Facebook Reportedly Defeats Government Demand to Wiretap Messenger CallsSep 29, 2018
Reuters reported that a federal judge in Fresno, California sided with Facebook, though the proceedings are still sealed and the reasoning behind the ruling remains unclear. However, the news agency added that telecommunications law requires telcos and phone companies give access to phone lines to authorities with a warrant but exempts "many apps that rely solely on internet infrastructure" like Messenger, which runs over cellular data connections or wi-fi.
Members of a joint federal and state task force probing the international criminal gang MS-13 had tried in August to hold Facebook in contempt of court for failing to carry out a wiretap order, Reuters reported last month.
Arguments were heard in a sealed proceeding in a U.S. District Court in Fresno, California weeks before 16 suspected gang members were indicted there, but the judge ruled in Facebook's favor, the sources said.
The details of his reasoning were not available... An affidavit by an FBI agent filed publicly in the Fresno criminal proceedings said that at the time of the arrests, law enforcement could not monitor any Messenger calls.
According to Reuters, the government was nonetheless able to intercept "all ordinary phone calls and Messenger texts between the accused gang members."
Many details about what exactly the government was seeking are unclear. As the Verge noted, regular conversations in Messenger including realtime voice calls are not protected by end-to-end encryption, a security feature that ensures only the devices sending or receiving the data can decode it. (One reason for this is that Facebook scans messages for advertising purposes.) However, there is a Secret Conversations feature that enables end-to-end encryption for messages as well as photos, videos, and audio files, though not actual calls. There had been speculation that this is what authorities wanted to gain access to, though in a public affidavit submitted on August 30th, 2018, an FBI agent wrote that they were seeking access to Voice over Internet Protocol (VoIP) calls, referring to the realtime calls.
Reuters previously reported that Facebook's position is that it would have to either rewrite its encryption code to install a surveillance backdoor--something that would threaten the security of the whole platform at a time when Facebook is already experiencing numerous privacy crises--or "or else [hack] the government's current target, according to... sources." While some previous rulings have forced telecoms to allow wiretapping of some VoIP systems, those "chat, gaming, or other internet services that are not tightly integrated with existing phone infrastructure" are generally exempted, Reuters added.
Since Facebook's VoIP calls do not feature true end-to-end encryption such as other services like WhatsApp, they would be easier to tap and thus harder to protect in court. So it seems like the company dodged a real bullet. As the Verge wrote last month, researcher Philipp Hancke discovered in 2015 that the session keys used to encrypt the calls are shared with Facebook servers in a process called SDES, meaning they could "be used to retroactively decrypt traffic."
However, Hancke told the Verge it is possible Facebook takes steps to "protect that data on top of the protocol, whether it's refusing to log the keys or encrypting the entire handshake." Facebook may have also updated their security in the intervening years, the Verge wrote:
"They will be able to do a much more plausible denial if they have removed the old SDES stuff altogether," Hancke says. "If they have not, they might argue that they do not log the keying material as it passes through their servers."
Neither Facebook nor the government will talk to media about the case, Reuters wrote:
Neither prosecutors nor Facebook would answer questions about the Fresno U.S. Attorney's office attempt to hold Facebook in contempt or about the underlying wiretap request, including why the matter was dismissed.
That the battle involves MS-13 is notable, because just like with Apple's legal battles with the FBI over iPhone encryption in the wake of the San Bernardino mass shooting in 2015, the government picked an ideal villain to test the limits of their surveillance options. Donald Trump and his administration have denounced the gang as "violent animals," which the Washington Post fairly characterized as a pretext to pretend "there is some subset of a massive population of people who are so depraved and dangerous as to be animals necessitating a massive and occasionally violent response." In other words, it looks an awful lot like authorities chose the least sympathetic defendants possible to expand their surveillance envelope in ways that have ramifications for countless millions of Facebook users.
More details on what is going on should be available down the road, though for now it looks like the feds have again failed to coerce a company into compromising its security. Not that Facebook needs any help with that: The company disclosed this week that a massive security breach may have given hackers access tokens to tens of millions of accounts in what might prove to be the biggest security failure in its history.