Don't Kill the Messenger: How the New Technologies Used by Messaging Applications Are Gutting Compelled Disclosure Laws
Veronika Balbuzanova
A quiet revolution has taken place in the social
media world and law enforcement has gotten the short end of the stick.[i]
There used to be a time when electronic
communications providers sacrificed their users’ privacy concerns for their own
financial gain.[ii] Email providers routinely used complex
algorithms to scan and analyze the contents of their users’ incoming and outgoing
messages in order to tailor advertisements to each user’s unique preferences.[iii] In
turn, email providers gained a substantial percentage of their revenue from
selling these targeted advertisements to companies and businesses interested in
marketing their products online.[iv] In recent years, however, a
growing number of popular messaging applications have flipped the script
altogether on their use of technology.[v] The privacy of their
users’ communications has become the foundation of their companies, and the
technological innovations they employ have solidified that foundation.[vi] In
the words of one such messaging app, “Respect for your privacy is coded into
our DNA.”[vii]
Innovations in technology have given rise to new
security features and programs which preserve and protect users’ privacy at
various stages in the communication process.[viii] In order to
protect the user from unauthorized entry into his account or device, companies
are incorporating encrypted passwords and two-factor authorization.[ix] To
prevent unauthorized access to the contents of messages, technologies such as
end-to-end encryption and ephemeral communications are being employed.[x] While
these security measures protect users from traditional hackers, such technological
innovations also have the effect of preventing law enforcement agents from
obtaining access to information that they otherwise have the legal and
statutory authority to obtain.[xi] Even after complying with the
Electronic Communications Privacy Act (ECPA) and following proper procedures,
agents must still overcome the roadblock that these innovations place in their
path.[xii]
One such innovation is end-to-end encryption—a
security feature that provides protection to the contents of messages sent between
two or more users.[xiii] End-to-end encryption entails the same
scrambling process present in general encryption.[xiv] However, it
operates in a slightly different manner that is uniquely tailored to
safeguarding communications in transit.[xv] End-to-end encryption
software works by scrambling, or encrypting, a sender’s message before it is
transmitted to the receiver.[xvi] Thus, when the message leaves the
sender’s possession, it is already encrypted and cannot be viewed in an
intelligible format by anyone intercepting the message—hackers, governments,
and messaging apps alike.[xvii] It is only decrypted once it is in
the intended recipient’s possession because only he has the key that can
decrypt the message.[xviii] Essentially, this means that apps with
end-to-end encryption have access to, and may store, the encrypted versions of
its users’ communications.[xix] Such versions, however, are
completely useless to them and to anyone that obtains them because no one but
the rightful recipient has the code or key to decrypt the message.[xx] Thus,
when an app with this security feature is compelled to disclose the content of
its users’ messages to law enforcement, all it is capable of turning over is
meaningless data.[xxi]
Ephemeral communications, meanwhile, are the
closest thing users have to not leaving a digital trace of their
communications.[xxii] Ephemeral communications, as the name
suggests, are short-lived messages that are deleted on a schedule that either
the app or the user sets in advance.[xxiii] Snapchat’s reputation
for privacy is rooted in ephemeral communications, as the app is almost
entirely designed around this one safeguard.[xxiv] It prides itself
on having this signature feature, touting that delete is our default.[xxv] Once
a snap or chat has been viewed by the user it was sent to, the message is
permanently deleted from the sender’s account, the recipient’s account, and
Snapchat’s servers.[xxvi] The company’s law enforcement guidelines
even reflect this practice, stating that it may only disclose the contents of
users’ communications in a very narrow set of circumstances, i.e. when the
message has not otherwise been deleted.[xxvii] Snapchat’s deletion
policy does not apply to snaps that have been saved in a user’s Memories
archive or that have not been opened.[xxviii] However, even unopened
snaps are eventually deleted, though that is done thirty days after the snap
was sent.[xxix] Story content is, at the most, available for
twenty-four hours provided that the user does not delete the content before
then.[xxx] Additionally, the feature provides no protection against
users who take screenshots of the messages prior to them being deleted.[xxxi] Just
as with end-to-end encryption, apps that feature ephemeral communications
hinder law enforcement’s ability to obtain the contents of users’
communications, even with a valid search warrant issued pursuant to the SCA.[xxxii] With
no copy of the messages on its servers, apps with this feature have nothing to
disclose to law enforcement despite being legally compelled to do so.[xxxiii]
In recent years, messaging apps have redefined
their role in society.[xxxiv] By incorporating privacy policies,
business practices, and security features that hinder law enforcement’s access
to users’ data, they have asserted their role as conduits of information.[xxxv] They
are mere messengers—carriers of their subscribers’ data.[xxxvi] More
importantly, however, they are carriers of their users’ desires, and the way
they do business is a direct manifestation of their users’ privacy expectations
in their electronic communications with others.[xxxvii]
Instead of punishing companies by
controlling—and effectively killing—the features they are incorporating into
their apps, Congress should amend the ECPA and see these entities for what they
really are—mere messengers.[xxxviii]
[i]. See Matt
Apuzzo, WhatsApp Encryption Said to Stymie Wiretap Order, N.Y. Times (Mar. 12, 2016),
https://www.nytimes.com/2016/03/13/us/politics/whatsapp-encryption-said-to-stymie-wiretap-order.html.; Brett
Max Kaufman, New Documents Reveal Government Effort to Impose Secrecy
on Encryption Company, ACLU (Oct.
4, 2016, 7:00 AM),
https://www.aclu.org/blog/free-future/new-documents-reveal-government-effort-impose-secrecy-encryption-company.
[ii]. See In
re Yahoo Mail Litig., 7 F. Supp. 3d 1016, 1021 (N.D. Cal. 2014).
[iii]. Id.
[iv]. Id. Yahoo’s
annual revenue from such advertising was as high as seventy-five
percent. Id.
[v]. See, e.g.,
Vivienne Walt, With Telegram, a Reclusive Social Media Star Rises Again, Fortune (Feb. 23, 2016, 4:25 AM),
http://fortune.com/telegram-pavel-durov-mobile-world-congress/. However,
some communications providers still routinely scan and analyze the contents of
their users’ messages in order to provide targeted advertisements. Yahoo
Privacy Center, Yahoo!,
https://policies.yahoo.com/us/en/yahoo/privacy/index.htm (last updated June 13,
2017). Yahoo’s Privacy Policy states that it collects such
information “to customize the advertising and content you see.” Id. Likewise,
Facebook’s Terms of Service state that, in utilizing Facebook’s services, users
agree to give Facebook access to the content of their communications so the
company can “deliver advertising and other commercial or sponsored content that
is valuable to our users and advertisers.” Statement of Rights
and Responsibilities, Facebook,
https://www.facebook.com/terms.php (last revised Jan. 30,
2015). Snapchat also personalizes ads according to information it
collects from users’ use of the application, though such information does not
include the actual content of the messages. Privacy Policy, Snap, Inc.,
https://www.snap.com/en-US/privacy/privacy-policy/ (last modified June 5,
2017).
[vi]. See Privacy
Policy, supra note 5; Security Practices, Slack,
https://slack.com/security-practices (last visited July 14, 2017); End-to-End
Encryption, WhatsApp: FAQ,
https://faq.whatsapp.com/en/general/28030015 (last visited July 14, 2017).
[vii]. WhatsApp
Privacy Policy, WhatsApp,
https://www.whatsapp.com/legal/#privacy-policy (last modified Aug. 25, 2016).
[viii]. See Walt, supra note
5.
[ix]. Security
Practices, supra note 6.
[x]. Walt, supra note
5; Privacy Policy, supra note 5.
[xi]. Apuzzo, supra note
1.
[xii]. Id.
[xiii]. Nadeem
Unuth, What Is End-to-End Encryption?, Lifewire,
https://www.lifewire.com/what-is-end-to-end-encryption-4028873 (last updated
May 31, 2017).
[xiv]. Id.
[xv]. Id.
[xvi]. Id.
[xvii]. Id.
[xviii]. Unuth, supra note
13.
[xix]. See Apuzzo, supra note
1.
[xx]. See Id.
[xxi]. Id.
[xxii]. See When
Does Snapchat Delete Snaps and Chats?, Snapchat:
Support,
https://support.snapchat.com/en-US/a/when-are-snaps-chats-deleted (last visited
July 14, 2017).
[xxiii]. See Custom
Message and File Retention, Slack,
https://get.slack.help/hc/en-us/articles/203457187-Custom-message-and-file-retention
(last visited July 14, 2017).
[xxiv]. See When
Does Snapchat Delete Snaps and Chats?, supra note 22.
[xxv]. Id.
[xxvi]. Snapchat, Inc., Law Enforcement Guide 9 (2016),
https://storage.googleapis.com/snap-inc/privacy/lawenforcement.pdf.
[xxvii]. Id.
[xxviii]. Id.
[xxix]. Id.
[xxx]. Id.
[xxxi]. When
Does Snapchat Delete Snaps and Chats?, supra note 22.
[xxxii]. See Snapchat, Inc., supra note
26, at 9.
[xxxiii]. Id.
[xxxiv]. See Walt, supra note
5.
[xxxv]. See Id.; Apuzzo, supra note
1.
[xxxvi]. See Apuzzo, supra note
1; Walt, supra note 5.
[xxxvii]. See Apuzzo, supra note
1; Walt, supra note 5.
[xxxviii]. See Apuzzo, supra note
1; Walt, supra note 5.
