Subpoena to Encrypted App Provider Highlights Overbroad FBI Requests for Information

A recently revealed grand jury subpoena shows that the FBI is likely continuing to ask companies for more information than the law allows, according to technology and privacy attorneys.

A recently revealed grand jury subpoena shows that the FBI is likely continuing to ask companies for more information than the law allows, according to technology and privacy attorneys interviewed by The Intercept.

Earlier this year, the FBI served Open Whisper Systems, the creator of Signal, a popular end-to-end encrypted messaging application, with its first criminal grand jury subpoena. On Tuesday, Open Whisper Systems and its lawyers at the American Civil Liberties Union successfully challenged a gag order forbidding the company from speaking about that request.

The published documents show that the FBI requested “any and all subscriber information and any associated accounts to include subscriber name, address, telephone numbers, email addresses, method of payment, IP registration, IP history logs and addresses, account history, toll records, upstream and downstream providers, any associated accounts acquired through cookie data, and any other contact information from inception to the present” for two phone numbers.

Open Whisper Systems argues that the government is not entitled to that breadth of information with just a subpoena. “The government is asking for information like communications metadata, cookie data, upstream and downstream providers, and perhaps even contact lists, but it is far from settled that the government is entitled to that type of information through a subpoena,” wrote Brett Max Kaufman, a staff attorney with the ACLU who is involved with the case, in an email to The Intercept.

The actual content of emails and text messages — what you and friends, family, and associates write — is usually protected by the highest standard in both the national security and criminal context: a search warrant signed by a judge. However, there are typically fewer logistical hoops to jump through if the information is regarded as less sensitive or revealing.

For example, metadata — information about who people are communicating with, when, and how often — has a lower legal threshold, and can usually be obtained with a subpoena. Most jurisdictions don’t require a judge or magistrate to review and sign off on a subpoena in a criminal or civil case.

With a subpoena, law enforcement can get most basic customer records: name, address, telephone connection records, length of service, subscriber identity or IP address, and the means of payment for the account.

Government watchdogs have criticized the FBI for making over-broad subpoenas in the national security sphere in the past, without approaching the Foreign Intelligence Surveillance Court; the issue has been subject to less debate when it comes to criminal cases, such as this one.

The information the FBI is requesting from Open Whisper Systems is “arguably available with a subpoena,” Nate Cardozo, senior staff attorney at the Electronic Frontier Foundation, wrote in a Twitter message, but “overproduction is FBI’s goal.”

Overproduction occurs when a company or other target of a subpoena supplies more information than is asked for — either in range or in type.

Facebook, like Open Whisper Systems, requires a court order for more revealing metadata like “message headers and IP addresses,” according to its public law enforcement guidelines. Apple tells The Intercept it requires the same standard.

When the Electronic Communications Privacy Act was enacted in 1986, Congress authorized law enforcement to get historical phone records from companies with just a subpoena — determining that this type of information was less sensitive — but not email metadata. For that, they’d need a higher-level court order.

For applications like Signal — which facilitates calls and text messages over the internet between users of the app — it’s unclear whether they fall under the protections for email or for phone calls.

This is an issue the ACLU’s principal technologist, Chris Soghoian, wrote about in 2013, suggesting U.S. surveillance law “may poorly protect new text message services,” like Apple’s iMessage, WhatsApp, Google Voice, Signal, and others, because the law didn’t anticipate the overlap between phone calls and online communications.

According to Al Gidari, the director of privacy at Stanford University’s Center for Internet and Society and a former attorney for many of the major technology companies, requests for transactional data for an application like Signal should probably require a court order, known as a 2703(d) order, rather than a subpoena.

“I would say that upstream and downstream providers as listed in the Signal subpoena is outside the scope” of what FBI can ask for, he wrote in an email. He compared this information to “email header information.”

Gidari says that the way the FBI wrote the request, asking for things like upstream and downstream providers, suggests it understands the meaningful difference between Internet communications and phone calls. “I get that they don’t like the limitation, but Congress chose a long time ago to treat internet communications metadata differently than phone call metadata,” he wrote.

It’s not the first time the FBI has been accused of overreach with providers.

The FBI has an established history during national security investigations of demanding from tech companies more information about their customers than they were legally obliged to turn over. For many years, FBI issued requests asking for “electronic communication transactional records” — email metadata, browser history, and more. The FBI requested this data using national security letters, secret administrative subpoenas that don’t require a court order, and almost always come attached with lengthy gag orders.

The bureau has issued an overbroad request as recently as 2013, as revealed by a national security letter published by Yahoo. But there’s also evidence that companies like Yahoo, and other tech giants like Facebook, have fought back against these requests. It’s rare to see a published national security letter, though there are tens of thousands issued every year — and the Department of Justice is meant to review them for release when the investigation ends, or three years after the letter is issued.

A legal opinion issued by the Department of Justice’s Office of Legal Counsel back in 2008 said companies only had to provide the most basic subscriber records — though the bureau has continued to insist that it disagrees with that interpretation.

However, in the case of companies like Signal receiving grand jury subpoenas in the criminal courts rather than national security letters, there is no Office of Legal Counsel opinion advising companies on what exactly they need to provide. Some companies, like Open Whisper Systems, interpret the clause narrowly — but it’s not clear whether others, faced with pressure during an investigation, do the same.

In this case, Open Whisper Systems barely had any subscriber data to give to the FBI. They responded with two pieces of information for one of the phone numbers: the time that the Signal account was created and the most recent date that the user connected to the Signal server. The other phone number did not have a Signal account associated with it.

Other messaging services routinely store more information about their users, including the IP addresses they use to connect to the service, their contact lists, who they sent messages to and when, and often the content of the messages themselves. When those services receive similar government requests, they could be legally compelled to turn over that information. Open Whisper Systems designed Signal to log only the bare minimum information necessary to operate their service, specifically to avoid being put in that position.

In June, The Intercept compared the encrypted message apps Signal, WhatsApp, and Allo. While other apps had more users, more funding, and more useful features, Signal was better from a privacy perspective because of its policy of not logging any metadata or content associated with conversations, and also because it uses end-to-end encryption by default.

Either way, companies would need to spend substantial money and time on legal resources to fight the requests if they feel they are too expansive — something not all companies can afford. “The government’s overbroad request in [Signal’s case] parallels its approach in national security cases: ask for the moon, and hope companies are too intimidated or unsophisticated to push back,” Kaufman wrote.

“We hope this case serves as an example to other providers who receive such requests and lack the resources to fully understand their rights and the government’s authorities.”

Correction, Sept. 10: The original version of this story misstated the role of Brett Max Kaufman.
