A small Nebraska company called PenLink claims it does very good business with law enforcement agencies in the US and around the world. The company specializes in helping investigators monitor users of messenger services and social networks. Acting as an intermediate instance, they collect the data streams from Facebook, Google & Co. and passes them on to the police in processed form.
Backups as a rich source of information
The information comes from a secret recording of a round at the National Sheriffs' Association winter conference in Washington, which the founder of the transparency portal "Tech Inquiry", Jack Poulson, made and has now published.
The recording contains a presentation by longtime PenLink employee Scott Tuma. In the presentation, he explained the extent to which tech companies and providers such as Apple, WhatsApp or Snapchat made information available to the police. This often does not even require a valid search warrant - a subpoena or direct contact is sometimes sufficient for voluntary cooperation.
Tuma called Apple's iCloud backups "phenomenal." "If you've done something bad, I'll bet you I can find it in this backup," he said, according to the recording Poulson first made available to Forbes.
Inconsistent encryption at Apple
Apple has gradually expanded end-to-end encryption in iCloud in recent years, but it still is missing for mail and bookmarks, for example. Despite long-term demands, Apple still does not encrypt backups. This leads to the rather absurd situation that iMessages can initially be stored in encrypted form in the iCloud. However, the key to this can be found in the backup. Apple regularly issues backup copies from the computer clouds to authorities by court order.
Tuma also claims that it is possible to view the content of WhatsApp messages, although the platform promises strict security measures. Since messages are not encrypted when they are backed up, this automatically overrides the protection provided by the app's end-to-end encryption.
Metadata recorder for WhatsApp
The PenLink representative reported on a case in New York where he was sitting on "about a thousand WhatsApp recordings". However, the Facebook-owned service is not well-suited for real-time eavesdropping, as you can only create backups once a day. However, metadata showing how a WhatsApp account was used and which numbers contacted each other and when could be tracked with with a tool called "pen register" that offers to its customers.
A WhatsApp spokesperson emphasized that "We carefully review, validate and respond to law enforcement requests based on applicable law and in accordance with our Terms of Service and make this clear on our website and in regular transparency reports." Data would not be released to companies like PenLink, but directly to investigators. Since last year it has also been possible to encrypt backups in the iCloud or Google Drive.
Google Location Data even after years
Tuma also raved about the location data from Google: The Android provider "can locate me to within a meter". He worked on countless long-unsolved cases in which the data could still be assigned to the suspects after "five, six, seven years", for example in a hit-and-run or a sexual assault. If people carry their smartphones with them and have a Gmail account, the investigators are lucky: "And that happens often." In comparison, Facebook can find a target within 18 to 27 meters. Snapchat has started to provide a more accurate location within about five meters.
It is also very revealing to ask Google for search histories, said Tuma. He had witnessed it in several murder investigations: Perpetrators were actually looking for "how to dispose of a human corpse" through the service. This is then also so in their Google history. The practitioner assured: "They cleared their browser and their cookies and so on, they think it's gone. Google is the best." A spokesman for the search engine giant asserted that they always try to reconcile data protection with the needs of the police.
Suspects tracked for free and almost live
According to the presentation, tech companies can in principle be commissioned to track suspects free of charge and almost live. The disadvantage is that social media feeds cannot be accessed in real time. There is a delay of 15 minutes on Facebook and Instagram. With Snapchat, the intervals are even greater. In "urgent cases" the operators delivered the desired data faster.
According to Tuma, what makes things more difficult for law enforcement officers is that they have to log into a portal and download the files. If an investigator does not report every hour during surveillance, he will be locked out. PenLink automated the process so officials could take a break.
Civil rights activist: "Disturbing" and hardly legal
Jennifer Granick from the US civil rights organization American Civil Liberties Union (ACLU) described much of the report as "disturbing" on Twitter. PenLink, for example, claims that a "simple request" on Facebook, for example, provides information about "when and where a photo was uploaded or when a credit card transaction took place. That goes beyond what the law allows."
There's so much that's disturbing in this story. For example, PenLink claims “simple subpoena” to Facebook yields information such as when and where a photo was uploaded, or when a credit-card transaction took place. That's beyond what the law allows.
— Jennifer Granick (@granick) February 24, 2022
Social network operators are able to filter by date, type of data and even by sender and recipient. Anyone who supplies terabytes of data cannot "justify reasonable suspicion" as required by constitutional law.
Stay up to date with digital trends
We cover latest trends all things digital with news and infos about developments for your online business.