Would you be surprised if I told you the government could spy on you through push notifications? Chances are, you wouldn't. We all know that our beloved little black mirrors, our smartphones, are quite the privacy nightmare, despite Apple and Google implementing extensive data protection features over the years.
What might surprise you, however, is that governments don't necessarily track your location using your phone's GPS or eavesdrop on your phone calls (though who really knows); they can spy on you through your phone's push notifications.
How governments steal your push notification data
Thanks to Senator Ron Wyden from Oregon, we now know this. He sent a letter to the Department of Justice (DOJ) on a Wednesday, asking them to allow Apple and Google to inform their users about government requests for smartphone usage information.
In the letter, Wyden outlined that back in the spring of 2022, his office received a tip that foreign governments were demanding push notification data sets from Apple and Google. After investigating, Wyden's office found that both tech giants claimed the US government had stopped them from discussing the practice. Spooky, right?
As explained in the letter, push notifications don't involve a one-on-one connection between your smartphone and the app or service sending the notification; they pass through Apple's and Google's servers before reaching your iPhone or Android device. On Apple's side, this service is the Apple Push Notification service (APNs), while Google uses Firebase Cloud Messaging (FCM). In essence, all your push notifications are vulnerable to access by government agencies, making them an enticing target for spying.
Not only that, but push notifications contain a wealth of data. When the servers of Apple and Google receive push notification data, they log metadata (app-specific information) as well as details about the phone and the account associated with the notification. So, if Duolingo tried to send a push notification to "Jake's iPhone 14 Pro" on a Thursday at 10 a.m., the government, should they ask Apple for your push notification details, might just see that.
This is a good time to encourage using an end-to-end encrypted messaging service for your texting needs. Encrypted messages are not included in the data that third parties like Apple and Google receive, meaning the government can't read your iMessages, RCS texts, or WhatsApp messages (and similar). However, if the government intercepts unencrypted push notifications, such as those from SMS or unencrypted Instagram DMs, their contents may be included in the data it collects.
According to WIRED, governments and law enforcement agencies interested in this data must first obtain your push notification "token" from the app developer. The app you've downloaded assigns you a token that connects it to your push notifications. The government can then send this token to Apple or Google to request information about the account connected to the token. This has already happened in the US; in 2021, the FBI requested push notification data from two Meta accounts in a similar case, and Meta did not comment on WIRED's enquiry.
Wyden urged the Department of Justice to allow Apple and Google to be more transparent about these requests. Apple, for its part, said the letter now allows them to publicly discuss the practice, but the extent of their transparency remains to be seen.
What you can do to protect your data from push notification spies
The details surrounding this situation are still unclear, but that doesn't mean we should just sit back and wait for Apple and Google to comment.
If you want to go all out, you could disable push notifications for all apps except those you really need, such as apps that deliver current news. There's no reason to allow a foreign or domestic government to see what messages your Snapchat is sending you, especially when it's begging you to open the app.
You'll likely find that over 90% of the apps on your iPhone or Android that send you push notifications are junk. If you disable them, not only will you feel better—knowing you've protected your privacy—but you'll also be free from the annoyance of receiving irrelevant push notifications.
However, deactivating push notifications for specific apps could be counterproductive. For example, disabling push notifications for a messaging app might cause you to miss group chats, and you might miss important meetings if calendar reminders are deactivated. As always, it's a delicate balance between privacy and convenience. Even with today's messaging apps, it's hard to disable push notifications for messages that are encrypted—I can't help but wonder when I'll have to let go of unencrypted messages. But I continue to close other apps in my free time to catch up later. (Looking at you, Snapchat.)
Larger solutions will need to come from greater powers. You shouldn't have to disable push notifications to protect your privacy, and it shouldn't even be permitted for governments to ask for this information in the first place. Fingers crossed the letter from Senator Wyden will bring change to Washington.
The government could also use push notifications as a means to spy on diplomatic communications. Consider push notifications sent during private government conversations with foreign entities: by monitoring them, a government could identify the origin of these notifications and track their delivery flow.
One way to protect your push notifications is by using applications such as Secret mail, which encrypt push notifications. These apps ensure that no third parties acquire personal information, protecting your privacy in the process. By using encrypted push notifications, you can safely use this feature while avoiding spying by tech firms and governments alike.
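The relay path and the encrypted-notification approach described above, as an added example that is not from the original article and does not use the real APNs or FCM APIs: it shows that sealing the payload hides the message text from the provider in the middle, while the token, app and timestamp are still logged. The `relayThroughGateway` function, the token, the app ID and the pre-shared key are assumptions made for illustration.

```javascript
// Added example: simplified model of a push relay, not the real APNs/FCM API.
const nodeCrypto = require('crypto');

// Constructed sample values; a real token is issued by the push provider.
const DEVICE_TOKEN = 'constructed-token-0001';
const APP_ID = 'com.example.chat';

// App server side: seal the notification text so the relay only sees ciphertext.
// The device token is bound in as associated data, so a sealed payload
// re-targeted at another token fails authentication on the device.
function sealPayload(key, token, text) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(token, 'utf8'));
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString('base64');
}

// Device side: verify and decrypt; throws if the payload or token was altered.
function openPayload(key, token, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(token, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Hypothetical relay: records what a provider in the middle is able to retain.
function relayThroughGateway(log, token, appId, payload) {
  log.push({ token, appId, receivedAt: new Date().toISOString(), payload });
  return payload; // forwarded to the device unchanged
}

function demo() {
  const key = nodeCrypto.randomBytes(32); // assumed shared at app registration
  const log = [];
  const text = 'Sam: meet at 10 a.m.';    // constructed message
  relayThroughGateway(log, DEVICE_TOKEN, APP_ID, text); // plaintext push
  const delivered = relayThroughGateway(log, DEVICE_TOKEN, APP_ID,
    sealPayload(key, DEVICE_TOKEN, text));              // sealed push
  return { log, key, delivered, onDevice: openPayload(key, DEVICE_TOKEN, delivered) };
}
```

Both log entries still carry the same token, app ID and delivery time, which is the metadata the article describes; only the message text differs between the plaintext and sealed cases.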
Enrichment Data:
Governments can access and use push notification data to spy on individuals through various methods, although the specific techniques might vary depending on the platform and the level of access granted. Here are some general ways this could be done:
- Unauthorized Access: If a government agency or its allies gain unauthorized access to a push notification service, they could potentially intercept and analyze the data transmitted between the application and the user's device. This could include the unique tokens generated by services like Google FCM (Firebase Cloud Messaging) or Apple APNS (Apple Push Notification Service), which are used to identify devices and send notifications.
- Malware and Spyware: Governments or their agents could use malware or spyware to infect devices, allowing them to intercept push notifications and extract sensitive information. For example, commercial spyware like Paragon's hacking software has been used to target journalists and civil society members, potentially compromising their devices and accessing their communication data.
- API Access: If a government agency or its allies have legitimate access to an application's API, they could potentially request and receive detailed information about user interactions, including push notification data. This could be particularly concerning if the API access is not properly secured or if there is no clear justification for the level of access granted.
- Data Collection: Governments might also collect push notification data through legitimate means, such as requesting it from the application developers under the guise of national security or law enforcement. This could involve obtaining user tokens and using them to track user activities, although this would typically require legal authorization and oversight.
- Data Privacy Concerns: Even with legitimate access, there are concerns about how push notification data is handled and protected. For instance, if an application does not properly secure user tokens or if the push notification service does not implement robust security measures, it could leave users vulnerable to data breaches and unauthorized access.
In summary, governments can access and use push notification data to spy on individuals through unauthorized means, malware, API access, or legitimate data collection under legal auspices. The key to protecting privacy lies in robust security measures and transparent data handling practices.