Going Dark and Covert Messaging Apps
Nov. 3, 2015
ENFORCEMENT SENSITIVE
FIELD ANALYSIS REPORT
Regional Analysis with National Perspective.
29 September 2015
Going Dark Covert Messaging Applications and Law
Enforcement Implications
Prepared by the Wisconsin Statewide Information Center (WSIC) with a contribution from the DHS Office of
Intelligence and Analysis
Scope: This Field Analysis Report explains covert messaging technology and its increasing use by
both malicious actors and mainstream consumers. We are providing this analysis to inform local, state, and
federal entities of potential adversary communication techniques that impact law enforcement and national
security interests.
(U) Summary
• Consumer demand has led to the rapid proliferation of covert messaging software
applications, or apps.
• Covert messaging software can encompass off-network messaging and/or secure
messaging.
• (U) Law enforcement access to data communicated over these platforms is increasingly
problematic.
• Foreign terrorist organizations, homegrown violent extremists (HVEs), domestic
terrorist and criminal organizations are integrating this technology into their
• Understanding covert messaging apps is crucial for law enforcement investigators.
DHS defines an HVE as a person of any citizenship who has lived and/or operated primarily in the United States
or its territories who advocates, is engaged in, or is preparing to engage in ideologically motivated terrorist activities (including
providing support to terrorism) in the furtherance of political or social objectives promoted by a foreign terrorist organization,
but is acting independently of direction by a foreign terrorist organization. HVEs are distinct from traditional domestic
terrorists who engage in unlawful acts of violence or to intimidate civilian populations or attempt to influence domestic policy
without direction from or influence from a foreign actor.
DHS defines domestic terrorism as any kind of act of unlawful violence that is dangerous to human life or
potentially destructive of critical infrastructure or key resources committed by a group or individual based and operating
entirely within the United States or its territories without direction or inspiration from a foreign terrorist group. This act is a
violation of the criminal laws of the United States or of any state or other subdivision of the United States and appears to be
intended to intimidate or coercion, or to affect the conduct of a government by mass destruction, assassination, or
kidnapping. A domestic terrorist differs from an HVE in that the former is not inspired by and does not take direction from a
foreign terrorist group or foreign power.
?0287-15 ENFORCEMENT SENSITIVE
UNCLASSIFIED//LAW ENFORCEMENT SENSITIVE
(U//FOUO) “Going Dark” – The Rise of Covert Communications Platforms
(U) In October 2014, FBI Director James B. ComeyUSPER discussed the current state of law
enforcement abilities to leverage communication technology in front of an audience at the Brookings
Institution. Director Comey stated:
(U) Unfortunately, the law hasn’t kept pace with technology, and this disconnect has created a
significant public safety problem. We call it “Going Dark,” and what it means is this: Those
charged with protecting our people aren’t always able to access the evidence we need to
prosecute crime and prevent terrorism even with lawful authority. We have the legal authority to
intercept and access communications and information pursuant to court order, but we often
lack the technical ability to do so. 1
(U//FOUO) Covert messaging applications are fueling the “Going Dark” trend. Commercially available
secure communication platforms are not a new concept. Blackberry Messenger, a PIN-to-PIN
messaging service available only on Blackberry devices, was touted as an early solution for secure
corporate communications. Between 2009 and 2011, messaging apps such as WhatsApp and Kik
were introduced as cross-platform, over-the-top (OTT) messaging platforms. *,† AppleUSPER responded
to the growing popularity of these applications by releasing iMessage on iOS devices in 2012, which
featured Wi-Fi messaging and end-to-end encryption. Other secure messaging apps, such as Wickr,
Telegram, TextSecure, and surespot, were subsequently released. 2
(U//FOUO) Increased public awareness of government surveillance has contributed to the rising
consumer demand for covert messaging apps. This trend led software developers to use advancing
technologies to make these apps more user-friendly than previous releases. Technological knowledge
barriers that once prevented the average citizen from securing his/her communications have fallen,
and covert messaging apps have gone mainstream. 3
(U//LES) Criminals and violent extremists have taken notice of the ever-expanding technologies
available to conceal their interactions and evade detection by law enforcement. 4,5,6 In his June 3, 2015
testimony before the House Committee on Homeland Security, FBI Assistant Director Michael
SteinbachUSPER pointed to “mobile apps like Kik and WhatsApp as well as data-destroying apps like
Wickr and surespot” as the burgeoning apps of choice for Islamic State of Iraq and the Levant (ISIL)
interactions. 7
(U//FOUO) With the field of covert messaging platforms continually diversifying, it is important to note
the subtle differences between the apps and what they offer. Covert messaging software can
encompass off-network messaging and/or secure (encrypted) messaging.
(U//FOUO) Off-Network Messaging
(U//FOUO) Off-network communication technology is popular for messaging apps because it does not
rely on a mobile phone’s cellular data plan to function. Instead, users are able to send and receive
messages from their phone using a Wi-Fi network when cellular networks are not available or if a user
wants to communicate without using cellular company infrastructure. Messages do not register on the
user’s phone plan and are not discoverable by legal demand served on the mobile phone carrier (for
example, search warrants or court orders; check with your local jurisdiction to determine what
constitutes a valid legal demand). However, the data may be available through serving legal demand
on software application providers. Other devices, such as tablets, can also be used to communicate
through off-network messaging platforms. 8
* (U//FOUO) Cross-platform in this context refers to the ability of software to function identically on different operating
systems–Apple’s iOS, Google’s Android, Microsoft’s Windows, etc.
† (U//FOUO) Over-the-top content refers to the delivery of any content (audio, video, etc.) from a third party service provider.
(U) Encryption Basics
Encrypted communication refers to a transmission of information that is essentially scrambled with a
code so that the information is unreadable to any person without the key to the code. Unauthorized parties can
still intercept information, but the message that they receive will be nearly indecipherable.
An important part of the encryption protocol is where the key data for encryption is stored. Companies that store
the key for messages on their servers run the risk of a data compromise if a hacker is able to retrieve the
key from their servers and decrypt the messages.
One of the most common encryption schemas is the asymmetric pair exchange. A person, call him Andrew, is
assigned a Public Key, which is a long string of numbers that the person will display publicly. If another person, Barb,
wants to send Andrew secured information, she will use Andrew’s Public Key to encrypt the data. When Andrew receives the
message, he will use the mathematically corresponding Private Key that is assigned to him to decrypt the message. Only the
person with the corresponding Private Key to the message’s Public Key will be able to get the scrambled message
back to its intended form, so it is imperative that Private Keys are not shared.
Most secure messaging apps are now promising “end-to-end encryption.” End-to-end encryption is more secure
because the Private Key pairs used during the communication remain on the user’s devices and are not uploaded to the
app’s servers. No “backdoors” into the secure messaging services can be installed because the information passing through
the services is indecipherable without the Private Keys stored on the participating users’ devices.
To combat the problem of sophisticated hackers attempting to mathematically break Public Key encryption, more
services have begun to implement Forward Secrecy in their protocols. Forward Secrecy protocols feature Public/Private Key
pairs that are created for each session; these pairs are never stored or reused. If an attacker were to break the
code, the attacker would only have access to the information exchanged in that session alone. No future or historical
information would be available due to the reassignment of keys.
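The per-session key pairs described above, shown as an added example that is not part of the original report: two parties create fresh key pairs for every session, so a key leaked from one session does not open another. The choice of X25519, the HKDF step, the HMAC-based stand-in cipher and all function names are assumptions for illustration; the report names no specific algorithm.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19                          # Curve25519 field prime (RFC 7748)
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Educational only: not constant-time."""
    kb = bytearray(scalar)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    k = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def new_session_keypair():
    """Fresh (private, public) pair, held in memory for one session only."""
    private = secrets.token_bytes(32)
    return private, x25519(private, BASE_POINT)


def hkdf_sha256(secret: bytes, info: bytes) -> bytes:
    """HKDF (RFC 5869) with an all-zero salt and one 32-byte output block."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher (assumption): HMAC keystream, then MAC over nonce+ciphertext."""
    nonce = secrets.token_bytes(12)
    ct = _xor(plaintext, _keystream(hkdf_sha256(key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(hkdf_sha256(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(hkdf_sha256(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered message")
    return _xor(ct, _keystream(hkdf_sha256(key, b"enc"), nonce, len(ct)))


def run_session(message: bytes):
    """One session: both sides make new pairs, swap public halves, derive one key."""
    a_priv, a_pub = new_session_keypair()
    b_priv, b_pub = new_session_keypair()
    key_a = hkdf_sha256(x25519(a_priv, b_pub), b"session")
    key_b = hkdf_sha256(x25519(b_priv, a_pub), b"session")
    blob = seal(key_a, message)           # sender encrypts
    received = unseal(key_b, blob)        # receiver decrypts with its own derivation
    del a_priv, b_priv                    # private halves are discarded, never reused
    return key_a, blob, received


def leaked_key_opens(key: bytes, blob: bytes) -> bool:
    """True if a captured ciphertext can be opened with the given (leaked) key."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample messages for two separate sessions.
    k1, blob1, _ = run_session(b"constructed message, session 1")
    k2, blob2, _ = run_session(b"constructed message, session 2")
    print("session 1 key opens session 1:", leaked_key_opens(k1, blob1))
    print("session 1 key opens session 2:", leaked_key_opens(k1, blob2))
```
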
(U) Secure Messaging
Secure messaging offers even more safeguards against message interception. These
apps contain some level of encryption for any communications sent using the service.
Encryption protocols range from the most basic forms of encryption to high-level proprietary protocols designed
by some of the world’s leading
Secure messaging apps have a reputation to uphold within their user community that the
apps’ services are secure, and free from government intrusion. Some companies have
gone so far as to promote the use of a “warrant canary” to inform users whether or not a secret
government subpoena has been filed on the company. 11
• Wickr places its warrant canary in their annual transparency reports. The
warrant canary states, “As of the date of this report, Wickr has not been required by a FISA
request to keep any secrets that are not in this transparency report as part of a national
security order.” 12 Wickr alerted users in its blog that if the warrant canary disappears in its
report then things “will have shifted.” 13
• In late 2013, Apple published its first transparency report and it contained its
warrant canary: “Apple has never received an order under Section 215 of the USA Patriot Act.
We would expect to challenge such an order if served on us.” The next two transparency
reports that Apple published no longer featured the warrant canary, which led many people to
speculate that Apple may have been served federal legal demand. 14
• (U//FOUO) Bloggers can also act as an unofficial warrant canary for companies. A tech
blogger regularly e-mails 2foursUSPER, surespot’s parent company, questioning whether or not
they have received requests to cooperate with a government agency and if the company has
ever received a National Security Letter. In May 2014, 2fours replied that the answer to all of
the blogger’s questions was no. In November 2014, the blogger repeated the e-mail, and
2fours responded that they had received an e-mail regarding how one could serve a subpoena
to 2fours. In April 2015, the blogger re-sent the questions and received no reply back from the
company. 15
(U//FOUO) Common Covert Messaging Apps
(U//FOUO) Like many commercial products, covert messaging apps are evaluated in online buyers’
guides and forums. 16 The most highly regarded platforms are discussed below. Unless otherwise
noted, the apps are available for both iOS and Android users.
• (U//FOUO) KIK – First released in October 2010, the Kik Messenger app allows users to share
voice, text, images, and other content. Kik Messenger works through a unique Kik ID
that allows users to contact each other regardless of whether or not they are in the
recipient’s contact network. All the user has to do is publicize his/her Kik name, and any
other Kik user may contact them. 17 Due to its popularity with teens and tweens, sexual
predators have often used Kik. To combat the pervasive nature of the child exploitation
threat over its software, Kik partnered with Microsoft’s PhotoDNA software that will help block the
distribution of child pornography over the app. Kik recently surpassed 200 million users. 18
• (U//FOUO) WHATSAPP – With approximately 800 million users, WhatsApp is the most popular
messaging service available. The company is based in Mountainview, CA and
FacebookUSPER acquired WhatsAppUSPER in early 2014. 19 WhatsApp added TextSecure
end-to-end encryption technology to their services at the end of 2014. However, a
recent study showed that iOS devices do not support the TextSecure protocol, and
WhatsApp messages sent or received from an iPhone are not encrypted and more
vulnerable to interception. 20
• (U//FOUO) SURESPOT – First released in December 2014, surespot is a secured messaging
app that allows for voice and text messaging. It does not support group messaging
or file attachments other than photos. Surespot is entirely open source software, so
the users are able to review the code and security protocols that are used. 21
Surespot is owned and developed by 2fours, a company based out of Boulder, CO.
Surespot has less than 500,000 downloads through the Google Play store. 22
• (U//FOUO) TELEGRAM – The Telegram message app was first released in August 2013.
Telegram messaging service is available for phones and personal computers and is
mostly cloud-based. The Durov brothers, the founders of Russian VK, developed
the app, and the company is based in Berlin, Germany. Telegram has over 50
million active users and exchanges nearly 1 billion messages a day. 23
• (U//FOUO) WICKR – The Wickr app was first released in June 2012; it is available on Android
and iOS platforms as well as Windows desktop. The Wickr app supports the
transmission of text, video, audio or images. Users are able to edit images that are
sent through the app. Wickr is based out of San Francisco and has over a million downloads. 24
• (U//FOUO) SCRAMBL3 – The newest secure messaging application, Scrambl3, was released in
early June 2015. Scrambl3 is currently only available on Android devices and
allows for text and voice communication. Scrambl3 was developed from the last
NSA standards to protect Top Secret classified communications. 25 US MobileUSPER,
whose headquarters is in Irvine, CA, created the app. Since the app is newly
released, Scrambl3 has less than 5,000 downloads from the Google Play store.
Scrambl3 is not yet available on iOS devices. 26
• (U//FOUO) THREEMA – The Threema app was released in late 2012, and it supports text,
voice and multimedia messaging. Threema GmbH developed the software. 27 All of
the company’s servers are located in Switzerland. Threema has less than 5 million
downloads in the Google Play store.
• (U//FOUO) SILENT CIRCLE – Mike Janke USPER and Phil ZimmermanUSPER founded the Silent
Circle company in 2012. Zimmerman created Pretty Good Privacy (PGP), a widely
used e-mail encryption software program. Silent Phone, released in late 2012,
offers encrypted video and voice for paid subscribers. The company followed by
releasing Silent Text, which offers encrypted data transfers (text, images, audio)
between parties. In June 2014, Silent Circle and Geeksphone teamed up to release
the Blackphone, an Android-based smartphone operating Silent Circle’s full suite of privacy
products and several other privacy-focused features. The company will release Blackphone 2
in September of this year. 28 Silent Circle is based out of Switzerland, and the apps have nearly
a million downloads between iOS and Android platforms. Dutch mobile network provider KPN
recently partnered with Silent Circle to become the first telecom provider in the world to offer
customers encrypted communications services using Silent Text and Silent Phone. 29
(U//FOUO) See Appendix A for further details on covert messaging apps.
(U//FOUO) Terrorists and Criminals Seek Out Secure Communications Services
(U//FOUO) While ISIL has been prolific in their use of social media to help radicalize and recruit
individuals, ISIL members and their supporters are learning the risks and vulnerabilities that arise
when relying so heavily on publicly available technology. 30 ISIL social media accounts now regularly
feature guidance to their followers on how best to obfuscate communications. Recommendations now
include setting up Virtual Private Networks (VPNs) when browsing the internet to conceal Internet
protocol (IP) address and cookie information, as well as encrypting any e-mails that are sent. 31 ISIL
leaders have become so concerned about surveillance and intelligence collection that they have
banned certain devices and technologies on the battlefield. According to media reporting, Apple
products are forbidden in their caliphate, as ISIL believes Android devices are more secure. 32
(U//FOUO) As the number of successful counterterrorism interdiction efforts continues to rise, violent
extremists are increasingly turning to more secure methods of interaction. Media reporting highlights
specific communications vulnerabilities, and violent extremist forums regularly discuss the best covert
communications options. 33
• (U//FOUO) On June 8, 2015, Belgian authorities arrested 16 conspirators in several anti-terror
raids. Belgian law enforcement officials told the media that they had been monitoring the
suspects’ communications over WhatsApp. 34
• (U//FOUO) On May 27, 2015, probably deceased ISIL fighter Junaid Hussain tweeted
publicly that any individuals interested in waging lone offender attacks should contact him
using the messaging application surespot. Hussain stated that “these days u don’t even need
to go abroad for training you can be taught & assisted online via 200 percent secure
methods.” 35
• (U//FOUO) On November 4, 2014, a follower of ISIL on Twitter USPER posted publicly that
individuals should “NOT use KIK Messenger when chatting about sensitive Jihadi stuff”
because it was not secure. Following his post, there was a discussion among his followers of
apps that were preferred and known to be secure. 36
(U//LES) Internationally-based violent extremists are not the only ones who have found use for secure
messaging apps. A body of open source and law enforcement reporting notes that drug trafficking
organizations, HVEs, and militia extremists are using the apps to evade surveillance. 37
• (U) Rafael Caro Quintero, former leader of the Guadalajara cartel, used WhatsApp to send
video messages to leaders of the New Generation Jalisco cartel according to media reporting
in July 2015. 38
• (U//LES) Drug trafficking organizations are using Silent Circle products to encrypt their
communications. Law enforcement reports Silent Circle is being utilized in Atlanta, Dallas,
Denver, Philadelphia, and San Francisco as of February 2015. 39
• (U) Ali Shukri Amin USPER, a 17-year-old from Virginia, pled guilty to providing material support
and resources to ISIL. Court documents filed on 11 June 2015 describe the teen’s use of the
surespot app to organize the travel of a supporter to Syria. 40
• (U//LES) Militia extremists in Utah are telling members to use secure messaging services like
Wickr to discuss surveillance and group membership, according to analysis by the Utah
Statewide Information & Analysis Center in April 2015. 41
(U//LES) Law Enforcement Implications for Covert Messaging Apps
(U//FOUO) Law enforcement investigators will be able to send legal demand to messaging software
companies based in the United States. However, the information that is returned may not be useful,
as most of these companies do not store message content on their servers. If the company stores
message content on its servers, it is likely that the content that is returned will be indecipherable
without the user’s key, typically stored on the user’s device. Depending on the app, identifying
account information may or may not be stored with the company, so it is imperative for the investigator
to visit the specific app’s website to determine what the company can or cannot produce. Most
importantly, nearly all of the companies have data request disclosure policies that will notify the user if
a legal demand is submitted for the individual’s account information. It is imperative that investigators
use language in their legal demand to legally prohibit the company from doing so (“gag order”
language).
(U//FOUO) If the company is based outside the United States, an investigator must take special
considerations when filing legal demand to ensure compliance. In some cases, a Mutual Legal
Assistance Treaty (MLAT) between the US Government and the company’s host government is
typically required for any legal demands to be served on the company. 42 Kik Messenger, based out of
Canada, cautions agencies that a MLAT may be required to obtain any user data from Kik. 43
(U//FOUO) Since the message content in most secure messaging apps is saved only on the device,
apps like Threema recommend creating an identity backup of the phone using the device’s backup
system. 44 If a backup is created, it could be stored in the device’s cloud storage (e.g., iCloud and
OneDrive), which means that it may be accessible to law enforcement if the investigator chooses to
subpoena any cloud accounts for the subject of the investigation. The identity backups look different
for each app, but the investigator may be able to see the chat messages and contact list, depending
on the app and user settings. 45
(U//LES) Forensic examination of the subject’s device may find conversation artifacts depending on
the app the subject used. However, if the device itself has a passcode or is encrypted, the forensic
analyst will have a greatly reduced chance of recovering any evidence as forensic examination
technology has limited capability for analyzing locked devices. Forensic examiners stress the
importance of interviewing the subject and asking for any device passwords and any passwords or
keys associated with the apps installed on the subject’s phone. 46
(U) Outlook
(U//LES) The type of app selected by malicious actors is often influenced by both security features
and the population using the app. Sophisticated organizations typically use apps that are both
off-network and encrypted. Other criminal actors like human trafficking rings or child predators may
use platforms like Kik, which is not encrypted, because the app’s use among teens is so high.
Understanding how covert messaging applications work and the different features of secure or
off-network technology is crucial for law enforcement investigators. Often there will be little information
that can be retrieved from serving legal demand on these communication software providers.
However, the ability to recognize that a subject is using a covert app can lead to more informed
interviews of the subject and any conspirators. Awareness also enables a more focused forensic
examination of any devices seized. 47
(U//LES) Knowledge that the subject of a law enforcement investigation is using covert messaging
may also enable decisions about alternative investigative techniques such as confidential informants
or undercover operations.
(U//FOUO) Appendix A – Covert Messaging Application Attributes
UNCLASSIFIED//FOR OFFICIAL USE ONLY

App: Kik
Encryption/Key Assignment: None
Message/Data Storage and Deletion: Messages are only stored on the user’s device. Message artifacts can be found forensically, even after deletion.
Registration and Retention: Register with unique Kik username. The phone number of the device is not stored or accessible by Kik.

App: WhatsApp
Encryption/Key Assignment: End-to-end encryption using TextSecure encryption on Android platform. Only stores keys on the user’s device. Assigns new key with every message.
Message/Data Storage and Deletion: Messages are stored on the user’s device. All messages pass through WhatsApp servers. Files sent through messaging (images, videos) are stored for a short period of time after delivery. 48
Registration and Retention: Uses device phone number to route chats and calls to user. Uses device’s phone book to find other registered users with whom to chat.

App: surespot
Encryption/Key Assignment: End-to-end encryption. Key pairs are assigned at registration, tied to username. Users can regenerate their keys at any time. App allows key verification between chat participants.
Message/Data Storage and Deletion: Message data and keys are encrypted and stored on the device. Data can be decrypted with user’s password. Message deleted from sender’s phone will be deleted on the recipient’s phone and surespot server as well. App also runs cache processes that will leave significant artifacts that can be found during forensic examination.
Registration and Retention: Register with unique surespot username and password. Passwords can never be reset or recovered. Users can create multiple identities to use on the same device.

App: Silent Circle (Silent Phone, Silent Text)
Encryption/Key Assignment: Uses Silent Circle Instant Messaging Protocol (SCIMP) with end-to-end encryption. Practices forward secrecy by assigning distinct keys for each message to both users. Keys are erased from memory.
Message/Data Storage and Deletion: Silent Text has a “Burn Notice” feature that allows users to decide how long a message can be viewed before it is deleted from both sending and receiving devices.
Registration and Retention: Paid subscriptions to Silent Text and Silent Phone required; subscriber credit card data is held by Stripe USPER. Silent Circle retains username and encrypted password.

App: Telegram
Encryption/Key Assignment: End-to-end encryption only on “Secret Chat” feature. Secret Chat has rotating key protocol that discards old previously used keys. App allows key verification between chat participants.
Message/Data Storage and Deletion: Users can elect to have messages in Secret Chat self-destruct after so many seconds. Messages deleted from sender’s phone will be deleted on the recipient’s phone. All messages, including Secret Chats, are stored in the device in plain text. 49 Forensic examination will likely produce Secret Chats and any deleted messages.
Registration and Retention: Account is tied to device phone number. Users can also establish a public username if they want to be searchable.

App: Wickr
Encryption/Key Assignment: End-to-end encryption. Practices forward secrecy by assigning new keys for each message.
Message/Data Storage and Deletion: Users can set their message to last between three seconds and six days. Once messages are deleted, they are forensically wiped from the phone. “Secure Shredder” feature runs in the background and wipes previously deleted information, making it unattainable to forensic examination. Removes all metadata from messages and media.
Registration and Retention: Device registration is encrypted. Unique Device Identifier is never uploaded to Wickr’s servers, so user is anonymous.

App: Scrambl3
Encryption/Key Assignment: Employs encryption protocols and then places that information in “Dark Internet Tunnels” of proprietary encryption protocols.
Message/Data Storage and Deletion: No information currently available, as the app has just been released.
Registration and Retention: No information currently available, as the app has just been released.

App: Threema
Encryption/Key Assignment: End-to-end encryption. Key pairs are assigned at registration and regenerated whenever the app is launched.
Message/Data Storage and Deletion: No information available.
Registration and Retention: No phone number is required at registration. However, it is recommended that the user links the Threema ID to the phone number in order to be discoverable to contacts.
(U) DHS Perspective
DHS assesses that growing concerns regarding the privacy of user data and the
perceived spying by US law enforcement and the US Government are driving ordinary citizens as well as
criminal elements to more secure or anonymizing methods of communication. The increasing market
demand for secure services will continue to spark the startup of anonymization companies and the
development of new techniques to counter law enforcement efforts.
(U) A Pew Research Center poll from late 2013 revealed that as many as eighty-six percent of
Internet users have taken steps online to remove or mask their digital footprints, ranging from
clearing cookies to their e-mail, from avoiding using their name to using virtual
networks that mask their IP address. Fifty-five percent of Internet users have taken steps to avoid
observation by specific people, organizations, or the government.50
(U) Internet traffic is surging worldwide, according to data published by Canadian
broadband management company Sandvine. After the public accusations of US Government
spying in 2014, the bandwidth consumed by traffic doubled in North America; in Europe
and Latin America the share of traffic
Technology savvy criminals, driven by the fear of government tracking and surveillance, are
likely to increase their use of anonymizing applications such as The Onion Router (TOR) and unindexed
“invisible” sections of the Internet called the Deep Web. Use of these services would almost certainly
impair law enforcement efforts to identify malicious actors.
TOR and the Deep Web
(U) TOR is free software for enabling anonymous communication. TOR directs Internet traffic through a free, worldwide,
volunteer network consisting of more than six thousand relays to conceal a user’s location and usage from anyone
conducting network surveillance or traffic analysis.
(U) The Deep Web is an unindexed section of the Internet. Deep Web pages operate just like any other site online, but
they are constructed so that their existence is invisible to web crawlers such as search engines. The Deep Web is filled
with content and sites of a nefarious nature that are only accessible via tools like TOR.54
DHS further assesses that HVEs will likely continue to use covert messaging applications
to plan both travel and Homeland attacks. Due to the security restrictions of such apps, it is increasingly
imperative that bystanders, to include parents, teachers, and community members, remain aware of
possible signs of radicalization and mobilization to violence and report concerns to the appropriate
authorities.
Comments, requests, or shareable intelligence may be directed to the Wisconsin
Statewide Information Center at (888) 324-9742 or wsic@doj.state.wi.us.
Source Summary Statement
This report was drawn from government documents, law enforcement reporting, and open
source information. In addition, the daily criminal investigation case support duties of assigned to
the WSIC Intelligence Analysis Unit (IAU) informed this product. We have high confidence in the
validity of all sources used and our review of covert messaging technology. We have medium confidence
in our characterization of violent extremist and criminal use of covert messaging technologies. This is due
to the emergent and rapidly changing nature of specific technologies discussed and the paucity of
associated human source reporting.
(U) Report Suspicious Activity
(U) To report suspicious activity, law enforcement, private security personnel, and
emergency managers should follow established protocols; all other personnel should call 911 or
contact local law enforcement. Suspicious activity reports (SARs) will be forwarded to the appropriate
fusion center and FBI Joint Terrorism Task Force for further action. For more information on the
Nationwide SAR Initiative, visit
(U) Tracked by: HSEC-8.2.2, HSEC-8.2.4, HSEC-8.7.1, HSEC-8.7.2.12, HSEC-8.8.1, HSEC-8.8.3
1 James B. Comey; FBI, Director; “Going Dark: Are Technology, Privacy, and Public Safety on a
Collision Course?”; 16 OCT 2014; Extracted information is Overall speech was
Remarks as delivered at the Brookings Institution.
2 Molly Wood; The New York Times; “Can you trust ‘secure’ messaging apps?”; 19 MAR 2014;
accessed 21 JUL 2015; (U).
3 Ellen Nakashima; The Washington Post; “Proliferation of New Online Communications Services Poses
Hurdles”; 26 JUL 2014;
1e4-b8e5-d0de80767fc2_story.html; accessed on 21 JUL 2015; (U).
4 WSIC Intelligence Analysis Unit; Meetings; 2014; 2015; Weekly Analyst Meeting-Criminal Case
Support Discussions; Extracted information is Overall meeting discussions were
5 26 FEB 2015; DOI Communications Security Measures
of a Western US-Based Militia Extremist Group; Extracted information is Overall document
classification is
6 Ellen Nakashima; The Washington Post; “Proliferation of New Online Communications Services Poses
Hurdles”; 26 JUL 2014;
1e4-b8e5-d0de80767fc2_story.html; accessed on 21 JUL 2015; (U).
7 Michael Steinbach; FBI, Assistant Director, Counterterrorism Division; Terrorism Gone Viral: The
Attack in Garland, Texas and Beyond; Statement Before the House Homeland Security Committee; 3 JUN
2015; Extracted information is Overall testimony was UNCLASSIFIED.
8 Susan Kantra; USA Today; “Free messaging apps can help you stop paying for texts”; 15 JUN 2013;
3/06/1 69/;
accessed on 21 JUL 2015; (U).
9 Andy Greenberg; “Hacker lexicon: What is end-to-end 25 NOV 2014;
accessed 21 JUL 2015; (U).
10 Neal Ungerleider; Fast Company; “Phil Zimmerman’s Silent Circle builds a secure, seductive fortress
around your smartphone”; 5 OCT 2012;
accessed on 21 JUL 2015; Blog.
11 Zack Whittaker; “How tech companies use warrant canaries to secretly communicate with
you”; 5 MAR 2015; accessed 21 JUL 2015; (U).
12 “Wickr Transparency Report 2015”;
accessed on 21 JUL 2015; (U).
13 “Wickr Transparency Report 2015”;
accessed on 21 JUL 2015; (U).
UNCLASSIFIED LAW ENFORCEMENT SENSITIVE
Page100f12
UNCLASSIFIED LAW ENFORCEMENT SENSITIVE
Source Summary Statement
This report was drawn from government documents, law enforcement reporting, and open
source information. In addition, the daily criminal investigation case support duties of assigned to
the WSIC Intelligence Analysis Unit (IAU) informed this product. We have high confidence in the
validity of all sources used and our review of covert messaging technology. We have medium confidence
in our characterization of violent extremist and criminal use of covert messaging technologies. This is due
to the emergent and rapidly changing nature of specific technologies discussed and the paucity of
associated human source reporting.
(U) Report Suspicious Activity
(U) To report suspicious activity, law enforcement, private security personnel, and
emergency managers should follow established protocols; all other personnel should call 911 or
contact local law enforcement. Suspicious activity reports (SARs) will be forwarded to the appropriate
fusion center and FBI Joint Terrorism Task Force for further action. For more information on the
Nationwide SAR Initiative, visit
(U) Tracked by: HSEC-8.2.2, HSEC-8.2.4, HSEC-8.7.1, HSEC-8.7.2.12, HSEC-8.8.1, HSEC-8.8.3
Product Serial Number: le287-15 REV: 29 October 2014