Governments busted spying on every smartphone through push notifications

An eye-opening letter was sent to the Department of Justice by Senator Ron Wyden, and it stated foreign officials are currently spying on smartphone users through the push notifications sent to any device.

2

The letter was sent on Wednesday last week, and Wyden warns that foreign governments are requesting Apple and Google provide them with the data of push notifications sent across each of the company's servers. For those who don't know, push notifications aren't sent directly to your smartphone. They first travel over Apple and Google's servers, depending on what operating system you are running, iOS or Android.

Since the paper trail leads over the two companies' servers, they both have access to the metadata (Push Token) within those push notifications, such as which app received a notification, which phone it was sent to, a Google or Apple account associated with that device, and in some cases, the text that's within the push notification that's displayed on the devices wake screen.

Now, a court record reviewed by 404 Media has revealed the US government is demanding Google and Apple provide information on push notifications and how they can be used to identify a specific device. Wyden's letter didn't disclose the legal route used by the government to obtain this information, but one record shared by Court Watch highlights an instance of a Push Token request by US officials. The record is a search warrant application from May 2020 that's related to the investigation of an individual suspected of theft of government funds.

Notably, under the section "Background Information Regarding Provider Services," an FBI Special Agent explains that when a user downloads, installs, and launches a mobile app, the app will direct the device to obtain a "Push Token." This is "a unique identifier that allows the provider associated with the application [...] to locate the device on which the application is installed."

"Accordingly, the computers of PROVIDER are likely to contain useful information that may help to identify the specific device(s) used by a particular subscriber to access the subscriber's PROVIDER account via the mobile application," added the Special Agent

Wyden's letter calls for policies to be changed that permit Apple and Google to disclose aggregate data on the number of demands they have received in relation to governments requesting Push Token data. Apple and Google were contacted about this revelation, and Apple said that Wyden's letter gave the company the opening they were waiting for to shed more light on this situation, with the company going as far to say -

"In this case, the federal government prohibited us from sharing any information. Now that this method has become public, we are updating our transparency reporting to detail these kinds of requests," responded Apple

"We were the first major company to publish a public transparency report sharing the number and types of government requests for user data we receive, including the requests referred to by Senator Wyden. We share the Senator's commitment to keeping users informed about these requests," said a Google spokesperson