Governments are spying on U.S. smartphone users through the push notifications that they receive from apps, Senator Ron Wyden wrote in a letter to the Department of Justice on Wednesday, and Apple confirmed the practice.
Wyden wrote that the federal government had restricted Apple and other companies’ ability to share information about this process. The senator’s office “received a tip” last year that “government agencies in foreign countries were demanding smartphone ‘push’ notification records from Google and Apple,” Wyden, a Democratic senator from Oregon, wrote in the letter to Attorney General Merrick Garland. “My staff have been investigating this tip for the past year, which included contacting Apple and Google. In response to that query, the companies told my staff that information about this practice is restricted from public release by the government.”
Apple confirmed in a statement to Reuters on Wednesday that, “In this case, the federal government prohibited us from sharing any information. Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”
The process by which push notifications are generated requires the phone company to serve as a “digital post office,” Wyden wrote. Push notifications are sent through Apple and Google’s servers, which means that the companies “serve as intermediaries in the transmission process,” and can therefore be made to hand over information to governments that request it.
According to Wyden’s letter, the information that can be gleaned from push notification requests is mostly metadata. This includes information “detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered,” Wyden wrote. In some cases, requesters may even receive unencrypted content such as the text that was delivered in the notification.
The senator said that companies can therefore “be secretly compelled by governments to hand over this information.”
An unnamed source confirmed to Reuters that both foreign and U.S. government agencies had been asking the companies for push notification data, for example, to tie anonymous users of messaging apps to specific accounts. The source did not say which government agencies had participated in this, or for how long.
Apple advises its developers to encrypt any sensitive data sent through a push notification, but does not require this practice.