Sponsored: The platforms’ privacy features and end-to-end message encryption make them popular with criminals. Dr. Cemal Dikmen & David Anstiss explain there are still legitimate, powerful ways to fight back.
Encrypted Over The Top (OTT) messaging platforms such as WhatsApp, iMessage, Signal, and Telegram have seen extraordinary adoption over the past 10 years. WhatsApp in particular has emerged as the most popular messaging app in the world, with more than 2 billion users globally.
In some areas, particularly parts of Africa, Latin America, and India, OTT applications such as WhatsApp, Telegram, and Signal have become the dominant means of electronic communication.
The vast majority of OTT application usage is for legitimate purposes of cost and convenience. However, these platforms’ privacy features and end-to-end encryption of message contents make them popular among criminals as well.
While message contents are encrypted, metadata that is legally obtained by law enforcement agencies (LEAs) can be valuable to investigations, with call logs helping establish patterns of life and lists of associates. Properly authorized LEAs in the US generally have robust lawful access to this information from OTT application providers, but such access is more complex or impossible for non-US jurisdictions.
In the US, LEAs can access information from OTT messaging applications, such as WhatsApp communications, with a warrant. For instance, search warrants can provide call data records (CDRs), in addition to relevant metadata.
Outside the US, LEAs must request access to OTT applications’ communications using frameworks such as Mutual Legal Assistance Treaty (MLAT) agreements and the Clarifying Lawful Overseas Use of Data (CLOUD) Act. MLAT agreements are in place between the US and more than 60 jurisdictions, including the EU. Unfortunately, the process of obtaining data using the MLAT process is too slow for many investigative purposes.
The CLOUD Act is capable of faster results, but it depends on significant procedural development by countries that wish to benefit from it. The country must have legislation that aligns with the requirements of the Act and then sign an Executive Agreement that is approved by the US Congress.
So far, the UK is the only country that has signed such an agreement, leaving LEAs in other jurisdictions in need of alternate means of lawful access to OTT applications’ communications.
Data paths in OTT messaging applications
For most OTT messaging applications such as WhatsApp and Signal, text and voice/video communications follow distinct data paths, and this differentiation can have a significant impact on lawful interception.
The defined data paths reflect the asynchronous and synchronous natures of text messages and voice/video calls, respectively. That is, each transmission in a text message exchange constitutes a separate session, whereas voice/video calls consist of a single session made up of multiple transmissions in each direction.
Accordingly, each text message travels through an OTT application’s server as an intermediary between the sender and receiver. The sender’s message transmits to the server, which redirects it to the receiver and sends an acknowledgement back to the sender.
A response to that message (or subsequent transmission) likewise includes a hop back to the server. LEAs seeking lawful access to message details are therefore dependent on the application provider, and those outside the US face the accompanying limitations on international access imposed by MLAT and the CLOUD Act.
By contrast, voice/video calls are initially – but temporarily – mediated by an OTT application’s server. The party initiating the call sends a query to the server, which forwards the call to the receiver. Upon response from the receiver, a direct communication channel is initiated between the two parties, independent of the server.
This reduces the computing burden on the OTT application server and helps safeguard call quality by eliminating latency between call participants. By removing the OTT application server from the communication, more of the metadata exchanged between the caller and the callee becomes available to LEAs with the proper legal authorization.
Algorithmic construction of CDRs
To emulate the information available from a conventional CDR and facilitate LEA analysis, the SS8 platform applies algorithmic analysis to OTT applications’ data streams to identify and classify the service (Message, Voice, Video) while extracting metadata.
This information may include timestamps and the duration of the call, as well as unique identifiers for the parties on the call and communication service providers (CSPs) involved. Thus, LEAs gain lawful access to metadata associated with OTT voice or video calls.
CDR data can provide direct insight into the behaviors and interactions of people of interest, including expanding their circle of contacts and influence or establishing patterns of life. The unique identifiers in the reconstructed CDR can also be the basis for creating broader profiles of all the individuals involved, including their phone numbers and international mobile subscriber identity (IMSI).
SS8’s lawful intelligence platform applies a schema to legally intercepted data based on these attributes, providing insights such as the physical locations and IP addresses of communication participants, as well as connections to third-party data from sources such as other devices and networks of interest. That visibility can reveal new communications and behaviors of investigation subjects, giving LEAs a lawful advantage.
The need for messaging and communication metadata from platforms such as WhatsApp and Signal is a good example of how technology can fill gaps in the timely availability of lawful intelligence data from official channels. The reconstruction and enrichment of CDR metadata using the SS8 platform is an effective and ethical approach for LEAs outside the US to obtain lawful access to details about OTT communications that would otherwise remain hidden, advancing investigations and protecting the public good.
About the authors
Dr. Cemal Dikmen – as SS8’s CTO, Cemal plays an integral role in the company’s strategic direction, development, and future growth. A renowned expert and thought leader in the legal compliance and communications analysis domain, he has been a frequent speaker at various industry conferences over the past 10 years. Cemal holds BS, MS, and PhD degrees in Electrical Engineering.
David Anstiss is a Senior Solutions Architect at SS8 Networks. He has been with SS8 since 2015 and has significant experience in critical network architecture technology and advanced data analytics. He is responsible for working with both intelligence agencies and Communication Service Providers (CSPs) around the world and is instrumental in helping them transition to 5G, defining system requirements to meet regulatory compliance. As a member of ETSI, he represents SS8 to ensure the adoption of cloud-native infrastructure is met with industry best practices and to guarantee that compliance of lawful interception is maintained.