Don't Kill the Messenger: How the New Technologies Used by Messaging Applications Are Gutting Compelled Disclosure Laws
A quiet revolution has taken place in the social media world and law enforcement has gotten the short end of the stick.[i]
There used to be a time when electronic communications providers sacrificed their users’ privacy concerns for their own financial gain.[ii] Email providers routinely used complex algorithms to scan and analyze the contents of their users’ incoming and outgoing messages in order to tailor advertisements to each user’s unique preferences.[iii] In turn, email providers gained a substantial percentage of their revenue from selling these targeted advertisements to companies and businesses interested in marketing their products online.[iv] In recent years, however, a growing number of popular messaging applications have flipped the script altogether on their use of technology.[v] The privacy of their users’ communications has become the foundation of their companies, and the technological innovations they employ have solidified that foundation.[vi] In the words of one such messaging app, “Respect for your privacy is coded into our DNA.”[vii]
Innovations in technology have given rise to new security features and programs which preserve and protect users’ privacy at various stages in the communication process.[viii] In order to protect the user from unauthorized entry into his account or device, companies are incorporating encrypted passwords and two-factor authorization.[ix] To prevent unauthorized access to the contents of messages, technologies such as end-to-end encryption and ephemeral communications are being employed.[x] While these security measures protect users from traditional hackers, such technological innovations also have the effect of preventing law enforcement agents from obtaining access to information that they otherwise have the legal and statutory authority to obtain.[xi] Even after complying with the Electronic Communications Privacy Act (ECPA) and following proper procedures, agents must still overcome the roadblock that these innovations place in their path.[xii]
One such innovation is end-to-end encryption—a security feature that provides protection to the contents of messages sent between two or more users.[xiii] End-to-end encryption entails the same scrambling process present in general encryption.[xiv] However, it operates in a slightly different manner that is uniquely tailored to safeguarding communications in transit.[xv] End-to-end encryption software works by scrambling, or encrypting, a sender’s message before it is transmitted to the receiver.[xvi] Thus, when the message leaves the sender’s possession, it is already encrypted and cannot be viewed in an intelligible format by anyone intercepting the message—hackers, governments, and messaging apps alike.[xvii] It is only decrypted once it is in the intended recipient’s possession because only he has the key that can decrypt the message.[xviii] Essentially, this means that apps with end-to-end encryption have access to, and may store, the encrypted versions of its users’ communications.[xix] Such versions, however, are completely useless to them and to anyone that obtains them because no one but the rightful recipient has the code or key to decrypt the message.[xx] Thus, when an app with this security feature is compelled to disclose the content of its users’ messages to law enforcement, all it is capable of turning over is meaningless data.[xxi]
Ephemeral communications, meanwhile, are the closest thing users have to not leaving a digital trace of their communications.[xxii] Ephemeral communications, as the name suggests, are short-lived messages that are deleted on a schedule that either the app or the user sets in advance.[xxiii] Snapchat’s reputation for privacy is rooted in ephemeral communications, as the app is almost entirely designed around this one safeguard.[xxiv] It prides itself on having this signature feature, touting that delete is our default.[xxv] Once a snap or chat has been viewed by the user it was sent to, the message is permanently deleted from the sender’s account, the recipient’s account, and Snapchat’s servers.[xxvi] The company’s law enforcement guidelines even reflect this practice, stating that it may only disclose the contents of users’ communications in a very narrow set of circumstances, i.e. when the message has not otherwise been deleted.[xxvii] Snapchat’s deletion policy does not apply to snaps that have been saved in a user’s Memories archive or that have not been opened.[xxviii] However, even unopened snaps are eventually deleted, though that is done thirty days after the snap was sent.[xxix] Story content is, at the most, available for twenty-four hours provided that the user does not delete the content before then.[xxx] Additionally, the feature provides no protection against users who take screenshots of the messages prior to them being deleted.[xxxi] Just as with end-to-end encryption, apps that feature ephemeral communications hinder law enforcement’s ability to obtain the contents of users’ communications, even with a valid search warrant issued pursuant to the SCA.[xxxii] With no copy of the messages on its servers, apps with this feature have nothing to disclose to law enforcement despite being legally compelled to do so.[xxxiii]
In recent years, messaging apps have redefined their role in society.[xxxiv] By incorporating privacy policies, business practices, and security features that hinder law enforcement’s access to users’ data, they have asserted their role as conduits of information.[xxxv] They are mere messengers—carriers of their subscribers’ data.[xxxvi] More importantly, however, they are carriers of their users’ desires, and the way they do business is a direct manifestation of their users’ privacy expectations in their electronic communications with others.[xxxvii]
Instead of punishing companies by controlling—and effectively killing—the features they are incorporating into their apps, Congress should amend the ECPA and see these entities for what they really are—mere messengers.[xxxviii]
[i]. See Matt Apuzzo, WhatsApp Encryption Said to Stymie Wiretap Order, N.Y. Times (Mar. 12, 2016), https://www.nytimes.com/2016/03/13/us/politics/whatsapp-encryption-said-to-stymie-wiretap-order.html.; Brett Max Kaufman, New Documents Reveal Government Effort to Impose Secrecy on Encryption Company, ACLU (Oct. 4, 2016, 7:00 AM), https://www.aclu.org/blog/free-future/new-documents-reveal-government-effort-impose-secrecy-encryption-company.
[ii]. See In re Yahoo Mail Litig., 7 F. Supp. 3d 1016, 1021 (N.D. Cal. 2014).
[iv]. Id. Yahoo’s annual revenue from such advertising was as high as seventy-five percent. Id.
[viii]. See Walt, supra note 5.
[ix]. Security Practices, supra note 6.
[xi]. Apuzzo, supra note 1.
[xiii]. Nadeem Unuth, What Is End-to-End Encryption?, Lifewire, https://www.lifewire.com/what-is-end-to-end-encryption-4028873 (last updated May 31, 2017).
[xviii]. Unuth, supra note 13.
[xix]. See Apuzzo, supra note 1.
[xx]. See Id.
[xxii]. See When Does Snapchat Delete Snaps and Chats?, Snapchat: Support, https://support.snapchat.com/en-US/a/when-are-snaps-chats-deleted (last visited July 14, 2017).
[xxiii]. See Custom Message and File Retention, Slack, https://get.slack.help/hc/en-us/articles/203457187-Custom-message-and-file-retention (last visited July 14, 2017).
[xxiv]. See When Does Snapchat Delete Snaps and Chats?, supra note 22.
[xxvi]. Snapchat, Inc., Law Enforcement Guide 9 (2016), https://storage.googleapis.com/snap-inc/privacy/lawenforcement.pdf.
[xxxi]. When Does Snapchat Delete Snaps and Chats?, supra note 22.
[xxxii]. See Snapchat, Inc., supra note 26, at 9.
[xxxiv]. See Walt, supra note 5.
[xxxv]. See Id.; Apuzzo, supra note 1.
[xxxvi]. See Apuzzo, supra note 1; Walt, supra note 5.
[xxxvii]. See Apuzzo, supra note 1; Walt, supra note 5.
[xxxviii]. See Apuzzo, supra note 1; Walt, supra note 5.