Does Anyone in Trumpland Understand Encryption?

The FBI has been warning that the growing use of end-to-end encryption applications will make it increasingly difficult for agents to use online communications to catch criminals.

But they can take heart from recent cases involving associates of President Donald Trump who used encryption and still got nabbed. Paul Manafort and Michael Cohen probably thought they were being really careful when they sent what they believed would be secret messages, but it appears they didn't do their homework about the limitations of the apps.

As court papers reveal, their shoddy digital opsec helped convert them into future guests of the Federal Bureau of Prisons.

The problem isn't that the apps themselves are failing; they've worked as designed.

In fact, many encrypted apps are very good at rendering messages unreadable to those who might try to eavesdrop on them as they move across the wire.

"In terms of trying to protect the contents of your message, certainly using an encrypted messaging app is better than not using an encrypted messaging app," said Daniel Kahn Gillmor, a staff technologist for the ACLU.

But it seems like key people in Trump's orbit didn't realize that it can take more than protecting the contents of your messages in transit to keep you out of jail.

Take Michael Cohen. Trump's former personal attorney and fixer pleaded guilty to cheating on his taxes, bank fraud, and illegal campaign contributions to Trump in the form of hush-money payments to his alleged mistresses.

Cohen may have thought he was protecting himself by texting about his crimes over an encrypted messaging app. But prosecutors say they got their hands on over 700 pages of messages sent over encrypted applications. They also had records of a call he made using an encrypted telephone application to discuss the payoffs with National Enquirer boss David Pecker.

It's unclear what app Cohen used, but he could have mitigated some of his risk by using one that offers disappearing messages, like Signal. Even if Pecker flipped on Cohen, the feds would have lost important corroborating messages. Even in cases where the FBI is able to defeat the encryption that locks unauthorized users out of secure devices such as iPhones, disappearing messages usually protect the phone owner's privacy.

Theoretically, it's possible that under very limited circumstances the feds could access disappeared Signal messages from an unlocked phone, according to Gillmor.

"There is a risk that a very clever extraction that pulls both the file system key out of the operating system and pulls the underlying bits off the device," he said.

But that's not something authorities can count on. "That's a big crap-shoot, that's a big gamble," Gillmor added. "Depending on how frequently your disk fills up, those blocks could've been overwritten."

It's not like those in Trumpland were unaware of Signal. Campaign emails released under the Freedom of Information Act show Trump transition aides briefly discussed whether to get former National Security Adviser Michael Flynn signed up for secure communications technology like Signal just days before his fateful conversation with former Russian Ambassador Sergey Kislyak. The emails don't say whether Flynn ever got on board with the app or whether the feds obtained encrypted messages or calls, but he did plead guilty to lying to the FBI about his conversation with Kislyak.

The settings on encrypted messaging apps can also undermine security.

That was Manafort's problem. While he was out on bail, the former Trump campaign chairman used the encrypted WhatsApp to text and call two witnesses as part of what prosecutors claimed was an effort to secure materially false testimony about his lobbying activities for the former government in Ukraine.

Those witnesses dimed him out to special counsel Robert Mueller's office, and the FBI had records of his texts to back up their claims, thanks to his choice of settings. As WhatsApp's website notes, messages aren't protected by WhatsApp end-to-end encryption when backed up to cloud services. Manafort's backed-up texts were then easy pickings for the FBI. "The government confirmed that these messages were sent by Manafort, upon review of Manafort's iCloud account pursuant to a court-authorized search," an FBI agent wrote in an affidavit about the messages.

And then there's Person A, widely believed to be former Manafort pal Konstantin Kilimnik, who is described in a sentencing memorandum for lawyer Alex van der Zwaan as a Ukrainian business associate of Manafort with ties to a Russian intelligence service. Van der Zwaan, who worked with Gates and Manafort, got an email from Person A on his work account instructing him to chat by either WhatsApp or Telegram. He later admitted he lied about the email and his work with the Ukrainian government to the FBI and got a 30-day prison sentence.

Both Telegram and WhatsApp collect metadata on their users: details about when messages were sent and to which accounts. Prosecutors could have subpoenaed that data to discover that van der Zwaan was talking to someone with Russian intelligence links in the months before the 2016 election.

Asked to evaluate the Trump associates' overall command of communications security, Nate Cardozo, a senior staff attorney at the Electronic Frontier Foundation (EFF), didn't come down too hard. "I hate to shit on them because everybody's opsec is terrible," he said.

And therein lies an important lesson.

Encrypted apps have made the average text messager more secure against the kind of dragnet interception practiced by the NSA. But relying on them in the face of an adversary like Mueller requires a bit more than clicking download and hoping for the best. Just ask Paul Manafort and Michael Cohen.

Correction: An earlier version of this story incorrectly stated that WhatsApp backs up messages to cloud services such as iCloud and Google Drive by default. We regret the error.

Read more: https://www.thedailybeast.com/cohen-and-manafort-should-have-done-their-homework-on-encryption-apps