US Senator Ron Wyden (D-OR) has claimed that Google and Apple can be compelled by American and foreign law enforcement agencies to discreetly hand over push notification data.
The explosive revelation came to light as the senator wrote a letter to the US Department of Justice (DOJ) demanding a change in regulations.
“In the spring of 2022, my office received a tip that government agencies in foreign countries were demanding smartphone ‘push’ notification records from Google and Apple.”
Ron Wyden
How Are Law Enforcement Agencies Spying Through Push Notifications?
Push notifications are delivered using Google’s Firebase Cloud Messaging on Android and Apple’s Push Notification Service on iOS. On both platforms, every user is assigned a “push token”. This token is then transferred between the push notification service on the respective platform and the app.
The senator also claimed that his staff have been investigating the tip over the past year and have been in touch with both tech giants in question.
Law enforcement agencies can make use of these push tokens to identify a user and find out who they might have been communicating with.
To do this, they first need to approach the app developer and obtain the necessary push token. Once equipped with the token, they can bring it to the OS maker (in this case, Apple or Google) to request information on the account associated with the token, including metadata linked to the push notifications.
Governments can reportedly track a variety of information this way, including the apps used by a person, specific times when push notifications were received, the phone associated with a certain Apple or Google account, and so on.
The metadata shared by the operating system maker doesn’t usually include the content of the notifications. However, law enforcement agencies can still use the information from the push tokens to make additional requests for the content of specific pushes.
They can sometimes receive unencrypted content, too, which might range from the backend directives of an app to the text displayed in the push notification.
The current regulations put companies like Apple and Google in a unique position where they are compelled to discreetly help governments spy on how certain apps are being used, Wyden wrote in his letter.
When the senator’s staff enquired with Google and Apple about the practice, they were reportedly told that government policies restrict companies from sharing any information about it with the public.
Wyden Calls for Increased Transparency on Push Notification Surveillance
Demanding a change in policies, Ron Wyden asked the DOJ to repeal any laws restricting transparency about compelled surveillance. Unless prevented by a specific court order, companies should also be able to notify individual users if they are under surveillance, the senator wrote.
Though the letter mentioned only unspecified foreign governments as having requested push notification records from Google and Apple, the FBI has done the same.
Following the attack on the US Capitol in 2021, an FBI agent submitted a search warrant application to the Washington DC district court. The application, which requested information on two accounts controlled by Facebook, specifically included a request to use push notification tokens,
The Department of Justice has yet to reveal whether it intends to honor Senator Wyden’s request. However, Apple released a statement saying that the letter has given it the opening it needed to publicly share more details on governmental surveillance of push notifications.
Now that the practice has become public knowledge, the company will soon be updating its transparency reporting to reflect push notification information requests.