Date: 2023-12-07

Government agencies demand smartphone push notification records from Google and Apple to spy on users, a letter written by US Senator Ron Wyden to the Department of Justice (DOJ) revealed, Reuters reported.

This is a new form of government demand for metadata that hasn’t received much attention previously. For context, we’ve written an in-depth story on how the police in India use various types of metadata to go after suspects.

Wyden did not name any particular country but said that “Apple and Google should be permitted to be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users about other types of government demands for data.”

The senator urged the DOJ to permit Apple and Google to inform their customers and the general public about such demands by government agencies for notifications-related data since the two companies informed the senator’s office that “this practice is restricted from public release by the government.”

What are push notifications and how do they work?

“Push notifications are the instant alerts delivered to smartphone users by apps, such as a notification about a new text message or a news update. They aren’t sent directly from the app provider to users’ smartphones. Instead, they pass through a kind of digital post office run by the phone’s operating system provider. For iPhones, this service is provided by Apple’s Push Notification Service; for Android phones, it’s Google’s Firebase Cloud Messaging. These services ensure timely and efficient delivery of notifications, but this also means that Apple and Google serve as intermediaries in the transmission process,” the letter explained.

Essentially, all the content displayed in notifications passes through Apple or Google servers. For instance, while your WhatsApp message passes through WhatsApp’s servers, the details shown in the message notification, such as sender details, time, and a preview of the message, pass through Apple’s or Google’s servers, depending on whether you’re on iOS or Android.

What metadata is available in notifications?

“The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered. In certain instances, they might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification,” the letter explained.

How does this enable government agencies to spy on users?

Notifications contain metadata that otherwise would have been hard or impossible for the government to get. “As with all of the other information these companies store for or about their users, because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information. […] Consequently, Apple and Google are in a unique position to facilitate government surveillance of how users are using particular apps,” the letter remarked.

Can app developers not encrypt the contents of the notifications?

App developers can encrypt some of the contents of notifications, but this requires additional steps and doesn’t happen by default, which leaves many developers sending content unencrypted.

“For example, this Android dev center article describes how to use Firebase Cloud Messaging, and specifically recommends adding message content to the payload. End-to-end encryption is possible but requires extra work and libraries, it isn’t native.” https://t.co/LLFOJM17qJ — Matthew Green (@matthew_d_green), December 6, 2023
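The difference described above, as an added example that is not from the original article, Apple or Google: the same notification built once with readable text and once with the text encrypted before it is handed to the push service. The message fields (token, notification, data) are modeled on Firebase Cloud Messaging; the pre-shared key, the function names and the sample values are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: the app server and the device already share this key through the
// app's own key exchange; the push service never receives it.
const sharedKey = crypto.randomBytes(32);

// Server side: AES-256-GCM over the notification fields -> base64(iv | tag | ct).
function sealNotification(key, fields) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(fields), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Device side: authenticate and decrypt before showing anything; throws if altered.
function openNotification(key, blob) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Message handed to the push service. Without a key, the text travels in the clear.
function buildPush(deviceToken, fields, key) {
  if (!key) return { token: deviceToken, notification: fields };
  return { token: deviceToken, data: { enc: sealNotification(key, fields) } };
}

// What the intermediary can read from a message it relays.
function relayView(message) {
  const n = message.notification;
  return {
    deviceToken: message.token,                        // metadata: visible either way
    readableText: n ? `${n.title}: ${n.body}` : null,  // content: only when unencrypted
  };
}

// Constructed sample values.
const token = 'constructed-device-token-0001';
const fields = { title: 'Alice', body: 'See you at 6' };
const plainPush = buildPush(token, fields);
const sealedPush = buildPush(token, fields, sharedKey);

console.log(relayView(plainPush));
console.log(relayView(sealedPush));
console.log(openNotification(sharedKey, sealedPush.data.enc));
```

In both cases the device token and the time of delivery stay visible to the relay, which is the metadata the letter describes; encryption only removes the readable text.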

Apple response: Apple told Reuters that the senator’s letter gave the company the opening they needed to share more details about how governments monitored push notifications. “Now that this method has become public we are updating our transparency reporting to detail these kinds of requests,” the company said.

Google response: “We were the first major company to publish a public transparency report sharing the number and types of government requests for user data we receive, including the requests referred to by Senator Wyden. We share the Senator’s commitment to keeping users informed about these requests,” Google told 404 Media.

For more reading on this:

Here’s a Warrant Showing the U.S. Government is Monitoring Push Notifications (Joseph Cox/404 Media)

Authorities ask Apple and Google about users of messenger apps (Andre Meister/Netzpolitik.org) [In German]

