What data can Google and WhatsApp give about their users after a court order, as in the case of the attorney general?

The judicial case opened against Álvaro García Ortiz, attorney general of the State, continues to move forward to try to settle his responsibility in the leak to the media of Alberto Gómez Amador’s tax filepartner of Isabel Díaz Ayuso. After the procedures to track the prosecutor’s telephone numbers and requesting call information from telephone companiesnow Judge Ángel Hurtado will ask WhatsApp and Google to help recover messages of the applications installed on García Ortiz’s two cell phones and in his email account.

At the request of the Central Operational Unit (UCO) of the Civil Guard, Judge Hurtado has ordered the issuance of a rogatory commission to the two technology companies so that they provide all the required data and know precisely if the prosecutor was involved in the leak. to the media about the emails between Gómez Amador’s lawyer and the Prosecutor’s Office. For this, requests WhatsApp for messages received and/or sent by the userchat backups and communication logs.

Regarding Google, the judge of the Criminal Chamber of the Supreme Court requests the data stored in the services and products linked to the accountbackups of linked devices, third-party applications, chats and communication logs, with crucial data such as date, time, origin, destination or type of communication.

State security forces have the power to ask companies for copies of information that is related to an ongoing investigation. However, “access to these companies that usually operate or have their data outside the European Union is very limited,” according to statements to EL ESPAÑOL – El Androide Libre de David del Olmoforensic computer expert specialized in mobile devices.

Requests for rogatory commissions and judicial authorizations are usually slow, and according to the expert, “in many cases we will only obtain access data, but not the content of the messages, which is encrypted“. In that case it would be necessary to “perform a forensic analysis on the mobile device and then compare the data with the operator, if it wants to collaborate.” EL ESPAÑOL – El Androide Libre has contacted representatives of Google and WhatsApp in Spain, but until the closing of this edition they have not made any statements and refer to their respective privacy policies.

This is how WhatsApp manages

In the case of WhatsApp, the Meta company ensures in your Help Center that “does not disclose the content of its users’ messages in response to government requestsand it can’t do that either.” End-to-end encryption “ensures that only you and the person you communicate with can read or hear what you send.” The text, image or video leaves the device sending it encrypted and It remains that way until it reaches the mobile phone designated as the recipient. Nobody, not even WhatsApp itself, can consult the content.

Currently, when companies like Meta receive, through a court order, a request to inform the police or a judge of a suspect or accused in a criminal investigation, they can provide data such as name, contacts, active hours and other information, but never the content of the messages, which is protected with end-to-end encryption protocol. That information is only kept on the phone used or, if the user chooses, in the phone’s cloud-based backup associated with a Drive account.

Government agencies send requests for user data to WhatsApp, more than 300,000 between January and June 2024 internationally, according to the latest report published by Meta. In the case of Spain, the figure drops to 3,100 requests in legal processes corresponding to 5,765 accounts or users, with 66.3% of cases in which requests produced some dataalthough these are not specified.

To check if these requests comply with applicable laws and WhatsApp privacy policiesthe company “has a specialized and trained compliance team that reviews and evaluates each government request for user data, in order to determine whether the request was sent in the context of an emergency or as a legal process originating from authorities police or government”.

If the mobile phone from which the communications were made is found, David del Olmo explains that, in the case of WhatsApp, the information “is stored in the local database on the device, so recovering deleted messages without access to backup is technically possible in some cases.” Everything will depend “on the appropriate tools, the level of encryption and the possible physical or logical limitations of the device.”

This is how Google manages

For its part, the Internet giant explains very clearly how it proceeds in these cases in the terms of service published on their website. “At Google we receive requests for the disclosure of information about users from public bodies around the world. We carefully review each of these requests to ensure that it complies with applicable laws,” they say in the section ‘How Google handles government requests for user information‘.

“If a request asks for too much information, we try to limit it and, In some cases, we refuse to provide the information in its entirety. In the Transparency Report, we publish the number and type of requests we receive,” they conclude.

Still, there is a nuance, since the response to these requests depends on which Google service provider is: Google LLC, being based in the US, is governed by US law, while Google Ireland Limited, the provider of Mountain View services in Europeoperates under Irish law.

Every six months, and for the sake of transparency, Google publishes a detailed report on the number of government requests for user information and the number of accounts subject to these requests, which can give a reliable clue about the final result of the proceedings requested by the magistrate of the Supreme.

In the last recorded period, from January to June 2024, Google received more than 7,180 government requests for information corresponding to 11,368 accounts around the world. Of all of them, In 85% of the cases (an average also applicable to Spain) data were generatedalthough the company does not specify the type or detail of that information.

In the case of emails, in principle, they are not protected by end-to-end encryption (as is the case with instant messaging applications such as WhatsApp). For some time now, Gmail users have had the Confidential Mode, a padlock that allows you to “encrypt emails on the client side” and whose recipients will not be able to forward, copy, print or download the email, unless they have the password defined by the sender.

In any case, if after detailed review by its legal team, Google sends the data required by the judge, the judge will be able to access the user’s registration information (name, account creation information, email addresses associated, telephone number…), the login IP addresses and the timestamps corresponding to each emailand even to their content.