Vice’s Motherboard is puzzling over a massive leap in the number of Title III wiretap orders served on Facebook during the first half of 2015: A whopping 201 (targeting 259 users) over the course of just six months, according to the social networking giant’s latest transparency report, compared with a mere nine such orders (targeting 16 users) for the whole of 2014. The experts Motherboard interviewed were at a loss to explain the jump, but one quite simple and plausible explanation leaps out at me: WhatsApp, the instant messaging client whose acquisition was finalized by Facebook at the very end of last year — and which law enforcement officials routinely say is favored by bad actors looking to communicate securely.
The key point to understand here is that Title III wiretap orders are pretty much the last resort for law enforcement, which often has a choice of numerous legal tools for accessing digital content. Because wiretaps have long been considered particularly intrusive — often capturing weeks’ or months’ worth of conversations, many with innocent parties — they require what are sometimes dubbed “superwarrants,” with a higher legal standard than ordinary search warrants. To obtain a Title III wiretap order, for instance, applicants must not only demonstrate probable cause, but also “exhaustion” — meaning they have to demonstrate they’ve exhausted the other feasible ways of obtaining the evidence they need before turning to wiretaps.
Getting stored data, by contrast, doesn’t require investigators to jump through any such extra hoops — and so, unsurprisingly, law enforcement rarely goes to the trouble of seeking Title III orders for realtime interception of electronic communications when the very same data can be obtained with a plain vanilla search warrant, or even a mere subpoena. The official numbers reflect this: Just 32 of the 2,433 Title III wiretap orders issued last year were for “electronic” (meaning computer, fax, or pager) communications. That doesn’t mean either cops or criminals are ignoring the Internet, just that the legal tools typically used to obtain digital communications don’t show up in the official numbers — leading to what my friend Chris Soghoian has dubbed the Wiretap Reporting Gap.
Of course, if a particular communications facility doesn’t involve remote storage of (unencrypted or decryptable) communications content, then a Title III order (or, for intelligence cases, a FISA wiretap order) may be the only available option. As WhatsApp’s own FAQ explains, the company does not store user messages on its own servers — which means that the only way to get your hands on those messages is to gain access to the end-user’s device or intercept the messages live on the wire. WhatsApp has also, famously, begun rolling out end-to-end encryption for many of its users, which means even if the company did retain ephemeral copies of the messages, law enforcement might need to employ realtime interception in order to mount a man-in-the-middle attack if it wants to be able to actually read those messages.
One thing that’s clear, however, is that the encryption deployed by WhatsApp to date has not led to law enforcement agencies “going dark”: Lawful intercepts of WhatsApp messages have been specifically cited as key to several arrests in the continuing investigation of the recent terrorist attacks in Paris. Belgian law enforcement officials, according to reports, have been “working with U.S. authorities to monitor suspects’ communications on WhatsApp Inc.’s messaging service.” In this case, the intercepts are more likely to be conducted via FISA authorities than Title III, but with WhatsApp now handling significantly more message volume than traditional SMS, it seems like a safe bet we’ll see that number continue to rise in coming years.