government access to the data.
Cato's Sanchez explained why he was leery of the DEA memo and the motives for its leaking.
[inline:alan-butler-200px.jpg align=right caption="EPIC attorney Alan Butler"]"If this leak came from law enforcement, and that's mostly who would have access to this memo, I wonder why someone would leak it," he said. "One reason might be to support the larger 'Going Dark' campaign by the Department of Justice. Another reason might be the hope that drug dealers will mistakenly assume iMessages are safe and get lazy. Those are two possibilities worth thinking about."
The DEA also complained "that iMessages between two Apple devices are considered encrypted communication and cannot be intercepted regardless of the cell phone service provider," even though in the same memo, it conceded that "sometimes the messages can be intercepted depending where the intercept is placed."
Was the DEA memo leak part of an ongoing campaign to revamp the federal laws governing surveillance of electronic communications? That's hard to prove, but showing that there is such a campaign is less difficult.
In February testimony to the House Judiciary Committee's Subcommittee on Crime, Terrorism, and Homeland Security, FBI General Counsel Valerie Caproni coined the term "Going Dark" to describe what she called federal law enforcement's rapidly diminishing ability to monitor high-tech communications products as technologies advanced over the past 10 to 15 years. Caproni singled out "social-networking sites, web-based email and peer-to-peer communications."
Other federal officials have been making similar noises.
"The FBI simply can't keep up with criminals taking advantage of online communication to hide evidence of their actions," FBI lawyer Andrew Weissman said last month during a meeting with American Bar Association.
The FBI and other federal law enforcers claim there is a growing gap between the legal authority of federal and other law enforcement agencies to intercept electronic communications pursuant to court order or direct warrant under the Communications Assistance Law Enforcement Act (CALEA) and their ability to actually do so. And they want new legislation to fix that.
Passed in 1994, CALEA law initially ordered phone companies to create a mechanism to have their systems conform to a wiretap in real-time surveillance. The Federal Communications Commission (FCC) extended CALEA in 2005 to apply to broadband providers, such as universities and Internet service providers, but messaging and social media services, such as Google Talk, Skype, Myspace, Yahoo and Facebook, as well as encrypted devices like Blackberry and Apple communications are not covered.
The FBI argues that "Going Dark" is a real and threatening possibility, with increased risk to national security and public safety. And the FCC has joined forces with the FBI by considering updating CALEA to require that digital products equipped with video or voice chats over the Internet, including Skype and Google Box Live, to rejigger their systems to allow the feds to monitor criminal activity as it happens in real time.
"We have noticed a massive upstick in the amount of FCC-CALEA inquiries within the last year, most of which are intended to address 'Going Dark' issues," said Chris Canter, a lead compliance counsel at Marashlian & Donahue , a law firm specializing in CALEA law. "This generally means that the FCC is laying the groundwork for regulatory action," he told the Chronicle.
"If we applied the FBI's logic to the cell phone carriers, it would state that every individual phone should be designed with built-in bugs," the Electronic Frontier Foundation said in a statement on CALEA. "Consumers would simply have to trust law enforcement or the phone companies not to activate those bugs without just cause."
EFF filed a Freedom of Information Act (FOIA) request with the FBI and other federal law enforcement agencies showing how the feds might try to justify forcing high-tech services to rewire their systems for expanded wiretapping purposes. The FOIA requested "information concerning the difficulties that the FBI and DOJ has encountered in conducting authorized electronic surveillance."
But so far, the Department of Justice has withheld the bulk of relevant information on the topic, provoking San Francisco US District Court Judge Richard Seeborg to order the feds to turn over the records. No court date scheduled for the feds to comply.
While law enforcement is calling for legislative changes to aid its work, critics insist that even if Congress refuses to pass laws to tackle the "Going Dark" problem, investigators can still obtain a special warrant allowing them to sneak into private residences and businesses to install a keystroke-logging system onto a computer or other devices to record passwords to unlock data they need to make a case.
The DEA adopted this same technique in the Texas case and another case where suspected drug dealers used PGP and the encrypted Web-email service identified in court records as Hushmail.com. Investigators can also send a malware to gain control of a targeted cell phone to extract the text messages, or as a last resort, obtain a warrant to seize the physical device and perform a traditional forensic analysis.
"New technologies frequently create uncertainty and the law is slow to adapt while leaving us to fight over how much surveillance we can tolerate in a free society," noted EPIC attorney Butler. "No one has quite figured out how to strike that balance in every case. However, the Fourth Amendment requires that our persons, houses, papers, and effects be protected from unreasonable search and seizures."
The battle between the imperatives of law enforcement and the privacy rights of Americans is never definitively won. Instead, it is better viewed as a never-ending series of skirmishes. And the contested terrain of this particular skirmish is your iPad.
Comments
Control Freak Freak-Out
So the DEA can't keep us safe without knowing everything we're saying and doing, in real time, and without a warrant? Really?
This is how it works: first the government takes a big chunk of your civil liberties away, promising everyone additional magic protection, and it isn't enough. It doesn't solve anything. Then it's done again, and again, with the same results. More is not better. Finally, no freedom exists because there's no anonymity, and whatever alleged social or political problem motivated the government's eavesdropping or prohibition solution still exists. Not only does it still exist, it thrives, and a new problem emerges with powers that threaten to target citizens as political, racial, or religious enemies by their own government.
If the electronic frontier and other convenient forms of information are totally surveilled, the opponents will adapt. And then what?
Maybe universal health care, going solar, and legalizing illicit drugs are the answers--solutions falling under the general categories of self-sustainability, independence and freedom--all things having a long track record of success.
internet privacy
PGP is a safe and secure means of encrypting email messages provided one uses a laptop that requires a passphrase to get in it (the computer) and a good strong passphrase for your private key. Hopefully, the individual(s) one is sending encrypted emails to has also taken the precautions of strong passphrases for both their computers and their PGP private keys. Strong passphrases include use of upper and lower case letters, numbers,and special characters ie. %, $, # and so forth. Resist the temptation to use easy passwords like (password) as it makes it so much easier for intruders to crack. All parties involved in the secure email chain need to be aware that laziness and inattention to detail is what hackers and crackers look for. I don't know for sure, but I'd almost bet a paycheck those dealers in Texas were either lazy or didn't take COMSEC seriously. Remember, somebody's always listening and/or trying to gain access to ones system and communications. Don't be a victom. Cheers.
How to Send Secure iMessages
I admit I read neither the leaked memo nor the original article when it came out a while ago. However, you CAN have secure iMessages; spend a whopping $20 and buy Mac OS X Server and run the server yourself. Then you will control the private key(s). On the clients, open the Messages app (10.8) and Messages > Preferences > Accounts and delete all but Bonjour then click the + sign at the bottom and under Account Type choose "Jabber" and enter the information about your server. Ta da!
Do not jailbreak your phone. Do run whole disk encryption on your Mac and put it in a secure location where it's physically protected. If you must use the computer use a non-admin account and don't load any plugins or use JavaScript, and only connect to hosts via SSL, i.e. https and other secure protocols. and on and on.
I also admit I didn't read the whole spiel when I signed up for an Apple's Messages but I'm sure it contains the so-called standard language that they do not intentionally share info with LE unless there's a warrant. However, it's hard to know these days with so much corruption and bullying going on from the govt.
If you want better control over privacy in communications use email. It can be encrypted with third party tools like PGP mentioned above, the GNU version, or use /Applications/Utilities/Keychain.app and create your own Certificate Authority and then create your own certificates which you control and create for others to whom you want to securely communicate. Once in the app use the menu Keychain Access > Certificate Assistant > Create a Certificate Authority …
My sense is that Apple has really dragged its heels in improving the user friendliness of this software (Keychain and creating Certificate Authorities and generally integrating them with the ton of server apps they ship as part of the default OS install). It should be MUCH easier to use. I'm sad to say I think it's still so difficult due to pressure from the, well, you know who. The monsters who think they own you and have elevated themselves to GOD status over everyone and must be able to spy on anyone they want, whenever they want.
I totally agree with the 4th paragraph (except for the discrepancy I note above). I too have no doubt it's a dual edged ploy: 1) make Mac/iOS users think they are sending top secret message that NO ONE in the middle can read and 2) deceive everyone into thinking we need to make backdoors in every OS and all apps to let the "good guys" be our big brother to protects us from the "bad guys."
"…Even though the messages are encrypted by the phone company as they are sent by iMessage…"
Actually Verizon probably does ZERO encryption on their side. The encryption is done on the device.
Here's the bottom line: If you are using an IM account on Apple's servers then for sure you are encrypting using their public key. Apple will definitely be able to read the message. But if you use an IM account on your server then they WILL NOT, and EVERYONE IN BETWEEN WILL NOT be able to read the message.
even though in the same memo, it conceded that "sometimes the messages can be intercepted depending where the intercept is placed."
If you jailbreak your device you should no longer trust it. If you have not jailbroken your iPhone/iPad then nefarious agents (crooks and govt. alike) can only read your messages via installing software on your device (for various reasons, including the certificates on your device are trustworthy, with ultra-rare caveats) or through a jailbreak hack themselves which they trick you into doing.
All that said, one thing I think is important to keep in mind and tell legislators is to reject the infantile characterizations many use of "good guys and bad guys." Jesus condemned the religious/economic/political/judicial/etc… leaders of his day as "looking good on the outside but on the inside being full of dead people's bones, everything disgusting, and corruption." [Matthew 23:27-28] This pattern is repeated throughout history often, before then and after. Tons of people in power torture and kill others because they claim they are the good guys ridding us of the bad guys. The Spanish Inquisition, Nazism, racism, drug prohibition, etc…
I'm reminded of a quote I feature by H. L. Mencken: https://ChristiansAgainstProhibition.org/node/720/
The trouble with fighting for human freedom is that one spends most of one’s time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all.
And I would add that often times those who are far worse than scoundrels are behind the oppressive laws, before too long they are torturing you or burning you at the stake or burning thousands of you in ovens or forcing your political leaders to …
So free speech can suck at times, like when some asshole is trashing you, but it's sure better than having to get approval of everything you might say from the overlords who appointed themselves and their cronies over you.
Some other security tidbits:
• DO NOT put your passwords in the Notes field in your Addressbook/Contacts app!!!
• In the Contacts app > Preferences > Card > and UNcheck Export notes in vCards so that if/when you share contact info none of the note information goes along
• CHECK "Enable private me card" and Card > Go to my card then Edit > Edit card… and uncheck any of the fields in your card you don't want to share with others when you send them your card.
This has been a public service announcement.
This sounds like they cant
This sounds like they cant make warrantless surveillance. Awesome!
Don't count on it
Mr. Bongstar 420, I wouldn't bet my freedom on that assumption. Our 4th and 5th amendment freedoms are only as strong as the courts make them, and the government is ALWAYS devising new ways to circumvent them. Don't take anything for granted. Cheers.
Protecting Freedom
Perhaps the Tor network approach to anti- surveillance could help solve this traffic-analysis problem in the alternative community. I suggest those in-the-life check out Tor.
Add new comment