How American Law Lets Feds Spy On WhatsApp Without Needing To Say Why – Forbes

WhatsApp surveillance orders are being signed off on without the government needing to explain why it wants them.

In July of last year, the Drug Enforcement Administration in Ohio wanted to carry out surveillance on seven WhatsApp users. To do that, agents asked a judge to approve the use of surveillance tools known as pen register and trap and trace devices. While they wouldnt get the actual content of WhatsApp messages, they would get up-to-date information on what numbers those WhatsApp users were either messaging or calling, when, for how long and from what IP address. The latter part could also provide a rough geolocation of the user, hence the use of pen registers to both build up cases against suspects by showing, for instance, with whom drug dealers are communicating, and to assist in tracking down fugitives.

But in the investigators application to have the surveillance device installed on WhatsApp systems, there was almost zero detail on just why the DEA wanted to spy on all those numbers, regardless of where they were based (four of the seven users had Mexican telephone numbers) and for a period of 60 days. Thats because the government doesnt actually need to give a full explanation to a judge to get their approval for a pen register, thanks to a U.S. law that privacy experts say needs a drastic update so that federal agencies have to provide more detail on why they need to carry out surveillance using the surveillance tool. At a time when theres heightened concern about surveillance of encrypted apps like WhatsApp, in part thanks to the Pegasus Project revelations of global unchecked spyware use via Israeli provider NSO, pen registers represent a little-understood, potentially privacy-endangering surveillance method that the U.S. government uses frequently on Facebook and its hugely popular messaging tool.

In the Ohio pen register application, the government wrote explicitly that it only needs to provide three facts to get approval to use a pen register, none of which provide any background on the relevant investigation. They include: the identity of the attorney or the law enforcement officer making the application; the identity of the agency making the application; and a certification from the applicant that the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by that agency. This explanation, cited word-for-word in other pen register applications across various states reviewed by Forbes, is based on the Pen Register Act within the Electronic Communications Privacy Act of 1986. Under that law, courts have held that the Fourth Amendment, protecting Americans from unreasonable searches, does not apply to such surveillance, so theres no need for investigators to show probable cause.

Critics say that the law is inadequate. If that is all the government needs to inform the court, then what is the point of having a statutory standard in the first place? It is doing no work at all, says Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union (ACLU). We knew that the certification standard was abysmally low, but I thought that at the very least the government was respectful enough to tell the court what is going on so that it could ask questions and exercise moral suasion. Its a short step between saying that you dont have to do anything beyond reciting boilerplate text, and actually refusing to do anything other than recite boilerplate text.

The legalese above is the government's explanation of why it doesn't need to give any facts about its investigation when applying for a pen register to carry out surveillance on seven WhatsApp numbers.

The government does sometimes provide more information on why it is going to use a pen register, but that typically happens when they are applying for more information from a telecom or internet company under different laws. In an investigation in Missouri, where police were looking for a fugitive charged with drug dealing, the government had the surveillance device used on a Facebook account of interest, but also asked the social media giant to provide subscriber information, like the users name and address. For the latter, the government had to provide specific and articulable facts that proved the data being requested was relevant to the investigation, under another part of the Electronic Communications Privacy Act. Such hybrid orders that combine both the Pen Register Act and Stored Communications Act sections of the ECPA were last year deemed inherently questionable by the Electronic Frontier Foundation (EFF) because they are not explicitly authorized by federal law.

However it applies to use them, the government can put pen traps on almost any technology that transmits some kind of message, from cellphone services to other social media apps like Snapchat and LinkedIn. That includes car Wi-Fi systems. A recent report in Forbes detailed the surveillance of a Dodge vehicle with a device that imitates a cellphone tower in order to identify and locate a target of interest. But before that, they put a pen register on the cars internal modem that provides the Wi-Fi. After they deployed all the snooping tech, the suspect was arrested.

Though the ACLU and other privacy-focused nonprofits have, for much of the last two decades, called for laws that force the government to provide full explanations and probable cause for pen registers mandatory, theres little sign of any desire for urgent change on Capitol Hill. But, given the government is increasingly using pen registers to track all kinds of modern technologies, ones that didnt exist when the 1986 law that determines their use was created, greater oversight of this much-used surveillance method could be incoming.

This story is part of The Wire IRL feature in my newsletter, The Wiretap, where Ill provide links to the full search warrants described above. Out every Monday, its a mix of strange true crime and real-world surveillance, with all the relevant search warrants and court documents for you to pore over. Theres also all the cybersecurity and privacy news you need to read. Sign up here.

Read more:
How American Law Lets Feds Spy On WhatsApp Without Needing To Say Why - Forbes

Related Posts

Comments are closed.