The office of Senator Ron Wyden received a tip that foreign governments, including the Five Eyes, were using push notifications to spy on users. Once this information was received, an investigation was launched and a letter requesting more information was sent to the Department of Justice:
In the spring of 2022, my office received a tip that government agencies in foreign countries were demanding smartphone “push” notification records from Google and Apple. My staff have been investigating this tip for the past year […]
Push notifications […] aren’t sent directly from the app provider to users’ smartphones. Instead, they pass through a kind of digital post office run by the phone’s operating system provider. For iPhones, this service is provided by Apple’s Push Notification Service; for Android phones, it’s Google’s Firebase Cloud Messaging. These services ensure timely and efficient delivery of notifications, but this also means that Apple and Google serve as intermediaries in the transmission process.
As with all of the other information these companies store for or about their users, because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information.
The Five Eyes is an intelligence alliance between the US, UK, Canada, Australia, and New Zealand. They cooperate on sharing information gathered through surveillance, with the goal of enhancing national security.
The concern lies with the data these notifications carry. When a notification is sent, it goes through Apple or Google’s servers first. This allows them to see basic details like which app sent the notification, when it happened, and the phone it was sent to. Additionally, the content of the notification itself might not be encrypted, revealing more information.
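The split between metadata and content described above can be shown with a small model. This is an added example, not code from the article, Apple or Google; the record fields, the sample message and the shared device key are constructed assumptions, not the APNs or FCM wire format. It shows that encrypting the payload hides the content from the intermediary while the app, the device and the time stay visible.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed sample values; field names are illustrative only.
const DEVICE_KEY = nodeCrypto.randomBytes(32); // assumed: key shared by the app server and the app on the device
const sample = { appId: 'com.example.chat', deviceToken: 'token-constructed-01',
                 body: 'Alice: meet at 6pm?' };

// App server, plaintext design: the body passes through the push service as-is.
function buildPlainPush(msg, sentAt) {
  return { appId: msg.appId, deviceToken: msg.deviceToken, sentAt, payload: { alert: msg.body } };
}

// App server, encrypted design: AES-256-GCM under a key the push service never holds.
function buildEncryptedPush(msg, sentAt, key) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(msg.body, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  return { appId: msg.appId, deviceToken: msg.deviceToken, sentAt, payload: { enc: blob } };
}

// Device side: split iv | tag | ciphertext and decrypt; throws if the blob was altered in transit.
function decryptOnDevice(push, key) {
  const raw = Buffer.from(push.payload.enc, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// What the intermediary could retain, and so be compelled to hand over, for one push.
function intermediaryRecord(push) {
  return { appId: push.appId, deviceToken: push.deviceToken, sentAt: push.sentAt,
           readableContent: push.payload.alert ?? null };
}

const sentAt = '2024-01-01T12:00:00Z'; // constructed timestamp
console.log(intermediaryRecord(buildPlainPush(sample, sentAt)));
console.log(intermediaryRecord(buildEncryptedPush(sample, sentAt, DEVICE_KEY)));
```

In both records the app identifier, device token and timestamp are identical; only `readableContent` differs.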
Apps of all kinds rely on push notifications to alert smartphone users to incoming messages, breaking news, and other updates. These are the audible “dings” or visual indicators users get when they receive an email or their sports team wins a game. What users often do not realize is that almost all such notifications travel over Google and Apple’s servers.
That gives the two companies unique insight into the traffic flowing from those apps to their users, and in turn puts them “in a unique position to facilitate government surveillance of how users are using particular apps,” Wyden said. He asked the Department of Justice to “repeal or modify any policies” that hindered public discussions of push notification spying.
Governments can request this data from Apple and Google, potentially to track app usage and link anonymous users to specific accounts.