U.S. Senator Ron Wyden (D-OR) has warned in a letter to the Justice Department that unidentified governments are spying on Apple and Google phone users through their push notifications. The letter says his office received a tip last year that government agencies in foreign countries were “demanding” push notification records from the tech giants.
Push notifications are the pop-up messages that appear on your lock screen and home screen to alert you about new messages, updates, breaking news and other app updates. Since these push notifications pass through Apple and Google’s servers, the tech giants are “in a unique position to facilitate government surveillance of how users are using particular apps,” Wyden, who sits on the Senate Intelligence Committee, explains in the letter, which was shared with TechCrunch.
Wyden notes that Apple and Google can be “secretly compelled by governments to hand over this information.”
“Apple and Google should be permitted to be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users about other types of government demands for data,” Wyden wrote in the letter.
“These companies should be permitted to generally reveal whether they have been compelled to facilitate this surveillance practice, to publish aggregate statistics about the number of demands they receive, and unless temporarily gagged by a court, to notify specific customers about demands for their data.”
Wyden called on the Justice Department to repeal or modify “any policies that impede this transparency.”
The letter was first reported by Reuters.
The data from these push notifications gives Apple and Google information about which app received a notification and when, in addition to details about the phone and Apple or Google account associated with the notification. The letter explains that in certain instances, the companies may also receive encrypted content, which could include the actual text displayed in the notification.
Wyden’s letter does not specify which foreign governments have asked Apple and Google for push notification information.
Reuters reports, citing a source, that foreign and U.S. government agencies have asked both Apple and Google for metadata from push notifications, including information that ties pseudonymous app users to specific Apple or Google accounts.
In an email to TechCrunch, Apple spokesperson Shane Bauer said the federal government prevented the technology giant from sharing any information on the matter.
“Apple is committed to transparency and we have long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users,” Apple’s spokesperson said. “In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”
Apple said the tech giant will start breaking out the requests for push notification tokens it has received in its next upcoming transparency report.
Google spokesperson Matt Bryant told TechCrunch that the company shares Wyden’s “commitment to keeping users informed about these requests.”
“We were the first major company to publish a public transparency report sharing the number and types of government requests for user data we receive, including the requests referred to by Senator Wyden,” the statement reads.
A search warrant filed in California regarding a criminal theft case details how push notifications demands can be used to obtain information about a person. The search warrant, seen by TechCrunch, includes a section where an FBI special agent writes that when a user installs and downloads an app, the app directs their phone to obtain a push token, which is a unique identifier that allows Google to locate which device the app is installed on.
“After the applicable push notification service (e.g., Apple Push Notifications (APN) or Google Cloud Messaging) sends a Push Token to the device, the Token is then sent to the application, which in turn sends the Push Token to the application’s server/provider,” the record reads. Then, whenever a company sends a push notifications to a person’s device, it also sends Push Tokens.
The record then goes on to note that Google’s servers contain “useful information that may help to identify the specific device(s) used by a particular subscriber to access the subscriber’s Google account via the mobile application.”
404 Media previously reported another court case in which push notification records were obtained using similar boilerplate language.