How US law allows the federal government to spy on WhatsApp without needing to say why


In July of last year, the Ohio Drug Enforcement Administration wanted to monitor seven WhatsApp users. To do this, officers asked a judge to approve the use of surveillance tools known as “pen-register and trap and trace” devices. While they wouldn’t get the actual content of the WhatsApp messages, they would get up-to-date information on what numbers these WhatsApp users were sending or calling, when, for how long, and from what IP address. This last part could also provide an approximate geolocation of the user, hence the use of pen registers to both constitute files against suspects by showing, for example, with whom the drug traffickers communicate, and for help track down the fugitives.

But in investigators’ request to install the monitoring device on WhatsApp systems, there was almost no detail as to why the DEA wanted to spy on all these numbers, regardless of where they were based ( four of the seven users had Mexican phone numbers) and for 60 days. That’s because the government doesn’t actually need to give a judge a full explanation to get approval for a pen registry, thanks to a US law that privacy experts say requires a drastic update so federal agencies should provide more details on why they should perform monitoring using the monitoring tool. At a time when there has been growing concern about the surveillance of encrypted apps like WhatsApp, in part thanks to revelations from the Pegasus Project about the global use of uncontrolled spyware through Israeli vendor NSO, pen records represent a Little understood and potentially privacy-threatening surveillance method that the US government frequently uses on Facebook and its hugely popular messaging tool.

In the Ohio Pen Registry application, the government explicitly wrote that it only needed to provide three facts to obtain permission to use a pen registry, none of which provide context on the relevant investigation. They include: the identity of the lawyer or law enforcement officer making the request; the identity of the agency making the request; and an attestation from the applicant that “the information likely to be obtained is relevant to an ongoing criminal investigation carried out by this body”. This explanation, cited verbatim in other pen registry apps in various states reviewed by Forbes, is based on the Pen Register Act under the Electronic Communications Privacy Act of 1986. Under that law, the courts have ruled that the Fourth Amendment, protecting Americans from unreasonable search, does not apply to such surveillance, so investigators need not show “probable cause.”

Critics say the law is inadequate. “If that’s all the government needs to inform the court, then what’s the point in having a legal standard in the first place?” It doesn’t do any work, ”says Jennifer Granick, surveillance and cybersecurity advisor at the American Civil Liberties Union (ACLU). “We knew the certification standard was extremely low, but I thought that at the very least the government was respectful enough to tell the court what was going on so they could ask questions and exert moral pressure. There is only one step between saying that you have nothing to do beyond reciting boilerplate text and actually refusing to do anything other than reciting boilerplate text.

The government sometimes provides more information on why it is going to use a pen registry, but this usually happens when it requests more information from a telecommunications or internet company under different laws. In an investigation in Missouri, where police were looking for a fugitive accused of drug trafficking, the government made use of the monitoring device on a Facebook account of interest, but also asked the social media giant to provide information on the subscribers, such as the user’s name and address. . For the latter, the government had to provide “precise and articulate facts” proving that the requested data were relevant for the investigation, under another part of the law on the protection of electronic communications. Such “hybrid” orders that combine both sections of ECPA’s Pen Register Act and Stored Communications Act were deemed “inherently questionable” last year by the Electronic Frontier Foundation (EFF). “Because they are not explicitly authorized by federal law”.

Regardless of how it applies to use them, the government can put pen traps on almost any technology that transmits some type of message, from mobile phone services to other social media apps like Snapchat and LinkedIn. This includes car Wi-Fi systems. A recent report in Forbes detailed monitoring of a Dodge vehicle with a device that mimics a cell phone tower in order to identify and locate a target of interest. But before that, they put a pen on the car’s internal modem that provides Wi-Fi. After deploying all the spy technology, the suspect was arrested.

Although the ACLU and other privacy-focused nonprofits have, for much of the past two decades, called for laws requiring the government to provide full explanations and the probable cause of the pen registers, there is little sign of a desire for urgent change at Capitol Hill. . But, as the government increasingly uses pen registers to keep track of all kinds of modern technology, ones that did not exist when the 1986 law that determines their use was created, greater oversight of this method heavily used surveillance could be imminent.

This story is part of The Wire IRL column in my newsletter, The Wiretap, where I will provide links to the full search warrants described above. Released every Monday, it’s a mix of real weird crime and real world surveillance, with all the relevant search warrants and court documents you can dig into. There’s also all the cybersecurity and privacy news you need to read. Register now here.


About Author

Leave A Reply