by Michael Dean Thompson

According to what Cooper Quentin who is a technologist at the Electronic Frontier Foundation told the Washington Post, the government has promised they will only use this latest tool for the most grievous crimes. We have heard that before. We previously heard that with regard to geofencing requests against Google’s location history data. Then cops used Google’s data to track down a wallet theft. We heard similar promises with facial recognition systems, only to discover facial recognition technology had been used to falsely identify a watch thief in New Orleans. Likewise, we now know that push notifications are being used for more than we were promised.

The most outrageous cases do make for good print coverage. The FBI has used push notifications to track down terrorists, child predators, and January 6 suspects. Of the more than 130 cases of government requests for push notification data uncovered by the Washington Post, four of them dealt with child sex abuse materials and a kidnapping that turned into a murder. On the other hand, some of the cases included drug crimes and covid-­relief fraud.

The power of the tool is unmistakable, especially as it can apply to apps that advertise themselves as being secure. LuvEmYoung is an example of a case that demonstrates the horrid nature of the worst crimes and just how surprisingly vulnerable any mobile phone user can be. The owner of the account LuvEmYoung, allegedly a Toledo resident named Michael Aspinwall, went through some effort to withhold his identity as he shared videos with covert agents of his abuse of children, in one case a sleeping four-­year-­old boy. First, he acquired a Swiss private messaging app called TeleGuard, presumably because the developers of TeleGuard advertise that they do not save user data on their servers. But they do offer to notify the user of incoming messages via push notifications and had a push notification token on their servers that tied his device to his Google account.

Armed with the username LuvEmYoung and that he was using the TeleGuard app, a “foreign law enforcement officer” acquired the push notification token associated with that account. The FBI then submitted the push token to Google and asked for the associated account information, including email addresses. It is unclear if Aspinwall actually had the push notifications activated, but Google had recorded that he took the extra effort to use the app on his neighbor’s WiFi and associated their IP address with his account. Aspinwall was arrested within a week after the request to Google was made. After his arrest, Aspinwall confessed to his crimes.

It is difficult to imagine anyone who would not cheer the FBI’s apparent success here. Aspinwall was abusing children known to him as they slept and sharing videos of those crimes over a supposedly secure app while riding his neighbor’s WiFi. Nevertheless, the same functionality that permitted the FBI to easily find him and other predators also might enable a local prosecutor to hunt down women seeking an abortion and using the same types of secure apps to learn about their options in presumed privacy. As Quentin told the Washington Post, “Even if you trust the U.S. right now to use this, you might not trust a new administration to use it in a way you deem ethical.”

It is interesting to note that among the cases discovered by the Washington Post, a number of the push notifications were to encrypted app users. In one case, the government acquired a dual-­factor authentication push token for the internet phone app Talkatone. In two other cases, Amazon’s encrypted messaging app Wickr also gave up its users via push tokens. Daniel Kahn Gillmor, a senior technologist at the American Civil Liberties Union, told the Washington Post, “Down the road, law enforcement could use the tactic to infiltrate a group chat for activists or protestors, whose push tokens might give them away.”

Until recently, the government was able to take advantage of the push notification privacy hole in secret. The Department of Justice had demanded that companies like Apple and Google not release information about the requests. Senator Wyden, a Democrat from Oregon, blew that open when he wrote a letter to Attorney General Merrick Garland regarding the practice and pointing out the practice’s secrecy. Afterward, Apple, which had not been requiring a court order before providing the data, changed its practices and began reporting the requests while also requiring a court order as a result of the letter.

Yet again, this follows the well-­worn path of the government taking advantage of poorly understood invasive technologies to secretly surveil Americans without court oversight. The government’s secret use of Google’s location history and its willingness to drop prosecutions rather than admit its use of cell-­site simulators in court are just a couple of examples. Thanks to Senator Wyden, we can soon hope to see more transparency regarding the government’s use of push notifications. And then, we wait to see what new techniques of secret government surveillance are exposed next.   

Sources: The Washington Post, Wired.com

Subscribe today

Already a subscriber? Login