US Senator Ron Wyden (D-OR) warned in a letter to the Department of Justice that unknown governments are spying on Apple and Google phone users through their push notifications. The letter says his office received a tip last year that government agencies in foreign countries were “demanding” push notification files from the tech giants.
Push notifications are pop-up messages that appear on the lock screen and home screen to notify you of new messages, updates, breaking news, and other app updates. Since those push notifications go through Apple and Google’s servers, the tech giants are “in a unique position to facilitate government monitoring of how users use certain apps,” said Wyden, who sits on the Senate Intelligence Committee, in the letter, which was shared with TechCrunch.
Wyden notes that Apple and Google can “covertly be compelled by governments to hand over this information.”
“Apple and Google should be able to be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users of other types of government data demands,” Wyden wrote in the letter.
“These companies should be able to generally disclose whether they have been forced to facilitate this tracking practice, publish aggregate statistics about the number of requests they receive and, unless temporarily enjoined by a court, notify specific customers of their data requirements.”
Wyden called on the Justice Department to repeal or modify “any policies that impede this transparency.”
The letter was first reported by Reuters.
Data from these push notifications provides Apple and Google with information about which app received a notification and when, in addition to details about the phone and Apple or Google account associated with the notification. The letter explains that in some cases, companies may also receive encrypted content, which could include the actual text shown in the notification.
Wyden’s letter does not specify which foreign governments requested push notification information from Apple and Google.
Reuters reports, citing a source, that foreign and US government agencies have asked Apple and Google for metadata from push notifications, including information linking pseudonymous app users to specific Apple or Google accounts.
In an email to TechCrunch, Apple spokesman Shane Bauer said the federal government has blocked the tech giant from sharing any information on the matter.
“Apple is committed to transparency, and we’ve long been supporters of efforts to ensure that carriers are able to disclose as much information as possible to their users,” an Apple spokesperson said. “In this case, the federal government prohibited us from sharing any information, and now that this method has been made public, we are updating our transparency reports to detail these types of requests.”
Apple said it will begin detailing the push notification requests it has received in its next transparency report.
Google spokesman Matt Bryant told TechCrunch that the company shares Wyden’s commitment to informing users about these requests.
“We were the first major company to release a public transparency report sharing the number and types of government requests for user data we receive, including the requests cited by Senator Wyden,” the statement said.
A search warrant filed in California in connection with a felony theft case details how push notification requests can be used to obtain information about a person. The search warrant, seen by TechCrunch, includes a section where an FBI special agent writes that when a user installs and downloads an app, the app directs their phone to obtain a push token, which is a unique identifier that allows Google to identify which device the application is installed on.
“After the applicable push notification service (e.g., Apple Push Notifications (APN) or Google Cloud Messaging) sends a Push Token to the device, the Token is then sent to the application, which in turn sends the Push Token to the server of the application/provider,” the filing states. Then, every time a company sends push notifications to a person’s device, it also sends Push Tokens.
The filing then notes that Google’s servers contain “useful information that may help identify the specific device(s) a particular subscriber is using to access the subscriber’s Google Account through the mobile app.”
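The token flow described in the filing can be modeled in a few lines to show which records end up on which server. This is an added illustration, not code from Apple, Google or the filing; the class names, the account, the pseudonym and the timestamps are all constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class PushService:
    """Hypothetical stand-in for the push notification service (not a real API)."""
    tokens: dict = field(default_factory=dict)      # token -> (account, device, app)
    deliveries: list = field(default_factory=list)  # (timestamp, app, token)

    def register(self, account, device, app):
        token = secrets.token_hex(8)                # unique identifier issued to the device
        self.tokens[token] = (account, device, app)
        return token

    def deliver(self, token, timestamp, payload):
        # This model keeps delivery metadata only; the payload is relayed, not stored.
        app = self.tokens[token][2]
        self.deliveries.append((timestamp, app, token))

    def records_for_token(self, token):
        """Everything the service holds that is keyed to one push token."""
        account, device, app = self.tokens[token]
        times = [ts for ts, _, t in self.deliveries if t == token]
        return {"account": account, "device": device, "app": app, "delivery_times": times}

@dataclass
class AppServer:
    """The app provider's server: it knows only a pseudonym and the token."""
    app: str
    push: PushService
    user_tokens: dict = field(default_factory=dict)  # pseudonym -> token

    def enroll(self, pseudonym, token):
        self.user_tokens[pseudonym] = token          # app forwards its token to the provider

    def notify(self, pseudonym, timestamp, text):
        self.push.deliver(self.user_tokens[pseudonym], timestamp, text)

def run_demo():
    push = PushService()
    app = AppServer("chat.example", push)
    token = push.register("alice@example.com", "phone-1", "chat.example")
    app.enroll("night_owl_42", token)
    app.notify("night_owl_42", "2023-12-06T09:00Z", "new message")
    app.notify("night_owl_42", "2023-12-06T21:30Z", "new message")
    # The token is the join key between the pseudonym and the platform account.
    return push.records_for_token(app.user_tokens["night_owl_42"])
```

The app server never stores the platform account and the push service never stores the pseudonym, yet the shared token ties the two record sets together.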
404 Media previously reported another court case in which push notification records were received using similar boilerplate language.