The DEA, iMessage, and the Broader Significance

It’s been widely reported that the DEA San Jose office is unable to conduct surveillance of Apple iMessages. The note is revealing in its very phrasing; the author(s) state that:

While it is impossible to intercept iMessages between two Apple devices, iMessages between an Apple device and a non-Apple device are transmitted as Short Message Service (SMS) messages and can sometimes be intercepted, depending on where the intercept is placed. The outcome seems to be more successful if the intercept is placed on the non-Apple device. (emphasis added)

Note that despite the ‘encryption’ the agent(s) recognize that they can sometimes intercept messages. Importantly they are ‘more successful’ when the intercept is on the non-Apple device. Their phrasing suggests one of the following:

  1. Authorities are occasionally able to intercept messages between Apple devices; or
  2. Authorities are occasionally able to intercept messages that are inbound to an Apple device that are sent from a non-Apple device.

Either situation is interesting, insofar as the former raises questions of the efficacy of Apple’s encryption process and the latter questions about where a tap is placed pre-encryption in the Apple network.

More broadly, however, the challenge facing the DEA is one that is already encountered by investigators around the world. In fact, the DEA is in a pretty envious position: most of the major ‘messaging’ companies have some degree of corporate presence in the US and can thus be easily served with a wiretap order. Sure, a host of orders might need to be issued (one to Apple, one to Facebook, one to Google, etc etc) but this is a possible course of action.

Officers outside of the US that want similar access to messages that flow outside of SMS channels experience a different reality. They tend to need a MLAT or other cross-national warrant might be needed. Such warrants are incredibly time consuming and, as a result, resource intensive. These kinds of pressures are, in part, responsible for the uptick in discussions around state agents serving malware to mobile and fixed computing systems: it just isn’t practical to ‘wiretap’ many of these communications anymore, on the basis that the companies running the services are beyond the authorities’ jurisdictions.

So, while encryption is (fortunately) becoming more and more common, this isn’t necessarily the ‘solution’ to third-parties intercepting communications. Indeed, all it means is that attackers (in this case, the state) are targeting the far softer domains of the communications infrastructure: everything around the encryption layer itself.