Unfortunately, it is an undeniable fact that there is no way to fully protect our privacy on the Internet. While we personally or companies try to protect our data and make it difficult to access it, the same effort is made by those who want to access it. Today, a topic that has already been joked around on the internet for a long time has turned out to be actually applicable.
According to an FBI document that Rolling Stone says it has seized, the FBI reveals that it is extremely easy to obtain data from WhatsApp and iMessage applications through legal means. The document in question also reveals that there are multiple legal ways to seize users’ sensitive information.
Here is the FBI’s resulting document:
The FBI’s non-confidential document, which you can access from this link, does not contain information about the security levels of applications. Instead, it explains what information can be obtained through legal means, specific to applications. When we directly translate the information in the document dated July 7, 2021, the following table emerges:
What information about the user can be obtained from which application?
- iMessage: Subscriber data, message recipient and sender information, device backup, encryption keys, date/time information, recording time information, user’s directory.
- Line: Subscriber data, message recipient and sender information, user’s directory, date/time information, recording time information
- Signal: Date/time information, recording time information
- Telegram: Recording time information
- Threema: Subscriber data, registration time information, date/time information, encryption keys
- Viber: Subscriber data, date/time information, IP address, encryption keys, registration time information
- WeChat: Subscriber data, registration time information, IP address
- WhatsApp: Subscriber data, registration time information, date/time information, user’s contacts, message recipient and sender information
- Wickr: Subscriber data, registration time information, date/time information
When we look at this table, it is very clear that the messaging applications where your data is most secure are Signal and Telegram.
On the other hand, the legal decisions taken according to the information provided by the FBI allow the FBI to access the following information:
iMessage:
- Message content is shown as limited.
- With the notification, basic level subscriber information can be obtained.
- 25-day conversations with a target number with an intelligence access decision (18 U. S. Code § 2709) can be seen.
- Pen registration: No information is provided.
- Search order: Backups of the target device can be accessed, encryption keys are also given if iCloud is used. If the target has enabled messages in iCloud, messages can also be received from here.
Line:
- Message content is limited (maximum 7 days).
- The suspect/victim’s registered information such as phone number, profile photo and e-mail address can be accessed.
- Usage information can be obtained.
Signal:
- Message contents are not given.
- The date and time of the user’s registration is given.
- Information about the last time the user was online.
Telegram:
- Message contents are not given.
- No contact information provided.
- In confirmed terrorist investigations, IP addresses and phone numbers can be submitted to the relevant authorities.
Threema:
- No message content is given.
- The hash of the phone number and email address is served if the user provided this information.
- Push Token is issued if push service is used.
- Public Key is available.
- Registered date (without time) is given.
- The last login date (without time) is given.
Viber:
- No message content is given.
- Provides account creation details and when it was created.
- Message history (date, time, source phone number and destination phone number) is available.
WeChat:
- No message content is given:
- Accepts notifications and protection letters, but does not provide information about accounts created in China.
- Provides basic information about non-Chinese accounts (as long as the account is active).
WhatsApp:
- Limited message content is given (if the target is using iPhone and has iCloud backups enabled).
- Notice: Basic subscription information is offered.
- Court order: Blocked user information is offered along with basic subscription information.
- Search order: Provides information about the registered contacts in the directory and who the target is registered in.
- Pen registration: Source and destination information is presented for each message every 15 minutes.
Wickr:
- No message content is given.
- The date and time the account was created is given.
- Information about the type of device on which the application is installed.
- The date the application was last used is given.
- Information is given about how many messages there are in total.
- Information such as e-mail address and phone number associated with the account are given, but these are not given directly, but as ‘External ID’.
- Avatar image is given.
- Limited information about recent changes to account settings.
- Wickr version number is given.
To sum up, iMessage and WhatsApp, two giant messaging apps that are constantly trying to market themselves on security, reveal more of our knowledge than other messaging apps.