The Drug Enforcement Agency has told staff that it can’t find a way to beat the encryption used in Apple’s iMessage system. Even if it could decrypt the messages, a legal loophole might make it problematic.
The revelation comes in an internal DEA intelligence note leaked to CNET. It notes that even with a federal court order, “it is impossible to intercept iMessages between two Apple devices.”
The heart of the problem is that although iMessaging looks and feels like sending a traditional SMS text message, it’s actually an encrypted message that’s sent over the Internet using a peer-to-peer route, meaning it never passes through the phone company’s machines.
DEA officials put together the note after problems with an investigation by its San Jose office. Staff there had obtained records of text messages via Verizon Wireless, but the conversations seemed incomplete. The gaps turned out to be because the target was using iMessage.
The way iMessage works also creates legal problems for officials. Existing law says that both phone and internet service providers must design their networks to make government intercepts physically possible. However, Apple appears not to fall into either category, a loophole caused by drafters of the 1994 law not forseeing the age of smartphones.
The law also means that communications are exempt from wiretapping if they use an encryption key not provided by and known to the relevant company. That seems to be the situation here: it’s the iOS that are creating the encryption keys.
This doesn’t mean drug dealer and other criminals are home and dry though. The legal and technical loopholes only mean that Apple can’t be forced to help intercept calls, not that it would be unable to do so.
Neither the DEA nor Apple is speaking publicly about the issue, but it seems highly unlikely Apple would refuse to cooperate in cases where a judge is in principle happy for interception to take place. And it does appear the workings of the iMessage system means Apple could easily add the investigators as a third-party in conversations involving the target, without those under surveillance being aware of the intrusion.