Various unidentified governments are surveilling smartphone users via the push notifications sent by apps.

Push notifications are the little pop-ups that appear on iPhones and Android smartphones with information from apps, such as incoming messages, details about a sports game, emails and more. Most smartphone users rely on these notifications to see incoming information, but few realize the notifications travel through Apple and Google servers.

The revelation came via a letter sent by U.S. Senator Ron Wyden to Attorney General Merrick Garland, in which Wyden requested Garland lift a gag order preventing Apple and Google from publicly sharing the information.

Wyden wrote that his office received a tip that foreign government agencies were demanding push notification records from Google and Apple. When Wyden’s staff looked into the practice, the companies said they couldn’t share information because of the gag order.

Further, Reuters reported that a source familiar with the matter confirmed that both foreign and U.S. government agencies sought push notification data. While the source declined to identify which governments were involved, they described them as “democracies allied to the United States.”

Apple and Google both operate services that facilitate the delivery of push notifications for their respective smartphone platforms. Android uses Google’s Firebase Cloud Messaging, while iPhones use Apple’s Push Notification Service. App developers rely on these services to reliably deliver notifications and don’t have many alternate options. As such, Apple and Google are intermediaries in the notification transmission process, which means they potentially hold significant amounts of related data. That includes metadata, like which app received a notification and which associated Apple or Google account received that notification. And if developers don’t encrypt the content of push notifications, Apple and Google could have that information, too.

Wyden requests in the letter that Apple and Google be permitted to be transparent about government demands for data. Moreover, Wyden asked that the companies be allowed to reveal whether they were compelled to facilitate the surveillance practice, publish aggregate statistics about the number of demands they receive, and notify specific customers about demands for their data.

Apple updates law enforcement guidelines

Following Wyden’s letter revealing the push notification surveillance practice, Apple updated its ‘Legal Process Guidelines.’ The update details Apple’s obligation to comply with law enforcement requests for Apple ID information associated with push notifications.

As spotted by MacRumors, an update to the ‘Information Available from Apple’ section reads:

“When users allow an application they have installed to procure push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device. Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media.

“The Apple ID associated with a registered APNs token may be obtained with a subpoena or greater legal process.”

Both Apple and Google confirmed they were prohibited from sharing information regarding push notification surveillance, but after Wyden’s letter went public, the companies had a legal opening to provide details.

Moreover, The Washington Post says it found over two dozen search warrant applications and other documents in court records. Many of the records were redacted, but the Post found nine documents related to searches for January 6th rioters and two documents seeking data on suspects accused of money laundering and distributing child sexual abuse material.

MobileSyrup has reached out to both Apple and Google regarding the practice.

Source: Senator Wyden. Via: Reuters, The Washington Post, MacRumors