Governments use push notification data to spy on smartphone users [Update]

Apple and Google were prohibited from sharing information about push notification surveillance by the U.S. government


Various unidentified governments are surveilling smartphone users via the push notifications sent by apps.

Push notifications are the little pop-ups that appear on iPhones and Android smartphones with information from apps, such as incoming messages, details about a sports game, emails and more. Most smartphone users rely on these notifications to see incoming information, but few realize the notifications travel through Apple and Google servers.

The revelation came via a letter sent by U.S. Senator Ron Wyden to Attorney General Merrick Garland, in which Wyden requested Garland lift a gag order preventing Apple and Google from publicly sharing the information.

Wyden wrote that his office received a tip that foreign government agencies were demanding push notification records from Google and Apple. When Wyden’s staff looked into the practice, the companies said they couldn’t share information because of the gag order.

Further, Reuters reported that a source familiar with the matter confirmed that both foreign and U.S. government agencies sought push notification data. While the source declined to identify which governments were involved, they described them as “democracies allied to the United States.”

Apple and Google both operate services that facilitate the delivery of push notifications for the respective smartphone platforms. Android uses Google’s Firebase Cloud Messaging, while iPhones use Apple’s Push Notification Service. App developers rely on these services to reliably deliver notifications and don’t have many alternate options. As such, Apple and Google are in a position where they are intermediaries in the notification transmission process, which means they have potentially significant amounts of related data. That includes metadata, like which app received a notification and which associated Apple or Google account received that notification. And if developers don’t encrypt the content of push notifications, Apple and Google could have that information, too.
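To illustrate the distinction drawn above, the following Node.js sketch is an added example, not code from Apple, Google or the original article. It compares what a relaying push service can read when an app sends plaintext content versus content encrypted end to end; the request shape, the field names (`deviceToken`, `appId`, `payload`) and the pre-shared key are assumptions made for the illustration.

```javascript
const nodeCrypto = require('crypto');

// Server side: encrypt the notification content with AES-256-GCM under a key
// shared only by the app's server and the app on the device (assumed to exist).
function sealContent(key, content, deviceToken) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(deviceToken)); // bind ciphertext to its recipient
  const ct = Buffer.concat([cipher.update(JSON.stringify(content), 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Device side: authenticate and decrypt; throws if altered or misrouted.
function openContent(key, sealed, deviceToken) {
  const raw = (s) => Buffer.from(s, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw(sealed.iv));
  decipher.setAAD(Buffer.from(deviceToken));
  decipher.setAuthTag(raw(sealed.tag));
  const pt = Buffer.concat([decipher.update(raw(sealed.ct)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// What the relaying push service can read from a request (hypothetical shape).
function providerView(request) {
  const sealed = typeof request.payload.ct === 'string';
  return {
    deviceToken: request.deviceToken, // metadata: visible either way
    appId: request.appId,             // metadata: visible either way
    content: sealed ? '<ciphertext>' : request.payload,
  };
}

// Constructed sample values, not real tokens or app identifiers.
const key = nodeCrypto.randomBytes(32);
const deviceToken = 'constructed-device-token-0001';
const appId = 'com.example.messenger';
const content = { sender: 'alice', text: 'Meet at 6pm' };

const plainRequest = { deviceToken, appId, payload: content };
const sealedRequest = { deviceToken, appId, payload: sealContent(key, content, deviceToken) };

console.log(providerView(plainRequest));  // content readable by the push service
console.log(providerView(sealedRequest)); // only token, app and ciphertext
console.log(openContent(key, sealedRequest.payload, deviceToken));
```

Encrypting the content hides the message text from the intermediary, but the device token and app identifier remain visible in both cases, which is the metadata the article describes.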

Wyden requests in the letter that Apple and Google be permitted to be transparent about government demands for data. Moreover, Wyden asked that the companies be allowed to reveal whether they were compelled to facilitate the surveillance practice, publish aggregate statistics about the number of demands they receive, and notify specific customers about demands for their data.

Apple updates law enforcement guidelines

Following Wyden’s letter revealing the push notification surveillance practice, Apple updated its ‘Legal Process Guidelines.’ The update details Apple’s obligation to comply with law enforcement requests for Apple ID information associated with push notifications.

As spotted by MacRumors, an update to the ‘Information Available from Apple’ section reads:

“When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device. Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media.

“The Apple ID associated with a registered APNs token may be obtained with a subpoena or greater legal process.”

Both Apple and Google confirmed they were prohibited from sharing information regarding push notification surveillance, but after Wyden’s letter went public, the companies had a legal opening to provide details.

Update 07/12/2023 at 12:48pm ET: Apple provided the following statement to MobileSyrup regarding push notification surveillance:

“Apple is committed to transparency and we have long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users. In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

Update 07/12/2023 at 2:04pm ET: Google provided the following statement to MobileSyrup regarding the push notification issue:

“We were the first major company to publish a public transparency report sharing the number and types of government requests for user data we receive, including the requests referred to by Senator Wyden. We share the Senator’s commitment to keeping users informed about these requests.” 

Moreover, The Washington Post says it found over two dozen search warrant applications and other documents in court records. Many of the records were redacted, but the Post found nine documents related to searches for January 6th rioters and two documents seeking data on suspects accused of money laundering and distributing child sexual abuse material.

Source: Senator Wyden. Via: Reuters, The Washington Post, MacRumors
