Encryption used in Apple’s iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects’ conversations, an internal government document reveals.
An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, “it is impossible to intercept iMessages between two Apple devices” even with a court order approved by a federal judge.
The DEA’s warning, marked “law enforcement sensitive,” is the most detailed example to date of the technological obstacles — FBI director Robert Mueller has called it the “Going Dark” problem — that police face when attempting to conduct court-authorized surveillance on non-traditional forms of communication.
When Apple’s iMessage was announced in mid-2011, Cupertino said it would use “secure end-to-end encryption.” It quickly became the most popular encrypted chat program in history: Apple CEO Tim Cook said last fall that 300 billion messages have been sent so far. Those messages are transmitted through the Internet rather than as more costly SMS messages carried by wireless providers.
A spokeswoman for the DEA declined to comment on iMessage and encryption. Apple also declined to comment.
The DEA’s “Intelligence Note” says that iMessage came to the attention of the agency’s San Jose, Calif., office as agents were drafting a request for a court order to perform real-time electronic surveillance under Title III of the Federal Wiretap Act. They discovered that records of text messages already obtained from Verizon Wireless were incomplete because the target of the investigation used iMessage: “It became apparent that not all text messages were being captured.”
This echoes what other law enforcement agencies have been telling politicians on Capitol Hill for years. Last May, CNET reported that the FBI has quietly asked Web companies not to oppose a law that would levy new wiretap requirements on social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail. During an appearance two weeks later at a Senate hearing, the FBI’s Mueller confirmed that the bureau is pushing for “some form of legislation.”
Andrew Weissmann, the FBI’s general counsel, said last month at an American Bar Association event that enacting a new law to amend a 1994 law called the Communications Assistance for Law Enforcement Act is a “top priority” this year. CALEA requires telecommunications providers to build in backdoors for easier surveillance, but does not apply to Internet companies, which are required to provide technical assistance instead.
What’s difficult, Weissmann said, “is trying to come up with the fairest and most sort of narrowly tailored means to do this.” He added: “We don’t want to have a system where you’re needlessly imposing burdens on thriving industries or even budding industries… So what the bureau has been spending quite a bit of time on, and certainly has as a top priority this year, is coming up with a proposal with other members of the intelligence community that tries to balance all of that. That does tackle the problem of trying to modernize where we were from 1994, given how much technology has advanced.”
Apple has disclosed little about how iMessage works, but a partial analysis sheds some light on the protocol. Matthew Green, a cryptographer and research professor at Johns Hopkins University, wrote last summer that because iMessage has “lots of moving parts,” there are plenty of places where things could go wrong. Green said that Apple “may be able to substantially undercut the security of the protocol” — by, perhaps, taking advantage of its position during the creation of the secure channel to copy a duplicate set of messages for law enforcement.
Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union, said yesterday that “Apple’s service is not designed to be government-proof.”
“It’s much, much more difficult to intercept than a telephone call or a text message” that federal agents are used to, Soghoian said. “The government would need to perform an active man-in-the-middle attack… The real issue is why the phone companies in 2013 are still delivering an unencrypted audio and text service to users. It’s disgraceful.”