New ways that law enforcement spies: push notifications


This is the latest privacy violation on a grand scale. On December 6th, news sources revealed that law enforcement can conduct, and has been conducting, surveillance on iOS and Android devices by eavesdropping on push notifications, irrespective of whether users of these smart devices employ end-to-end encryption. In a nutshell, if a user has secrets to hide, it’s time to turn those push notifications off.

The disclosure was brought to light by US Senator Ron Wyden, an Oregon Democrat. In a letter sent to the Department of Justice (DOJ), he disclosed these government surveillance methods, explaining that his office received a tip earlier the previous year that foreign government agencies were “demanding smartphone ‘push’ notification records from Google and Apple.” The DOJ has offered no comments to media inquiries.

Moreover, when his investigative staff asked Google and Apple about the practice, they were informed that the government prohibited information about it from being released to the public. In other words, the companies were compelled to silence by a gag order. Now that the Senator’s letter is public, the tech giants are no longer compelled by the order to remain silent.


Companies like Apple and Google don’t satisfy every government request to hand over customer information and data. They comply with legally valid requests, which means they don’t comply with frivolous ones. Apple has fought law enforcement in the past to protect its users. But when it comes to a court-sanctioned gag order with legal consequences in force, the narrative changes due to legal coercion.

Understanding the push notification loophole

The battle for online privacy has been an all-out tug-of-war for over two decades. Governments, especially US intelligence and law enforcement agencies, have been pushing the proverbial envelope off the table for omnipotent power over the digital landscape.

Understanding how this push notification loophole is being exploited is how users can protect themselves against it. This is vital for journalists, political dissidents, activists, and all free speech advocates.

Push notifications are not sent directly from app providers to our smartphones or other smart devices. Read that twice if it helps to sink in what this means for those of us who rely on end-to-end encrypted messaging apps.

“For iPhones, this service is provided by Apple's Push Notification Service; for Android phones, it's Google's Firebase Cloud Messaging,” the letter reads.

For example, this means that the messages we read in our notifications that come from Signal or WhatsApp (or any app) are by design being routed outside the app itself and passed through third-party servers run by the makers of our phones’ operating systems, Google and Apple.

This means apps such as Wire, Signal, Session, and even WhatsApp are rendered useless if users enable push notifications – or notification popups.


“In certain instances, they might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification,” said Wyden.

Every app user is allocated a "push token," which is exchanged between the app and the push notification service of the mobile operating system. Push tokens aren't fixed to a specific user permanently – instead, new tokens may be generated when an individual reinstalls an app or transitions to a different device.

  • For law enforcement to identify an individual, say, a Signal user, and unmask who they are communicating with, they must first contact the app developer and request the push token.
  • From there, they take that information to the operating system maker, Apple or Google, and request the account data associated with the token.
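
As an added illustration (not code from the article, Apple, or Google), the example below contrasts a push payload that carries message text with one that carries only ciphertext, and shows what the relaying push service can read in each case, including the push token that stays visible either way. The token, the key, and the `enc` field name are constructed assumptions; `aps`, `alert`, and `mutable-content` are APNs payload keys.

```javascript
const crypto = require('crypto');

// Constructed sample values: a placeholder token and a demo key that the
// sender and the device are assumed to share already (e.g. an E2EE session key).
const PUSH_TOKEN = 'EXAMPLE-PUSH-TOKEN-0001';
const DEVICE_KEY = crypto.createHash('sha256').update('constructed demo key').digest();

// Weak: the message text rides in the alert, readable by the push service.
function plaintextPush(sender, text) {
  return { token: PUSH_TOKEN, payload: { aps: { alert: { title: sender, body: text } } } };
}

// Hardened: only AES-256-GCM ciphertext is relayed; the app decrypts on the
// device and builds the visible notification locally.
function encryptedPush(sender, text) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', DEVICE_KEY, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify({ sender, text }), 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  return {
    token: PUSH_TOKEN,
    payload: { aps: { 'mutable-content': 1, alert: { title: 'New message' } }, enc: blob },
  };
}

// On-device step: check the authentication tag and recover the message.
function decryptOnDevice(push) {
  const raw = Buffer.from(push.payload.enc, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', DEVICE_KEY, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// What the intermediary can record for one push.
function relayView(push) {
  const alert = push.payload.aps.alert || {};
  return {
    token: push.token, // still ties the push to an account, encrypted or not
    title: alert.title || null,
    body: alert.body || null,
    opaqueBytes: push.payload.enc ? Buffer.from(push.payload.enc, 'base64').length : 0,
  };
}
```

Encrypting the payload hides the text, but the token, the delivery time, and the payload size remain available to the push service, which is the metadata the two-step token request relies on.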

Signal, the widely-used encrypted messaging app, did not respond to media inquiries from various news reporting platforms.

This means that the tech industry, as Wyden puts it, has found itself in “a unique position to facilitate government surveillance of how users are using particular apps.”

The letter went on to explain how app developers are pushed against the wall. On one hand, for their apps to consistently deliver push notifications on these platforms, developers must utilize the services offered by Apple or Google.

On the other hand, Apple and Google are caught in the middle between user privacy, the privacy policies of app developers, and governments demanding that the tech giants be complicit in their secret war against privacy.

Back in February 2021, an FBI agent applied for a search warrant with the US District Court in Washington, DC, seeking to obtain information from two Facebook accounts. The application specifically mentioned the need to obtain push notification tokens and was linked to an investigation into a person accused of participating in the January 6th, 2021, assault on the US Capitol. Media inquiries were sent by news reporting outlets, but Meta (which owns Facebook, WhatsApp, and Instagram) did not respond.

Since the disclosure, Apple has taken the liberty of updating its Law Enforcement Guidelines and will disclose government requests for user push notification data in its transparency reports. Apple’s updated policies state that this information “may be obtained with a subpoena or greater legal process.” Google already publishes push notification requests in its transparency reports.

The end of privacy?


Checks and balances are designed to make sure that no single individual or government agency wields absolute power. They are a regulatory mechanism to prevent governments from exerting their authority at the expense of the interests of a free people. At the same time, no matter what regulatory force operates to ensure limitations exist, we see the scales tipped against privacy every time, with or without congressional consent.

The trump card in the pocket of the US counter-intelligence agencies is almost exclusively that the government needs such powers to fight terrorism, and opposing this agenda gets a person seen as “un-American.” This means that advocating for protecting our privacy is becoming more and more a foreign concept.

Therefore, secret programs and data-collecting techniques have been an inalienable part of living on planet Earth since US dragnet surveillance, which was deemed grossly illegal, was exposed by former CIA contractor Edward Snowden. Regardless of whether data is what it wants, data is what it gets, and every US alphabet soup agency that operates an intelligence apparatus is involved.

The importance of privacy is not merely to develop new apps and online behaviors to sidestep the spooks but to advocate for the plugging up of these legal loopholes. Maybe then, we could all live in an era of privacy and carry that legacy on to future generations for as long as it will last.