What’s the news: “…push notifications for Signal NEVER contain sensitive unencrypted data & do not reveal the contents of any Signal messages or calls – not to Apple, not to Google, not to anyone but you & the people you’re talking to,” said Meredith Whittaker, President of Signal Foundation, stated in a tweet dated December 12, 2023. Her ‘Public Service Announcement’ or PSA as she called it was in response to a recent letter by a US Senator stating that Google’s and Apple’s push notification data includes sensitive user metadata.
What’s the push notification controversy? Earlier, US Senator Ron Wyden wrote to the Department of Justice (DOJ) about how government agencies demand smartphone push notification records from Google and Apple to spy on users. He asked that the companies be allowed to inform their customers and the public about such demands by government agencies for notifications-related data. Even in India, law enforcement agencies have picked up on this new form of metadata acquisition. MediaNama has written an in-depth story on how the police in India have made similar demands to go after suspects.
Signal does not share message or sender details: Whittaker claimed that push notifications in Signal “act as a ping that tells the app to wake up.” The notifications are processed on the user’s device and do not reveal who sent the message or who is calling.
In Signal, push notifications simply act as a ping that tells the app to wake up. They don't reveal who sent the message or who is calling (not to Apple, Google, or anyone). Notifications are processed entirely on your device. This is different from many other apps. 2/
— Meredith Whittaker (@mer__edith) December 11, 2023
Another X (formerly known as the Twitter microblogging platform) user pointed out that rather than the exposure of the text, the bigger issue is that “the push gets sent at all, not what’s in it. It lets an attacker identify somebody by *when* they get messages, messages the attacker may even have sent.”
To this, Whittaker replied, “So this is an issue worth clarifying. It’s not possible [right now] to build a mass [communications] app [without] push notifications, [especially with] calling. This is a problem, we agree.”
There's confusion post-Wyden letter on whether message contents/sender IDs are contained in push notifications. So this is an issue worth clarifying. It's not possible rn to build a mass comms app w/o push notifications, esp w calling. This is a problem, we agree.
— Meredith Whittaker (@mer__edith) December 11, 2023
No other alternative for push notifications: Whittaker said in the thread that currently there is no other way to send push notifications to users. Google users have a “battery destroying push option” and Apple offers no other alternative to apps.
Apple simply doesn’t let you do it another way. And Google, well you could (and we've tried), but the cost to battery life is devastating for performance, rendering this a false option if you want to build a usable, practical, dependable app for people all over the world.* 4/
— Meredith Whittaker (@mer__edith) December 11, 2023
STAY ON TOP OF TECH NEWS: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!
Also Read:
- Government Agencies Demand Push Notification Data From Apple, Google To Spy On Users: US Senator
- How India’s Police Is Using Metadata
- Signal’s Meredith Whittaker Discusses Challenges Of Client-Side Scanning And The Battle For Encryption
- Multiple Indian MPs, Journalists Receive Alerts From Apple That Their Phones May Be Targets Of State Surveillance