Update: Apple issued the following statement to 9to5Mac:
Apple is committed to transparency and we have long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users. In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests
Apple has confirmed that foreign governments have been carrying out what has been described as “push notification spying,” stating that the company was not previously allowed to disclose the practice.
Governments have been serving both Apple and Google with secret legal orders to hand over details of the push notifications sent to iPhones and Android smartphones …
Push notification spying
The privacy concern came to light after Senator Ron Wyden – a member of the Senate intelligence committee – received a tip, and decided to investigate.
In the spring of 2022, my office received a tip that government agencies in foreign countries were demanding smartphone “push” notification records from Google and Apple. My staff have been investigating this tip for the past year […]
Push notifications […] aren’t sent directly from the app provider to users’ smartphones. Instead, they pass through a kind of digital post office run by the phone’s operating system provider. For iPhones, this service is provided by Apple’s Push Notification Service; for Android phones, it’s Google’s Firebase Cloud Messaging. These services ensure timely and efficient delivery of notifications, but this also means that Apple and Google serve as intermediaries in the transmission process.
As with all of the other information these companies store for or about their users, because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information.
Wyden says that he wrote to both Apple and Google, asking them to confirm that this was happening, and both told him that information on this was “restricted from public release” by the US government.
Importantly, this means that Apple has not been able to reveal the practice in its annual transparency reports, intended to let people know what data it provides to governments and law enforcement agencies.
Wyden has now made the matter public
Sen. Wyden has now written an open letter to the US Department of Justice, asking them to rescind the secrecy requirement.
Apple and Google should be permitted to be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users about other types of government demands for data. These companies should be permitted to generally reveal whether they have been compelled to facilitate this surveillance practice, to publish aggregate statistics about the number of demands they receive, and unless temporarily gagged by a court, to notify specific customers about demands for their data. I would ask that the DOJ repeal or modify any policies that impede this transparency.
That’s a clever move, because by putting the information into the public domain, it means that the secrecy requirements previously imposed on Apple and Google no longer apply. That means that – regardless of the DOJ’s response – Apple can now include the data in its transparency report. Indeed, the company told Reuters that it is already doing so.
“In this case, the federal government prohibited us from sharing any information,” the company said in a statement. “Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”
What can push data reveal?
The first important point to make is that, if you are using end-to-end encrypted messaging services like iMessage and WhatsApp, that encryption still protects the messages – even if you’ve set your iPhone to preview the content.
Your iPhone still needs to carry out the decryption on receipt, so Apple would not have the message content to pass onto any government demanding it.
But push data can still reveal a lot about you. Even push notifications from apps as innocuous as food delivery services might reveal where a delivery is coming from, and therefore your approximate location. An Uber notification might contain a message from a driver telling you where to meet. And so on.
Patterns of data could also reveal a lot. For example, if a foreign government was obtaining your iMessage push data – and that of one of your contacts – then even without the actual message content, they could see the two of you were exchanging lot of messages on a particular day. That could be tied to known events to draw conclusions about the likely content of those messages.
For example, imagine a US journalist exchanging messages with a Chinese whistleblower about human rights abuses. A report on the abuses appears today, and the push data shows that the source and journalist exchanged many back-and-forth messages yesterday. That could easily be enough to confirm the source of the leak.
What will happen now?
Now that the practice is public, Apple will begin including the data in its transparency reports. While these don’t reveal the targets of such surveillance, we will at least be able to see the scale of the issue, and the nation states involved.
You can read Wyden’s letter here.
Photo: Jamie Street/Unsplash
FTC: We use income earning auto affiliate links. More.
Comments