An official FBI document dated January 2021, obtained by the American association “Property of People” through the Freedom of Information Act.

This document summarizes the possibilities for legal access to data from nine instant messaging services: iMessage, Line, Signal, Telegram, Threema, Viber, WeChat, WhatsApp and Wickr. For each software, different judicial methods are explored, such as subpoena, search warrant, active collection of communications metadata (“Pen Register”) or connection data retention law (“18 USC§2703”). Here, in essence, is the information the FBI says it can retrieve:

  • Apple iMessage: basic subscriber data; in the case of an iPhone user, investigators may be able to get their hands on message content if the user uses iCloud to synchronize iMessage messages or to back up data on their phone.

  • Line: account data (image, username, e-mail address, phone number, Line ID, creation date, usage data, etc.); if the user has not activated end-to-end encryption, investigators can retrieve the texts of exchanges over a seven-day period, but not other data (audio, video, images, location).

  • Signal: date and time of account creation and date of last connection.

  • Telegram: IP address and phone number for investigations into confirmed terrorists, otherwise nothing.

  • Threema: cryptographic fingerprint of phone number and e-mail address, push service tokens if used, public key, account creation date, last connection date.

  • Viber: account data and IP address used to create the account; investigators can also access message history (date, time, source, destination).

  • WeChat: basic data such as name, phone number, e-mail and IP address, but only for non-Chinese users.

  • WhatsApp: the targeted person’s basic data, address book and contacts who have the targeted person in their address book; it is possible to collect message metadata in real time (“Pen Register”); message content can be retrieved via iCloud backups.

  • Wickr: Date and time of account creation, types of terminal on which the application is installed, date of last connection, number of messages exchanged, external identifiers associated with the account (e-mail addresses, telephone numbers), avatar image, data linked to adding or deleting.

TL;DR Signal is the messaging system that provides the least information to investigators.

  • catastrophicblues@lemmy.caEnglish
    5·
    1 year ago

    It seems like Signal, Telegram, and Threema are the best for now. Signal provides the least information, but for the majority of people, the stuff from Telegram are things the government already know, and I’m not sure how useful the Threema information is.

    • exu@feditown.comEnglish
      3·
      1 year ago

      I read it as Threema being about as secure as Signal if you don’t give them your phone number & email and use the Libre version without Google push notifications.

  • !ozoned@lemmy.world@beehaw.orgEnglish
    22·
    1 year ago

    No mention of Matrix. Wonder if it’s not on their radar, or they have nothing, or just wasn’t important to put it on there?

    • jackattackson@lemm.eeEnglish
      10·
      1 year ago

      I’m wondering the same thing.

      I am a long time signal user but I just started using Matrix yesterday and now I’m very curious about whether Signal or Matrix is better somehow in terms of security/privacy.

      • !ozoned@lemmy.world@beehaw.orgEnglish
        22·
        1 year ago

        I stopped using Signal after they said no alternate clients, then got into crypto, then introduce a proprietary shim to their stack.

        I plan on someday actually running my own Matrix server for myself and family, right now I’m on Matrix.org though. At this point I don’t know how folks recommend Signal over Matrix. There are a lot of clients, so maybe the choice of clients is too confusing? IDK.

        But anyone saying Matrix isn’t easy enough for non-tech folks to understand, my sister, niece, even wife set up Element themselves on their phones without issue. My father and step-mother both use Element with us. I configured it but they know how to message and do video chat and things.

        • dismalnow@kbin.social
          3·
          1 year ago

          ̷W̷̶̷h̷̶̷i̷̶̷l̷̶̷e̷̶̷ ̷̶̷F̷̶̷r̷̶̷a̷̶̷n̷̶̷c̷̶̷e̷̶̷ ̷̶̷i̷̶̷s̷̶̷n̷̶̷’̷̶̷t̷̶̷ ̷̶̷a̷̶̷ ̷̶̷p̷̶̷a̷̶̷r̷̶̷t̷̶̷ ̷̶̷o̷̶̷f̷̶̷ ̷̶̷F̷̶̷V̷̶̷E̷̶̷Y̷̶̷ ̷̶̷"̷̶̷t̷̶̷h̷̶̷e̷̶̷ ̷̶̷f̷̶̷i̷̶̷v̷̶̷e̷̶̷ ̷̶̷e̷̶̷y̷̶̷e̷̶̷s̷̶̷ ̷̶̷a̷̶̷l̷̶̷l̷̶̷i̷̶̷a̷̶̷n̷̶̷c̷̶̷e̷̶̷"̷̶̷,̷̶̷ ̷̶̷i̷̶̷t̷̶̷ ̷̶̷i̷̶̷s̷̶̷ ̷̶̷e̷̶̷x̷̶̷t̷̶̷r̷̶̷e̷̶̷m̷̶̷e̷̶̷l̷̶̷y̷̶̷ ̷̶̷l̷̶̷i̷̶̷k̷̶̷e̷̶̷l̷̶̷y̷̶̷ ̷̶̷t̷̶̷h̷̶̷a̷̶̷t̷̶̷ ̷̶̷i̷̶̷t̷̶̷ ̷̶̷i̷̶̷s̷̶̷ ̷̶̷c̷̶̷o̷̶̷m̷̶̷p̷̶̷r̷̶̷o̷̶̷m̷̶̷i̷̶̷s̷̶̷e̷̶̷d̷̶̷ ̷̶̷b̷̶̷e̷̶̷c̷̶̷a̷̶̷u̷̶̷s̷̶̷e̷̶̷ ̷̶̷M̷̶̷a̷̶̷t̷̶̷r̷̶̷i̷̶̷x̷̶̷ ̷̶̷w̷̶̷a̷̶̷s̷̶̷ ̷̶̷c̷̶̷r̷̶̷e̷̶̷a̷̶̷t̷̶̷e̷̶̷d̷̶̷ ̷̶̷b̷̶̷y̷̶̷ ̷̶̷t̷̶̷h̷̶̷e̷̶̷ ̷̶̷F̷̶̷r̷̶̷e̷̶̷n̷̶̷c̷̶̷h̷̶̷ ̷̶̷g̷̶̷o̷̶̷v̷̶̷e̷̶̷r̷̶̷n̷̶̷m̷̶̷e̷̶̷n̷̶̷t̷̶̷ ̷̶̷i̷̶̷n̷̶̷ ̷̶̷2̷̶̷0̷̶̷1̷̶̷8̷̶̷.̷̶̷ ̷̶̷ ̷̶̷

          Keep in mind that op’s foia request is from 2021.

          Edit - I’m misremembering. Disregard.

          https://en.wikipedia.org/wiki/Matrix_(protocol)

          The initial project was created inside Amdocs, while building a chat tool called “Amdocs Unified Communications”,[4] by Matthew Hodgson and Amandine Le Pape [fr]. Amdocs then funded most of the development work from 2014 to October 2017.[5] Matrix was the winner of the Innovation award at WebRTC 2014 Conference & Expo,[6] and of the “Best in Show” award at WebRTC World in 2015.[7]

          • space@beehaw.org
            15·
            1 year ago

            Fact check: the French govt did not create Matrix.

            Matrix is an open protocol created in 2014, for an Israel-based private company.

            In 2018 the french govt decided to use a verson of that protocol in their own chatting network.

            • dismalnow@kbin.social
              1·
              1 year ago

              Thanks, and apologies. I’ve edited out my idiocy. Misremembered, and was thinking of something else.

        • jackattackson@lemm.eeEnglish
          7·
          1 year ago

          Thanks for sharing! I really want to get my family on Matrix now.

          We have not been able to find a solid chat/video call app that the entire family (various ages and tech aptitude) can effectively use. We’ve been bouncing around to various apps since COVID lockdowns started. We had been using Slack for a while but the video calling in Slack is unusable now.

      • Em Adespoton@lemmy.caEnglish
        1·
        1 year ago

        Well, there are a few leakage issues with Matrix, but there’s also the benefit that you can stand up your own server or use one based in a country you’re comfortable having access to your basic connection data.

        So unlike Signal where the hashes are all stored in one place, with Matrix no single government has control over the entire network.

    • worfamerryman@beehaw.orgEnglish
      1·
      1 year ago

      I think it is because it is a bit nuanced. I used to host a matrix server and if the FBI was like hey, give us the data to something.

      I’d just give them anything they wanted. I did not allow signups, I only gave access to one friend and only had it setup as a learning project.

      I’m sure my friend wouldn’t do anything shady on it, I’ve been close friends with him for about 30 years. But I’m not going to fight the fbi on their behalf. Plus, if they were using the server for something that the fbi needed to get involved with, I’d be pissed they used my server to do it.

      tl:dr anyone can host a matrix instance and each host could have different levels of access.

      • 676@lemmy.caEnglish
        2·
        1 year ago

        The server shouldnt be seeing anything of value if you’re end to end encrypted

        • worfamerryman@beehaw.orgEnglish
          1·
          1 year ago

          That is what I imagine as well. Either way, if they want files to try and decrypt then they can have them.

    • Sl00k@programming.devEnglish
      4·
      1 year ago

      Also important to note it’s been well known the CIA uses Matrix internally for communications. If they’re using it for communication it’s probably pretty sturdy.

    • worfamerryman@beehaw.orgEnglish
      6·
      1 year ago

      I think it is because it is a bit nuanced. I used to host a matrix server and if the FBI was like hey, give us the data to something.

      I’d just give them anything they wanted. I did not allow signups, I only gave access to one friend and only had it setup as a learning project.

      I’m sure my friend wouldn’t do anything shady on it, I’ve been close friends with him for about 30 years. But I’m not going to fight the fbi on their behalf. Plus, if they were using the server for something that the fbi needed to get involved with, I’d be pissed they used my server to do it.

      tl:dr anyone can host a matrix instance and each host could have different levels of access.

  • Schedar@beehaw.orgEnglish
    10·
    1 year ago

    Wonder what a difference it now makes with the iCloud “advanced Data protection” that provides end to end encryption for iCloud backups etc. in theory that should block the iCloud backup route.

    • aroom@kbin.social
      2·
      1 year ago

      I guess if you enable it on your device you are safe, but if your content is on another device that doesn’t enable it (it’s an opt in option), your content will be available.

      • codus@leby.devEnglish
        3·
        1 year ago

        Advanced data protection is across your entire account, not per device. According to Apple’s documentation they rotate the keys locally on your devices and then delete them from their services so they no longer have a key to give.

  • ThiccBathtub@reddthat.comEnglish
    1·
    1 year ago

    What about if Apples **‘Advanced Data Protection’ ** which I’m not sure if it is only enabled with iCloud+ subscriptions. Where Apple claims that ‘Advanced Data Protection uses end to end encryption to ensure that data types listed here can only be decrypted on your trusted devices, protecting your information even in the case of a data breach in the cloud’ this list includes VERY sensitive things such as FULL device backups, FULL Message Backups (iMessage & SMS etc), iCloud Drive and a whole lot more. Mainly because Apple literally says on their settings page to turn this on ‘Because Apple will NOT have the keys required to recover your data, you will be guided through verification of your recovery methods in case you ever lose access to your account.’

    Can someone verify whether using this would mitigate attempts at retrieval of the data and would require a very lengthy brute-force instead of just HANDING OVER the decryption keys.

    Thank you OP for continuing bringing this to people’s attention.

  • flashgnash@lemm.eeEnglish
    15·
    1 year ago

    This makes me suspicious though, surely if they’ve declassified this that means they want people to see it, so isn’t there a very real chance it’s intentionally misleading?

    • bbbhltz@beehaw.orgOPEnglish
      20·
      1 year ago

      I think that today, in 2023, some of the information here is outdated. We know that different messages can be intercepted and decrypted. It is labelled as unclassified, which I think might be different from declassified?

      • SenorBolsa@beehaw.orgEnglish
        17·
        1 year ago

        Correct it’s labeled as unclassed sensitive info for law enforcement. That just means “don’t share this shit on facebook if you want to keep your job”

    • pixelpop3@programming.devEnglish
      2·
      1 year ago

      Basically it’s what they have decided to disclose to law enforcement. So at best it tells you the baseline capabilities of law enforcement.

  • TemporaryBoyfriend@lemmy.caEnglish
    4·
    1 year ago

    And FYI, the info about Signal was confirmed as they received a subpoena a couple years back, and their response was part of the public court records.

    • ehrenschwan@feddit.deEnglish
      1·
      1 year ago

      Yeah, Signals response pointing to how their service works and than all the data consisting of only these two things war hilarious.

  • Dalë@lemmy.fmhy.mlEnglish
    8·
    1 year ago

    Whilst enlightening, it’s kinda also useless. Let’s be honest the majority of endusers use a particular app, in the main, because its most likely what everyone else in their friend group uses.

    In my case WhatsApp, I’d struggle to get all my friends and family to change at this point.

    • ForestOrca@kbin.social
      4·
      1 year ago

      In my case, I was running phone apps on an iPod Touch, and it couldn’t run WhatsApp. So I convinced a core group of friends to get on Signal back Snowden rec’d it. And the way networks operate, it spread out from there.

      • sibloure@beehaw.org
        1·
        1 year ago

        I feel very lucky and still somewhat skeptical that I was able to get friends and family onboard with Signal. Then I remember (1) most people don’t think twice about installing random apps and (2) most people are best suited for an easy onboarding experience like Signal offers.

    • MrMonkey@lemm.eeEnglish
      2·
      1 year ago

      I just do it the easy way: I’m using Signal. If you want to text me or receives texts from me then use it.

      Now it’s not just my friends but my neighbors now. SMS is straight garbage, I won’t use it.

    • Airgoof@vlemmy.netEnglish
      6·
      1 year ago

      Took me a moment, but I converted most close contacts to Telegram. Not Meta-infested and solid apps including desktop.

      It gets easier the more you already have.

      • Stumblinbear@pawb.socialEnglish
        1·
        1 year ago

        Did this as well. I got my mom over early, but my dad being kicked of Facebook (don’t ask, but you can probably guess) was what finally got everyone to move over in one fell swoop. Pretty much my whole family is, now

    • 🇺🇦 Max UL@lemmy.proEnglish
      3·
      1 year ago

      You don’t “have to” use apps that compromise your security. If you really want to switch to better practices you can and can still thrive. I got and persuaded my whole company and friend groups off of bad apps. It’s possible.