Paul Manafort’s Terrible Encrypted Messaging OPSEC Got Him Additional Charges

Don’t commit crimes. But if you do, don’t back up the evidence of your crimes to Apple or Google’s cloud, where it doesn’t matter that the evidence was originally end-to-end encrypted.

|
Jun 5 2018, 2:54pm

Image: Shutterstock

President Trump’s former campaign chairman and former lobbyist for dictators Paul Manafort was accused of trying to tamper with witnesses in his own case Monday.

Federal prosecutors working for special counsel Robert Mueller III accused Manafort of attempting to contact witnesses using the encrypted messaging app WhatsApp in an attempt to persuade them to commit perjury, as one of the witnesses put it to the FBI, according to court documents. The evidence obtained by the FBI was a result of Manafort’s awful OPSEC.

Read more: The Motherboard Guide To Not Getting Hacked

First of all, two witnesses contacted by Manafort provided the messages to the feds effectively selling him out. End-to-end encrypted messages are no good if the person you’re sending them to is going to hand them over to the people you’re trying to hide them from.

But Manafort also owned himself in this case.

As it turns out, Manafort was backing up information from his WhatsApp to Apple’s iCloud, where data is not encrypted and is thus available to police armed with a valid search warrant.

The point of using an end-to-end encrypted messaging app like WhatsApp is that the messages travelling through the internet are unreadable to anyone who intercepts them, making wiretapping them all but impossible. But if you keep those messages on your device, or worse, you back them up unencrypted to the cloud—be it iCloud or Google Drive—you open the door for authorities to obtain them with court orders, effectively making the original encryption pointless.

Some messaging apps specifically protect against this scenario by not allowing backups. Signal or Wire, for example, don’t have backup features. Moreover, both messaging apps allow users to set up messages to self-destruct, meaning the apps delete the messages from both sender and receiver’s devices after a certain amount of time. This makes it harder for authorities, or bad guys, to retrieve the messages even if they get their hands on the phone.

Perhaps Paul Manafort should’ve read our guide on how to avoid state and law enforcement surveillance.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv

Get six of our favorite Motherboard stories every day by signing up for our newsletter .