Push notifications can reveal more than you'd expect

Photograph: Teera Konakan/Getty Images

According to a U.S. politician, Apple and Google have been forced by unnamed governments to hand over to authorities data about push notifications sent to iPhones and Android phones. In an open letter to the U.S. Attorney General, Ron Wyden, who represents the state of Oregon in the U.S. Senate, writes that he received a tip to this effect in the spring of 2022. According to the report, unnamed "foreign governments" were requiring the two companies to hand over the relevant records.

The term push notification refers to all those short messages that alert you to new messages or information on your smartphone. For example, a push notification can tell you that new WhatsApp messages, SMS or e-mails have arrived, that you wanted to remember to buy butter, that new videos have been uploaded to YouTube or that the doorbell camera has recognized a parcel carrier at the front door. As a rule, these tidbits of information are accompanied by a short message tone or, if the mobile phone is muted, by a vibration.

On their own, these notifications may seem insignificant to an outsider, but taken together, they can help build a personality profile. The records show at what time a user received notifications from which apps and which Apple or Google account is logged in on the respective device. However, the data may also contain the text displayed on the recipient's screen. The Reuters news agency writes, citing "people familiar with the proceedings," that U.S. authorities have also made such requests to the two companies, for example to get clues to the identity of anonymous users of messaging apps.

Sworn to silence

The two companies have information about such communications because they act as middlemen between apps and users in this system. As Wyden explains, push notifications are not delivered directly by the respective apps themselves. Rather, on the way from the app to the recipient's smartphone, they have to pass through a cloud system of the respective provider, which is called "Push Notification Service" by Apple and "Firebase Cloud Messaging" by Google.

In his letter, the U.S. senator explains that his staff followed up on the tip and also contacted the two companies. The companies said that the government had prohibited them from publishing "information about this practice". Wyden is now calling on the attorney general to allow companies to notify the public of such requests for data release, "particularly from foreign governments."

"These companies should generally be allowed to disclose whether they have been coerced into supporting this surveillance practice, and they should be allowed to publish aggregate statistics on the number of requests they receive," Wyden writes. He also calls for companies to be allowed to "inform customers about requests for their data" unless they are prevented from doing so by a court order.

The silence broken

In a statement, Apple said the U.S. government had prohibited the company from publishing information on the matter. Now that Senator Wyden has made the issue public, "these types of requests" will be detailed in the company's future transparency reports. Google said it shares the politician's desire to "inform users about these requests." The U.S. Department of Justice declined to comment when asked by Reuters.

According to the Washington Post, Apple also promptly updated its procedural rules for data requests from U.S. government and law enforcement agencies. The rules now state that the Apple ID linked to a push notification "can be obtained through a subpoena or other legal process." Google, on the other hand, told the newspaper that it requires at least a court order in such cases. To obtain one, investigators would have to convince a judge that "the requested data is relevant and essential to an ongoing criminal investigation."

Mak