Apple Confirms Government Spying via Push Notifications
Apple has just shared details on a secret government order it’s been under for some time that’s required it to covertly track and surveil its users via push notifications sent to their iPhones and other Apple devices.
While Apple has been prohibited from disclosing details on this program, the company was grateful to see the gag order effectively lifted when US Senator Ron Wyden penned a letter to the Department of Justice urging it to “permit Apple and Google to inform their customers and the general public about demands for smartphone app notification records.”
In the letter, which was reported on and shared by Reuters, Senator Wyden outlines how his office received a tip last year that “government agencies in foreign countries were demanding smartphone ‘push’ notification records from Google and Apple.”
Sen. Wyden’s staff launched an investigation that included reaching out to the two companies, who responded that “information about this practice is restricted from public release by the government.”
In other words, the US Department of Justice has required both Apple and Google to share information on push notifications that travel through their servers, sometimes with little more than a subpoena to justify the request, and they haven’t been allowed to tell anybody about it.
Until now, that is.
It seems that once Senator Wyden let the cat out of the bag with his open letter, both Apple and Google were free to comment — and both confirmed to Reuters that this is precisely what’s been going on.
“In this case, the federal government prohibited us from sharing any information. Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”
Apple
Even though messaging apps like iMessage and WhatsApp are end-to-end encrypted, and Facebook Messenger is now joining the club, most of them suffer from one dangerous loophole — the push notifications sent to your device still travel in the clear. Plus, on an iPhone, they’re associated not just with the person’s third-party messaging account but also with their Apple ID.
This means that a push notification can be used to tie a user to their Apple ID, which Apple says “may be obtained with a subpoena or greater legal process.”
Now that Apple can disclose the practice, it’s quickly updated its Legal Process Guidelines to include information on how this works and what information it may be required to supply to law enforcement and other government agencies.
AA. Apple Push Notification Service (APNs)
When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device. Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media.
The Apple ID associated with a registered APNs token may be obtained with a subpoena or greater legal process
Notably, as John Gruber explains over at Daring Fireball, Google actually follows a more stringent procedure than Apple does before turning over this information. Google requires an actual court order rather than just a subpoena that can be issued without judicial oversight. “Score one for Google here,” Gruber adds.
Law enforcement agents can issue subpoenas on their own, so there’s no oversight here. Google, on the other hand, requires a court order:
John Gruber
While details are sparse on how long this has been going on, how many of these requests have been made, and what agencies have been making them, “a source familiar with the matter” told Reuters that “both foreign and U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.” The foreign governments weren’t explicitly identified by the source, other than being “democracies allied to the United States.”
Push Notifications: ‘A Privacy Nightmare’
While push notifications on both Apple and Android devices have always traveled through those companies’ respective servers, most users aren’t fully aware of this. In the case of iPhone and iPad apps, it’s a requirement as apps aren’t permitted to continue running in the background to generate notifications on their own.
This is also partially done for efficiency; even Apple’s own Mail app uses push notifications, although in that case, these are only sent to advise the app that something has changed so that it knows to wake up and poll for new mail; the content of the notification is generated locally after the Mail app fetches the new email. This saves Mail from running in the background and depleting the battery by needlessly polling for mail every few seconds.
However, as Reuters notes, many developers and security researchers have long considered push notifications a privacy nightmare. While developers can encrypt the payloads in push notifications, such as the content of a private message, that’s not possible for metadata. Hence, Apple and Google still know which apps you’re using and how many notifications you’re receiving — and they can (and do) share that information with law enforcement and other government agencies when required, even if the content of the notifications is unreadable.
Nevertheless, it’s unclear how many developers are taking the time to encrypt push notification content since doing so is a much more cumbersome process. While a plaintext push notification can be displayed directly on your iPhone by iOS, an encrypted notification requires waking up the corresponding app to handle the decryption in the background and then generate the notification on its own.
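As an added illustration of the two paragraphs above (not code from the article, Apple, or any app vendor), this Node.js example sends the same message once as a plaintext alert and once with an AES-256-GCM encrypted payload, then lists what the push relay can read in each case. The device token, bundle ID, the shared device key and the `enc` payload field are constructed for the example; `mutable-content` and `apns-topic` are the real APNs names.

```javascript
const crypto = require('node:crypto');

// Constructed sample values. The key is shared only between the app's own
// server and the app on the device; the push relay never holds it.
const DEVICE_KEY = crypto.randomBytes(32);
const DEVICE_TOKEN = 'a1b2'.repeat(16); // constructed 64-hex-character token
const TOPIC = 'com.example.chat';       // constructed bundle ID

// Server side: build the request handed to the push relay.
// With a key, the message moves into ciphertext and the alert is a placeholder.
function buildPush(message, key) {
  const body = { aps: { alert: message } };
  if (key) {
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
    const ct = Buffer.concat([cipher.update(message, 'utf8'), cipher.final()]);
    // "enc" is a hypothetical custom key: iv (12) + auth tag (16) + ciphertext
    body.enc = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
    // mutable-content lets the app's extension rewrite the alert before display
    body.aps = { alert: 'New message', 'mutable-content': 1 };
  }
  return {
    path: `/3/device/${DEVICE_TOKEN}`,
    headers: { 'apns-topic': TOPIC },
    body: JSON.stringify(body),
  };
}

// Relay side: everything readable without the device key.
function relayView(req) {
  const body = JSON.parse(req.body);
  return {
    deviceToken: req.path.split('/').pop(),
    app: req.headers['apns-topic'],
    bytes: Buffer.byteLength(req.body),
    alertText: body.aps.alert,
  };
}

// Device side: stand-in for the app code that is woken to decrypt.
function displayOnDevice(req, key) {
  const body = JSON.parse(req.body);
  if (!body.enc) return body.aps.alert; // plaintext alert is shown directly
  const raw = Buffer.from(body.enc, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}
```

In both cases `relayView` still returns the same device token and app identifier, which is the metadata the article says can be tied to an account.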
This process can be even more insidious with third-party mail apps that offer push notification capabilities for third-party mail services. In this case, these apps are taking the extra step of logging into and monitoring your email accounts on your behalf using their servers, from which they can send push notifications to your device. This means that your email data travels not only through Apple’s servers (or Google’s) but also through servers belonging to the developer of whatever third-party mail or messaging app you’re using.
Apple has always told its developers not to include customer information or other sensitive data in a notification’s payload unless they use encryption. Apple is careful to follow this mandate, much like it does with the Mail app, where notifications contain no useful data beyond an internal token associated with the specific iCloud or other email account. However, Apple doesn’t necessarily vet how third-party developers use push notifications and what data they contain.