Push Notifications Pull to the Forefront
by Michael Dean Thompson
The convergence of web technologies with handheld computing devices and high-capacity, inexpensive storage has led to a remarkable new era of corporate data collection most people would find shockingly invasive. Criminal Legal News has covered how, in the process of plumbing the depths of available corporate data, cops have exposed innocent Americans to precisely the kinds of general warrant dragnets the framers of the Constitution sought to prevent. And as the number of devices tracking consumer behavior increases alongside their functionality, the number of potential surveillance vectors goes up as well. Criminal Legal News previously covered the potential of push notifications providing fodder for general searches. Thanks to Senator Wyden (D., Ore.), we now know how cops are doing just that.
Our insight into the issue began when Sen. Wyden wrote a letter to the Department of Justice (“DOJ”) about the ways foreign governments were demanding Google and Apple handover user data. In addition to collecting data that describes communications such as keyword searches and app use (a.k.a. metadata) as well as location data, these foreign governments were demanding information about push notifications.
Much like location data, push notifications are passive events from a user’s perspective. By virtue of having downloaded an app, the users can find themselves receiving notifications the app provider believes to be of interest to the user. For example, a news app may issue push notifications regarding political news, or a music app may push notices of a recent upload by a particular artist. As a result, the governments could learn which apps a person uses, the devices the person uses to access the app, and that user’s interests. The actual content of the push notification may not be known but can be easily obtained from the app developer as a simple next step. Wired has discovered the FBI used a search warrant in 2021 to request details of two accounts at Facebook, including a specific mention of push notifications.
It appears DOJ policies have prevented companies like Apple and Google from openly discussing how governments have been using push notification data. In his letter to the DOJ, Sen. Wyden said, “Apple and Google should be permitted to be transparent about the demands they receive.” He went on to state that unless a court imposes a temporary gag order on the companies, they should be allowed “to notify specific customers about demands for their data. I would ask that the DOJ repeal or modify any policies that impede this transparency.”
As a result, Apple has issued a statement confirming that DOJ policies were in the way. “In this case, the federal government prohibited us from sharing information,” according to Apple. The company went on to add, “Now that this method has become public, we are updating our transparency reporting to detail these kinds of requests.”
Google concurred, with a spokesperson claiming to Wired that it had been releasing the data all along. “We were the first major company to publish a public transparency report sharing the number and types of government requests for user data we receive, including the requests referred to by Sen. Wyden.” It turns out that Google had been aggregating the requests with others into a more generic category. That category, Google Cloud Platform data, revealed 175 requests by the U.S. government from December 2019 to December 2022. Among those, 13 requests were accompanied by a search warrant. Yet, due to the aggregation, we cannot be clear how many of those were actually push notification queries.
Tim Harwick says on Macrumors.com that the government is reported to have been using push notification queries to tie user accounts to messaging apps. That makes sense, especially with regard to encrypted messaging apps. Even if the app developers comply with Apple’s recommendations, for example, and encrypts the push notification message before submitting, the metadata of the message is still available. Apple likewise suggests that push notification payloads not include personal or private information. Yet, such feature usage is not enforced and may render the entire message accessible in a single step by a government agency.
These continued invasions of privacy highlight how the hording habits of corporations with regard to consumer data generate unnecessary risks to consumer privacy and civil liberties. Federal laws require that these same corporations make public disclosures when nefarious actors raid their systems. However, federal policies apparently prevent the open discussion of how government agencies raid the very same data stashes. Senator Wyden is correct to demand change in federal policies toward transparency. Unfortunately, that seems to go against the very nature of our secretive policing agencies, especially since corporations seem to be such compliant bedfellows.
Unless there is a radical change in data collection behavior, the best bet will always be to maintain your own data hygiene, starting with minimizing the number of apps installed on your device.
Sources: techdirt.com, wired.com, macrumors.com