A U.S. senator warned on Wednesday that unidentified governments are surveilling smartphone users via their apps’ push notifications. In a letter to the Department of Justice, Senator Ron Wyden said foreign officials demanded data from Alphabet’s Google and Apple. Although details were sparse, the letter lays out yet another way governments can track smartphones. Apps rely on push notifications to alert users to incoming messages, breaking news, and other updates. But almost all such notifications travel over Google’s and Apple’s servers, giving the companies a unique insight into the traffic flowing from apps to smartphones.
Governments could secretly compel Apple and Google to hand over the notifications, which contain information about how an app is used, such as the date and time it was opened, which phone the notification was delivered to, and in some cases, the unencrypted text displayed in the notification. The notification also contains a push token, a unique identifier for the device linked to an Apple or Google account. A search warrant filed in California in May 2020 revealed that push tokens can be analyzed to discover the name of the app that sent the notification, the phone and the Apple or Google account that it was delivered to, and, in some cases, a list of devices associated with an Apple or Google account.
In his letter, Wyden urged the Justice Department to permit Apple and Google to share with the public the number of push notification requests they receive from foreign and domestic agencies. He also pushed them to publish aggregate statistics regarding the demands they receive and to notify specific customers about requests for their data unless temporarily gagged by a court order.
In a statement, an Apple spokesman said the company is committed to transparency and will update its transparency reporting to include details about requests for push notifications in upcoming reports. Google spokesman Bob Ludwig declined to comment on the matter.
Wyden’s staff, citing a “tip,” did not identify the foreign governments seeking the data from Apple and Google. However, a source familiar with the issue confirmed that foreign and domestic agencies had been asking for push notification metadata that could help them link anonymous app users to their Apple or Google accounts. The source should have said how long the surveillance had been underway.
Unlike other information stored on smartphones, push notification records are not automatically deleted. That means a government could keep them for years. Moreover, there are many ways to access and analyze push notification data. For instance, it could be compiled by analysts at an intelligence agency, who would then use the information to build profiles of individuals or groups of people or target them with political propaganda. It is unclear whether the government has been able to exploit the system in this way, but the revelation of possible surveillance raises privacy concerns.