Law Enforcement Wiretaps Stymied by Apple’s iMessage Encryption
The encryption used by Apple’s iMessage service prevents interception by law enforcement even with the means granted by a federal court order, according to an internal U.S. Drug Enforcement Administration (DEA) memo obtained by CNET. Due to Apple’s encryption method, it is “impossible to intercept iMessages between two Apple devices,” the memo states.
Apple boasted about the service’s “secure end-to-end encryption” when it launched in June 2011, and users have flocked to the free service, which requires an Apple iDevice and an iCloud account. Apple CEO Tim Cook told the audience during the iPad mini keynote announcement in October 2012 that over 300 billion iMessages had been sent up to that point.
Unlike traditional text messages, which are transmitted via a carrier’s network control channel, iMessages are encrypted and sent as data over a mobile device’s internet connection, with Apple’s servers coordinating the exchange. As a result, law enforcement’s traditional means of obtaining text messages through court-ordered cooperation with mobile carriers does not apply to iMessages.
According to the DEA memo, the agency’s San Jose office initially became aware of the issue after discovering that the messaging records of a surveilled individual, obtained from Verizon through a court order, were incomplete. iMessage is only enabled when both the sender and receiver are using iDevices with an iCloud account. When an iMessage user sends a message to someone not using the service, the data is transmitted via standard SMS. The DEA therefore discovered that only these traditional SMS exchanges were viewable during the surveillance operation; the suspect’s iMessages were not.
While many citizens applaud what could be considered a victory in the name of individual privacy, law enforcement officials view the situation as a serious impairment to their ability to combat criminal activity. In response, agencies such as the FBI have begun to push Congress for new laws to address the challenges posed by internet-based communications.
At the center of law enforcement’s efforts is the Communications Assistance for Law Enforcement Act (CALEA). Passed in 1994, CALEA requires telecommunications companies to provide “backdoors” to their networks so that law enforcement agencies can easily gain access to a suspect’s communications. While quite effective for land- and cellular-based phone surveillance, the Act’s backdoor requirement does not apply to firms that develop or deploy Internet-based communication technologies, such as VoIP, e-mail, and instant messaging.
Amending or replacing CALEA has therefore become a top priority for law enforcement, but challenges by privacy advocates and businesses have made it difficult for the movement to gain traction, despite a growing urgency conveyed by key officials. FBI Director Robert Mueller told a House committee last month:
There is a growing and dangerous gap between law enforcement’s legal authority to conduct electronic surveillance, and its actual ability to conduct such surveillance. We must ensure that the laws by which we operate and which provide protection to individual privacy rights keep pace with new threats and new technology.
As CNET points out, law enforcement agencies still have options in the event that Congress fails to amend CALEA. With judicial authorization, law enforcement officers can secretly gain access to a suspect’s home or office and install keystroke logging software to capture messages and passwords. They are also allowed to send the suspect malware that can either gain control of a suspect’s device or quietly monitor the device’s activities. These methods are significantly riskier, more time-consuming, and potentially dangerous, however, which is why challenges to CALEA will likely make headlines in the coming months.