Apple confirms ‘push notification spying’ by government agencies [Updated]

Unidentified countries request push notification records from Apple and Google to gain info about smartphone users.
Photo illustration: Bagus Hernawan/Unsplash License/Modified by Cult of Mac

Some governments are spying on push notifications sent to iPhone users, Apple confirmed Wednesday. By examining logs of push notifications sent by various apps, authorities can piece together surprisingly detailed information about smartphone users and their activities.

The previously undisclosed data gathering, which also affects Android devices, became public after Sen. Ron Wyden published an open letter to Attorney General Merrick B. Garland on Wednesday requesting disclosure of the surveillance method.

Push notification spying is happening

“I write to urge the Department of Justice (DOJ) to permit Apple and Google to inform their customers and the general public about demands for smartphone app notification records,” Wyden wrote.

Unlike iMessage, which keeps messages between iPhone users secure behind end-to-end encryption, push notifications from apps flow through servers operated by Apple. And that makes them susceptible to government demands for information.

While not as sensitive as text messages, emails or phone calls, push notifications can reveal certain information about users.

Gaining access to push notifications sent by a delivery app or car-sharing service could, for instance, allow authorities to pinpoint an iPhone user’s location. Governments could even potentially piece together interactions between multiple smartphone users.

Foreign governments seek push notification logs from Apple and Google

Wyden said his office began investigating push notification spying after receiving a tip in early 2022 that “government agencies in foreign countries were demanding smartphone ‘push’ notification records from Google and Apple.”

Just as governments sometimes request data about individuals’ devices, accounts and financial info, requests that Apple and Google either grant or deny on a case-by-case basis, unidentified countries apparently routinely request records of push notifications.

“Apple and Google are in a unique position to facilitate government surveillance of how users are using particular apps,” Wyden wrote. “The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered. In certain instances, they also might receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification.”

New type of government spying on iPhones and Android devices revealed

Wyden’s letter did not reveal which countries make these types of requests for data from Apple and Google. However, it did make this type of surveillance public. And that, in turn, freed up Apple and Google to tell their customers about the situation.

“Apple is committed to transparency and we have long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users,” the company said in a statement Wednesday. “In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

Apple updated its Legal Process Guidelines document (.pdf) to include information on how it handles push notification requests from law enforcement.

“When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device,” the document says. “Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media. The Apple ID associated with a registered APNs token may be obtained with a subpoena or greater legal process.”

Apple regularly discloses government requests for user information in its semi-annual Transparency Reports.

Google told Reuters it shares Wyden’s “commitment to keeping users informed about these requests.”

And the Washington Post reported that Google holds law enforcement agencies to a higher standard before handing over users’ push notification data.

“For U.S. requests of push notifications and other non-content information, Google said it requires a court order, not just a subpoena, that is subject to judicial oversight,” the Post wrote. “With such orders, federal officials must persuade a judge that the requested data is relevant and material to an ongoing criminal probe.”

The Post said it “found more than two dozen search warrant applications and other documents in court records related to federal requests for push notification data” from apps made by Apple, Google, Amazon and others.

Some requests pertained to investigations into the January 6, 2021, riots at the U.S. Capitol. Others “sought data on suspects accused of money laundering and distributing child sexual abuse material,” the Post said.

Note: We originally published this post on December 6, 2023. We updated it with additional information on Apple’s and Google’s rules for compliance with law enforcement requests pertaining to push notifications.
