It’s possible spy on users through the seemingly harmless push notifications? Apparently yes, and it is a giant of the caliber of Apple to confirm that foreign governments have actively used this solution. These governments ordered the Cupertino company and others Google to deliver the details of the pushes sent to iPhones and Android smartphones respectively.
Push notifications to monitor users: Apple and Google forced to share information with foreign governments
This surprising discovery it came to light thanks to the senator’s investigations Ron Wyden, member of the United States Senate Intelligence Committee. «In the spring of 2022, my office received a tip that government agencies in foreign countries were requesting details of push notifications sent to smartphones from Apple and Google. After the report, my staff began the investigationWyden said.
He himself provided more detailed information on the functioning of this baffling device spy mode. «Push notifications […] they are not sent directly from the app provider to users’ smartphones. Instead, they pass through a sort of digital post office run by the device’s operating system vendor. For iPhones, this service is provided by Apple’s push notification service; as for Android, it is Google’s Firebase Cloud Messaging. These services ensure timely and efficient delivery of notifications, but this also means that Apple and Google act as intermediaries in the transmission process».
«As with all other information that these companies store for or its own users», continued Wyden, «Apple and Google may be forced to secretly provide push notification details to governments».
In light of what emerged, Wyden asked the two companies involved to confirm what was described and wrote an open letter to the United States Department of Justice to request the revocation of the obligation of secrecy.
«Apple and Google should be allowed to be transparent about the requests they receive, especially those that come from foreign governments. […] These companies should be allowed to disclose whether they were forced to support this surveillance practice, […] to inform customers about specific requests on their data».
Wayden’s was a very smart move. Now that the information is out public domain, the secrecy requirements imposed on Apple and Google can no longer be enforced. Regardless of the Department of Justice’s response, the two companies can now include these details in their transparency reports.
And in fact Apple has already moved in this direction. A spokesperson for the Californian giant communicated the following to the 9to5mac editorial staff:
Apple cares about transparency and has long supported efforts to ensure that vendors are able to disclose as much information as possible to their users. In this case, the federal government prohibited us from sharing any information, and now that this news has become public, we are updating our transparency reporting to provide greater clarity.
What push notification data can reveal
In the case of services instant messaging with end-to-end encryption (like iMessage and WhatsApp), the messages are protected, so Apple and Google – even if forced – could not transmit the contents of the message to anyone who asks for it.
As for instead other servicessuch as those for food delivery (Uber Eats, Glovo, Just Eat and so on), can actually reveal information, such as the approximate location of the user.
But we can also hypothesize something else. A government could easily trace, for example, a journalist’s informant (especially if the two are in different countries) simply by monitoring the number of messages the two have exchanged in a given period. In short, despite not being able to access the content of the messages, conclusions could still be drawn.
Cover image ©TechCrunch