Governments Are Spying on Push Notifications

U.S. Senator Ron Wyden:

In the spring of 2022, my office received a tip that government agencies in foreign countries were demanding smartphone “push” notification records from Google and Apple. My staff have been investigating this tip for the past year, which included contacting Apple and Google. In response to that query, the companies told my staff that information about this practice is restricted from public release by the government.

Raphael Satter, Reuters:

In a statement, Apple said that Wyden’s letter gave them the opening they needed to share more details with the public about how governments monitored push notifications.

“In this case, the federal government prohibited us from sharing any information,” the company said in a statement. “Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”


Wyden’s letter cited a “tip” as the source of the information about the surveillance. His staff did not elaborate on the tip, but a source familiar with the matter confirmed that both foreign and U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.

This is an entire category of stuff the U.S. government has apparently prohibited Apple and Google from disclosing and it is a good reminder that their transparency reports exist at the behest of governments, with their limitations imposed. But, also, Apple specifically blames the “federal government” — I take that to mean the U.S. federal government. Why would they be able to prevent Apple from disclosing this category of law enforcement requests from other countries?

Joseph Cox of 404 Media reviewed one warrant which mentioned push notifications in the case of an Ohio researcher, questioning whether it “is boilerplate language that has been included in the search warrant application”. I poked around on RECAP and found a lot of filings which include the same language, including a warrant (PDF) issued to Life360 for, among other things, push notifications if they are related to the geographic location history of a specific device. Both the one I found and the one Cox cites were issued by U.S. authorities for U.S. subjects. But in another warrant (PDF), this one issued to Google, there is a difference: the subjects are based in Mexico and Vietnam.

That raises questions for me about whether push notifications, having to go through servers from Apple and Google, are a vector for the U.S. surveillance campaign on the rest of the world. It is possible to encrypt notifications on iOS and Android; my understanding is that iMessage and Signal both do so. But some metadata, as noted by Wyden, remains in clear text.