Governments Can Spy on Your Push Notifications
If I told you that governments are spying on you through your smartphone, would you be surprised? Probably not. We all know those little black mirrors are a privacy nightmare, even with the extensive data protection features Apple and Google have added over the years.
However, you might be surprised to learn that governments aren’t necessarily tracking your location via your phone’s GPS or listening to your phone calls (who knows, though): we now know that they’re actually spying on you through your push notifications, of all things.
How governments are stealing your push notification data
The only reason we know about this is because of Ron Wyden. The Oregon senator sent a letter on Wednesday to the Department of Justice (DOJ), urging it to allow Apple and Google to warn their customers about requests for their smartphone data.
In the letter, Wyden explains that in the spring of 2022, his office received a tip alleging that foreign governments were demanding that Apple and Google hand over records of push notifications from users. Wyden’s office has since investigated the matter: when it contacted Apple and Google about the allegation, both companies said the federal government had blocked them from commenting on the practice. That’s scary.
As the letter explains, a push notification is not a direct connection between your smartphone and the app or service that sends the alert. These notifications must first go through Apple and Google’s servers: on Apple’s side, it’s Apple’s push notification service, while Google uses Firebase Cloud Messaging. All of your push notifications, which rely on an Internet connection, pass through these servers before reaching your iPhone or Android, meaning they’re all susceptible to abuse by government agencies.
These push notifications also contain quite a bit of data. When Apple and Google receive push notification data on their servers, they also receive metadata (data about the app that receives the push notification), as well as information about the phone and account to which the notification belongs. If Duolingo tried to send a notification to “Jake’s iPhone 14 Pro” at 10 a.m. on Thursday, governments demanding information about my push notifications from Apple could see exactly that.
This is a great time to ask you to use encrypted messaging services for your text messages. Encrypted content won’t show up in the data third parties receive from Apple and Google, so governments won’t actually be able to read your iMessages, RCS texts or WhatsApp alerts, for example. However, if they intercept push notifications from unencrypted alerts, such as messages sent via SMS or unencrypted Instagram DMs, they may see that content as part of the data they receive. The secrets you send unencrypted are kept by you, your friend and governments around the world.
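What the push relay in this flow can record, shown as an added example that is not part of the original article: it audits two constructed APNs-style requests and lists the fields an intermediary could read. The `enc_payload` key, the `com.example.chat` app ID, the token and the request layout are assumptions made for illustration.

```python
import json

# Assumption: the app ships end-to-end ciphertext under this custom key.
CIPHERTEXT_KEYS = {"enc_payload"}
BLOB = "q83vEjRWeJCrze8SNFZ4kA=="   # constructed stand-in for ciphertext
TOKEN = "0f" * 32                   # constructed device token, not a real one

def walk(node, path="", key=None):
    """Yield (json_path, key, text) for every string in the payload."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else k, k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]", key)
    elif isinstance(node, str):
        yield path, key, node

def relay_view(request):
    """Return what the push service can record for one request."""
    strings = list(walk(json.loads(request["body"])))
    return {
        # Routing metadata: needed for delivery, so visible in every case.
        "device_token": request["path"].rsplit("/", 1)[-1],
        "app": request["headers"]["apns-topic"],
        "received_at": request["received_at"],
        # Plaintext the relay can read versus blobs it can only measure.
        "readable": {p: s for p, k, s in strings if k not in CIPHERTEXT_KEYS},
        "opaque": {p: len(s) for p, k, s in strings if k in CIPHERTEXT_KEYS},
    }

def make_request(payload):
    """Build a constructed APNs-style request around a JSON payload."""
    return {"path": f"/3/device/{TOKEN}",
            "headers": {"apns-topic": "com.example.chat"},
            "received_at": "2023-12-07T10:00:00Z",
            "body": json.dumps(payload)}

# Message text placed directly in the alert: readable in transit.
PLAINTEXT_PUSH = make_request(
    {"aps": {"alert": {"title": "Sam", "body": "Meet at 6, gate code 4417"}}})
# Generic alert plus ciphertext; mutable-content lets the app rewrite the
# alert on the device after decrypting.
ENCRYPTED_PUSH = make_request(
    {"aps": {"alert": {"title": "New message"}, "mutable-content": 1},
     "enc_payload": BLOB})

if __name__ == "__main__":
    for req in (PLAINTEXT_PUSH, ENCRYPTED_PUSH):
        print(json.dumps(relay_view(req), indent=2))
```

In both cases the token, app and timestamp remain visible; encryption only removes the message text from the record.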
According to Wired, governments and law enforcement agencies that want this data must first obtain a push notification “token” from the app developer. The apps you download to your devices assign you a token that connects you to their push notifications. The government can then share your token with Apple or Google to request the account information associated with that token. This has already happened in the US: in 2021, in a case related to January 6, the FBI requested push notification data for two Meta accounts. Meta did not respond to Wired’s request for comment.
Wyden is pleading with the Justice Department to allow Apple and Google to be more transparent with the public about these requests. Apple, for its part, said that this letter now gives them the opportunity to talk more publicly about this practice, and it appears they are already working on it. A few days after the report was published, Apple quietly updated its law enforcement guidelines, which now confirm that the company will not share push notification data with anyone without a judge’s order. As it turns out, Google already had this policy, so Apple had to do some catching up here.
What You Can Do to Protect Your Data from Push Notification Spyware
Now that both Google and Apple will refuse requests for your push notification data that come without a warrant, the situation is a little less dire than it was. Still, you may be unhappy that, if a judge rules against you, your push notification data is essentially free for the taking.
If you want to take extreme measures, you should disable push notifications for all your apps. I’m a big proponent of turning off notifications for almost all apps except the ones you really need, and recent news only strengthens my position. There is absolutely no reason why governments, foreign or domestic, should be allowed to see what my apps are notifying me about, but it’s especially egregious to allow them to do so when Snapchat is desperately asking me to open the app.
I think you’ll find that 90% of the apps that send you alerts on your iPhone or Android are crap anyway, so turning them off will give you peace of mind and strengthen your privacy. Of course, turning off notifications for certain apps can backfire: You’ll likely fall behind in group chats if you turn off notifications for your messaging apps, and you might miss meetings and appointments by turning off notifications for your calendar. (Sorry, boss.)
In the end, as always, it’s a balance between privacy and convenience. Even with this news, I would have trouble turning off notifications for messages, although it helps that iMessage is encrypted. But I’m more than happy to leave other apps disabled so I can check them on my own time. (Looking at you, Snapchat.)
At the same time, a larger solution must come from larger forces. You shouldn’t have to turn off notifications to preserve your privacy, and governments shouldn’t be allowed to ask for this information anyway. Let’s hope Senator Wyden’s letter continues to bring some changes to Washington.