‘Push’ notifications: A secret spying frontier
In this piece, Kit Klarenberg provides valuable insight into how push notifications are being used by governments to spy on users.
On December 6, US Senator Ron Wyden dispatched a strongly-worded letter to the Department of Justice (DOJ). He urged officials to “permit Apple and Google to inform their customers and the general public” about demands for “push” notification data, from “government agencies in foreign countries.”
In the spring of 2022, Wyden’s office “received a tip” that major tech firms were handing over data related to these communications upon request from state entities. His staff have been investigating the issue ever since, although Apple and Google stonewalled their approaches, as “information about this practice is restricted from public release,” by direct US government order.
Push notifications are clickable, attention-grabbing pop-up messages that appear on users’ smartphones and internet browsers. In recent years, popular apps and websites - in particular those of mainstream media outlets - have ever-more widely encouraged users to permit these notifications on their devices and browsers. While a convenient means of remaining constantly updated about news developments, or public and private social media communications, their method of transmission creates a little-considered but extremely serious vulnerability, gravely threatening individual user privacy.
These notifications aren’t dispatched directly from an app to users. Instead, a device’s operating system serves as an intermediary, receiving the information and then passing it on through its internal processing system. Along the way, the data contained within is harvested by the processor. All app stores - including those provided by Amazon and Microsoft - have in-house systems of this kind. App developers have no choice but to utilise them if they wish to offer users push notifications.
This is of enormous concern, given tech giants can be compelled to hand over this information without notifying users through a variety of means. For example, buried at the bottom of Apple’s official “legal process guidelines”, which sets out how the company cooperates with US government and law enforcement agencies, it is acknowledged:
“When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device. Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multimedia. The Apple ID associated with a registered APNs token may be obtained with a subpoena or greater legal process.”
Wyden’s letter concludes on a forceful note. He calls for the Justice Department to allow Apple and Google “to be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users about other types of government demands for data”:
“These companies should be permitted to generally reveal whether they have been compelled to facilitate this surveillance practice, to publish aggregate statistics about the number of demands they receive, and unless temporarily gagged by a court, to notify specific customers about demands for their data. I would ask the DOJ to repeal or modify any policies that impede this transparency.”
‘The Payload’
Given the wealth of sensitive intelligence on users produced by push notifications, it is unsurprising the US government and major tech firms alike are wary of discussing the matter candidly. Contained within these updates is extensive metadata, detailing which app received a notification and when, as well as the device and associated app store account to which the notification was delivered.
Moreover, push notification data can contain the content of texts sent via popular encrypted messaging apps - including the allegedly impenetrable Signal and Telegram - and private communications dispatched on Facebook, Instagram, Twitter, and other popular social networks. The nature of the “tipoff” received by Wyden’s office isn’t stated. Nonetheless, it is evident from a February 2021 search warrant application submitted by an FBI operative to a Washington, DC court that the import of this data has long been well-understood by US intelligence.
The Bureau special agent requested a court order for access to extensive information related to two Facebook accounts, operated by an individual allegedly embroiled in the January 6, 2021, Capitol invasion, from the social network’s parent company Meta. This included “unique application numbers and push notification tokens” associated with the accounts.
This information was of particular interest, the FBI special agent wrote, “based on my training and experience,” strongly suggesting Bureau apparatchiks are specifically tutored in exploiting this data in investigations, and officially encouraged to seek it out. The operative went on to note that when providers send push notifications to a device, this includes both a “push token” and “the payload associated with the notification (i.e., the substance of what needs to be sent by the application to the device)”:
“To ensure this process works, push tokens associated with a subscriber’s account are stored on the provider’s server(s). Accordingly, the computers of [Facebook] are likely to contain useful information that may help to identify the specific device(s) used by a particular subscriber to access the subscriber’s [Facebook] account via the mobile application.”
After this information was secured, the FBI special agent expected to unearth other “identifiers” tying suspects to particular devices, including their unique application numbers, smartphone models and serials, operating systems, network providers, telephone numbers, and much, much more. All this information could “constitute evidence of the crimes under investigation,” identifying Facebook accounts “created or accessed” by the same devices, “likely belonging” to the same users, and potentially linked to digital devices seized from the suspects.
‘Delivery Delays’
An alleged US government-enforced gag order on the provision of push notification data to state agencies can only cast significant doubt on the publicly avowed positions of tech giants on user privacy. In recent years, due to overwhelming concerns about the security of sensitive user data, leaders of the sector have made significant pledges to protect information stored on their platforms from both malign actors, and the prying eyes of states.
In September 2021, Apple’s CEO Tim Cook boldly declared that he believed “privacy is a basic human right,” and “one of the most consequential issues of our time.” He boasted of how his app store had implemented a privacy “nutrition label” system, outlining to users what information apps collect on them, and why:
“We’re all about giving the user transparency and control…It sounds simple, but it’s a profound change. We’re working for the user. It’s not about a marketing slogan or a way to sell things. It’s a core value of ours.”
Not long after, however, a sensitive FBI document released under freedom of information laws amply exposed such lofty principles to be very much “marketing slogans”. The file spelled out in concise yet shocking detail the FBI’s ability to secure messaging app content and associated metadata via warrants and subpoenas. Apple’s iMessage and WhatsApp were, markedly, the most forthcoming to approaches from US authorities.
Dated January 7, 2021, and prepared by the FBI’s Science and Technology Branch and Operational Technology Division, it lists a number of popular messaging apps, the methods by which information can be extracted from them, and what data can be secured by investigators. The file notes that a subpoena submitted to WhatsApp’s owner Meta delivers “basic” user records, a court order “information like blocked users,” and a search warrant “address book contacts and WhatsApp users” who have the “target” saved as a contact.
A surveillance request known as a “pen register” compels WhatsApp to provide the FBI with the source and destination of a user’s messages every 15 minutes. The actual content apparently won’t be disclosed. Although, even without access to messages themselves, knowing who has been texting who, and when, is still highly revealing. For example, this data could be crucial in identifying who within an organisation has been leaking information to journalists.
WhatsApp messages can in any event be accessed by the FBI if an iPhone user has enabled iCloud backups. Apple turns over iCloud encryption keys in response to FBI warrants as a matter of policy, which unlocks iMessage content. Data requests filed under 18 US Code § 2703 turn up “25 days of iMessage lookups to and from a target number.”
Meanwhile, WhatsApp is the only messaging platform listed that offers the Bureau close-to real-time disclosure of data. The guide, no doubt with some chagrin, records how the slow pace with which other apps provide information “may impact investigations due to delivery delays.”
By contrast, investigators can access little information on users of Signal, except the date and time a user registered, and the last time they were active on the app. Telegram’s strict policy of not cooperating with court orders, apart from in the context of “confirmed terrorist investigations,” when the app may disclose IP addresses and phone numbers to relevant authorities, is also noted.
Push notifications offer a significantly more intimate trove, for ready access by security and intelligence agencies the world over. Mercifully, for the time being at least, it is an individual’s discretion whether they ‘opt in’ for these updates. The vast profusion of apps and websites that today relentlessly bombard visitors and users with invitations to do so tends to suggest the option may cease to exist outright, should Wyden’s disclosures provoke sufficient controversy.