In our digital communication era, instant messaging solutions are the most effective and efficient way individuals can connect with their friends and family, and businesses can connect with customers. People use some popular instant messaging solutions because they offer essential privacy and security features they look for, like end-to-end encryption, ephemeral messages, archived chat, etc. As they are continuously being used for business communications, the relevant companies must monitor and archive work-related communications to avoid various communication compliance risks using these apps.
Even though some of these secure app owners have privacy policies claiming they collect no sensitive user information and communications, when it comes to law enforcement, these secure mobile messaging apps have no escape in providing access to the message content and other required sensitive user details. The FBI training document reveals that the government agencies can obtain access to the encrypted message content and other details from secure messaging solutions like WhatsApp, WeChat, Viber, iMessage, Line, Telegram, Wickr, and Threema.
According to the summaries of information possible to obtain from each app, it is evident that getting sensitive user data from WhatsApp and iMessage applications is much easier than from other popular secure messaging if the law-enforcement agencies have a valid FBI warrant or subpoena. It also implies that the agents can obtain message content from WeCom, a part of China’s WeChat app.
Required disclosure of customer communications or records
As an example, The 18 US Code § 2703, defines the required the disclosure by a provider of electronic communication service upon a request by a governmental entity.
Data exposed by mobile instant messaging vendors
WhatsApp, which Meta Platforms own, is currently one of the most popular instant messaging solutions with 2 billion active users worldwide. The WhatsApp information for law enforcement authorities describes the data they will have to provide upon receiving any request from a law enforcement agency. The policy clearly states that “We disclose account records solely in accordance with our terms of service and applicable law, including the federal Stored Communications Act (“SCA”), 18 U.S.C. Sections 2701-2712. Under U.S. law.” The following is WhatsApp’s information based on the type of order they received from the law enforcement agencies:
- A valid subpoena related to criminal investigation can disclose information like name, service start date, last seen date, IP address, and email address
- A court order can retrieve information like blocked users
- A search warrant can issue ‘about’ information, profile photos, group information, and address book
- For pen registers, WhatsApp can provide information like the source and destination of each message
- If any user uses an iCloud backup enabled iPhone, iCloud retrievals can contain WhatsApp message content
iMessage is the popular instant messaging app created by Apple that also uses a unique end-to-end encryption mechanism that encrypts the messages from the senders’ device, Apple’s servers, and the receiving device. Based on the FBI training document, iMessage even can disclose full iMessage content to authorized government agencies if the iCloud backup is enabled. The iMessage information accessible by the agents include:
- Limited message content
- A valid subpoena can return basic subscriber information
- Under 18 US §2703 (d), iMessage can provide 25 days of iMessage lookups from a target number
- No providence for Pen Registers
- If there is a valid search warrant, iMessage can provide backups of the required device. If the device has enabled iCloud backup, it is possible to provide the encryption key. Also, if the required user has enabled messages in iCloud, the agent gets them from the iCloud returns
Signal is one of the most secure mobile messaging applications that use its own security protocol for private messaging. It secures its messages by encrypting them when sending to other signal users. When compared with information that can be retrieved by government agencies from the other apps, the signal app information they can receive is very limited and includes no message content
The Signal app claims that “(I)t’s impossible to turn over data that we never had access to in the first place. Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for.” Following is the only information the Signal app will provide upon request from a law enforcement agency:
- The registered date and time of the user
- Last service connectivity date of the user
Telegram is another private and secure instant messaging app launched in 2013 with more than 500 million active users per month. Its main security and privacy feature is end-to-end encryption for voice and video calls and voice chats in groups. Other privacy features include secret chats, self-destructing messages, videos, and chat locking. Following is the only information the Telegram app will provide upon request from a law enforcement agency and includes no message content:
WeChat is Chinas’ most popular instant messaging app, which is also subject to the Chinese mass surveillance network. Upon request by the Chinese government, WeChat requires tracking and providing the WeChat communication information. WeCom is another communication app with office automation tools developed by Tencent China. The following describes the information agents can receive from WeChat, but includes no message content or records for accounts created in China:
- Basic information like name, phone number, email, IP address for non-China accounts (The information will be retained as long as the account is active).
Value addition of TeleMessage
When analyzing the types of information warrants and subpoenas can access, WhatsApp, iMessage, WeChat (and WeCom) expose differing and varied amounts of user-sensitive data.
However, when it comes to work-related information, various regulatory bodies, including government organizations, require businesses that use these messaging apps to capture and archive messages and calls for mobile compliance. Therefore, companies need a strong mobile archiving solution to avoid compliance risks while using these secure mobile apps. TeleMessage offers mobile archiving services that can specifically capture each IM’s work-related communications. These allow regulated firms to comply with different governance and compliance requirements.
The WeChat archiver, for example, runs in the background without any user intervention for its operation. If an international client outside China wants to connect to WeChat, TeleMessage provides that facility as it owns a Chinese ICP (Internet Content Provider) license. It can capture voice calls and monitor text messages using the standard WeChat interface and encryption. It also uses a WeChat connector to connect with servers in Tencent and captures the communications directly from those servers in China. Then TeleMessage will upload the captured data to an enterprise archive of the company, and it provides end-to-end encryption from the mobile to the enterprise archive.
The same chats and call recording capability is availiable for WhatsApp as well.
TeleMessage offers employees the freedom to use modern messaging applications on the mobile and desktop. Our mobile archiving products securely record content from mobile carriers and mobile devices, letting companies meet recordkeeping regulations and compliance requirements.
With multiple archiving solutions, you can always find the right tools or blend for your requirements:
- Network Archiver
- Enterprise Number Archiver
- Android Archiver
- WhatsApp Archiver
- WeChat Archiver
- Signal Archiver
- Telegram Archiver
TeleMessage offers cross-carrier and international mobile text & calls capture and archiving for corporate and BYOD phones. Visit our website at www.telemessage.com to learn more about our mobile archiving products.