Apple's iMessage encryption trips up feds' surveillance

Internal document from the Drug Enforcement Administration complains that messages sent with Apple's encrypted chat service are "impossible to intercept," even with a warrant.

The DEA is not happy about Apple's iMessage transmissions, which it says are "considered encrypted communication and cannot be intercepted."
The DEA is not happy about Apple's iMessage transmissions, which it says are "considered encrypted communication and cannot be intercepted." Getty Images

Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals.

An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, "it is impossible to intercept iMessages between two Apple devices" even with a court order approved by a federal judge.

The DEA's warning, marked "law enforcement sensitive," is the most detailed example to date of the technological obstacles -- FBI director Robert Mueller has called it the "Going Dark" problem -- that police face when attempting to conduct court-authorized surveillance on non-traditional forms of communication.

Excerpt from an iMessage "Intelligence Note" prepared by the Drug Enforcement Administration and obtained by CNET.
Excerpt from an iMessage "Intelligence Note" prepared by the Drug Enforcement Administration and obtained by CNET. Click for larger image. DEA

When Apple's iMessage was announced in mid-2011, Cupertino said it would use "secure end-to-end encryption." It quickly became the most popular encrypted chat program in history: Apple CEO Tim Cook said last fall that 300 billion messages have been sent so far, which are transmitted through the Internet rather than as more costly SMS messages carried by wireless providers.

A spokeswoman for the DEA declined to comment on iMessage and encryption. Apple also declined to comment.

The DEA's "Intelligence Note" says that iMessage came to the attention of the agency's San Jose, Calif., office as agents were drafting a request for a court order to perform real-time electronic surveillance under Title III of the Federal Wiretap Act. They discovered that records of text messages already obtained from Verizon Wireless were incomplete because the target of the investigation used iMessage: "It became apparent that not all text messages were being captured."

This echoes what other law enforcement agencies have been telling politicians on Capitol Hill for years. Last May, CNET reported that the FBI has quietly asked Web companies not to oppose a law that would levy new wiretap requirements on social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail. During an appearance two weeks later at a Senate hearing, the FBI's Mueller confirmed that the bureau is pushing for "some form of legislation."

Andrew Weissmann, the FBI's general counsel, said last month at an American Bar Association event that enacting a new law to amend a 1994 law called the Communications Assistance for Law Enforcement Act is a "top priority" this year. CALEA requires telecommunications providers to build in backdoors for easier surveillance, but does not apply to Internet companies, which are required to provide technical assistance instead.

What's difficult, Weissmann said, "is trying to come up with the fairest and most sort of narrowly tailored means to do this." He added: "We don't want to have a system where you're needlessly imposing burdens on thriving industries or even budding industries... So what the bureau has been spending quite a bit of time on, and certainly has as a top priority this year, is coming up with a proposal with other members of the intelligence community that tries to balance all of that. That does tackle the problem of trying to modernize where we were from 1994, given how much technology has advanced."

'Not designed to be government-proof'
Apple has disclosed little about how iMessage works, but a partial analysis sheds some light on the protocol. Matthew Green, a cryptographer and research professor at Johns Hopkins University, wrote last summer that because iMessage has "lots of moving parts," there are plenty of places where things could go wrong. Green said that Apple "may be able to substantially undercut the security of the protocol" -- by, perhaps, taking advantage of its position during the creation of the secure channel to copy a duplicate set of messages for law enforcement.

Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union, said yesterday that "Apple's service is not designed to be government-proof."

"It's much much more difficult to intercept than a telephone call or a text message" that federal agents are used to, Soghoian says. "The government would need to perform an active man-in-the-middle attack... The real issue is why the phone companies in 2013 are still delivering an unencrypted audio and text service to users. It's disgraceful."

Apple introduced iMessage, which encrypts text conversations, in 2011. That has made the DEA a bit unhappy.
Apple introduced iMessage, which encrypts text conversations, in 2011. That has made the DEA a bit unhappy. CNET/CBS Interactive

The DEA says that "iMessages between two Apple devices are considered encrypted communication and cannot be intercepted, regardless of the cell phone service provider." But, if the messages are exchanged between an Apple device and a non-Apple device, the agency says, they "can sometimes be intercepted, depending on where the intercept is placed."

This isn't the first time that federal agencies have warned of surveillance woes. An FBI staff operations specialist in the bureau's Counterterrorism Division complained in 2010 of difficulties in "obtaining information from Internet service providers and social-networking sites." And a Homeland Security report obtained by the Electronic Frontier Foundation shows that a working group convened by an FBI office in Chantilly, Va. requested details about how "investigations have been negatively impacted" by companies' delays or inability to comply with surveillance requests.

Going Dark has emerged as a significant effort inside the FBI, which employed 107 full-time equivalent people on the project as of 2009, commissioned a RAND study, hired consultants from Booz, Allen and Hamilton, and sought extensive technical input from its secretive Operational Technology Division in Quantico, Va.

"There is a growing and dangerous gap between law enforcement's legal authority to conduct electronic surveillance, and its actual ability to conduct such surveillance," FBI director Mueller told a House of Representatives committee two weeks ago. "We must ensure that the laws by which we operate and which provide protection to individual privacy rights keep pace with new threats and new technology."

As CNET was the first to report in 2003, representatives of the FBI's Electronic Surveillance Technology Section in Chantilly, Va., began quietly lobbying the Federal Communications Commission to force broadband providers to provide more-efficient, standardized surveillance facilities. The FCC approved that requirement a year later, sweeping in Internet phone companies that tie into the existing telecommunications system. The regulations were upheld in 2006 by a federal appeals court.

But the FCC never granted the FBI's request to interpret the law to cover instant messaging and VoIP programs that are not "managed"--meaning peer-to-peer programs like Apple's Facetime and iMessage, Facebook Chat, Gmail's video chat, and Xbox Live's in-game chat that do not use the public telephone network.

If Congress does nothing, law enforcement still has options. Police can obtain a special warrant allowing them to sneak into someone's house or office, install keystroke-logging software, and record passphrases. The DEA adopted this technique in a case where suspects used PGP and the encrypted Web e-mail service Hushmail.com. They can also send a suspect malware , purchase a so-called zero day vulnerability to gain control of a target device and extract the contents, or obtain a warrant to seize the physical device and perform a traditional forensics analysis.

Apple's privacy policy authorizes the company to divulge customers' information about customers to law enforcement when "reasonably necessary or appropriate" or to "comply with legal process."

 

Join the discussion

Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

HOT ON CNET

Find Your Tech Type

Take our tech personality quiz and enter for a chance to win* high-tech specs!