acm-header
Sign In

Communications of the ACM

ACM News

Governments Are Spying on Your Push Notifications


View as: Print Mobile App Share:
Receiving push notifications.

Reuters confirmed that both the U.S. and foreign governments have been asking Apple and Google for metadata related to push notifications.

Credit: Shutterstock

We all get push notifications on our smartphones, but we don't all feel the same about them. Some of us find them helpful, like when we're pinged that our Amazon package has arrived. Some of us get so irritated with inane app alerts that we disable them the moment we download new apps.

Few of us, however, consider them dangerous, and it turns out they just might be.

In December 2023, U.S. Senator Ron Wyden (D-OR) sent a letter to the U.S. Department of Justice that said certain governments were using push notifications to spy on users of Apple and Google devices.

In the letter, Wyden said his office had received a tip in 2022 that unidentified "government agencies in foreign countries'' were pressuring Apple and Google to turn over push notification records.

The push notifications generated by nearly every app on your smartphone travel through Apple and Google servers on their way to users, and they leave behind records on those servers. According to the letter, this includes metadata "detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered." In certain cases, it may also include "unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification."

Wyden's claims have been verified. Reuters confirmed via a source that both the U.S. and foreign governments have been asking the two companies for metadata related to push notifications. In a statement, Apple revealed it has been pressured by governments to share push notification data for some time. The company also indicated it has previously been prohibited by the U.S. government from sharing this information.

Now that the issue is public, Apple has updated its Legal Process Guidelines to disclose that it may share push notification data with government authorities when it has a legal obligation to do so via "a subpoena or greater legal process."

With enough push notification metadata, it is possible that government agencies could decode how someone has used a particular app. It also means governments may be able to associate which Apple and Google accounts have sent anonymous messages. In the case of the "actual text displayed to a user in an app notification" cited in Wyden's letter, it also means governments might actually be able to see what you've sent in an anonymous messaging app.

This metadata could have legitimate law enforcement applications when obtained through proper legal channels, but it also could have a devastating impact on user privacy, individual civil rights, and the overall security of anonymous messaging apps.

That last target is particularly worrisome.

Anonymous messaging apps often are used by citizens and dissidents under oppressive political regimes to communicate without suffering harassment, persecution, or oppression. Journalists regularly rely on anonymous messaging apps to communicate securely with sources revealing sensitive information. They also are used extensively in the financial services industry to safely raise awareness about unethical companies or practices, says Luigi Wewege, president of Belize-based Central American financial institution Caye International Bank.

The Justice Department has not yet commented on Wyden's letter or the issue at large. While Apple and Google have confirmed that governments are compelling them to share push notification metadata, it's still unclear what type of data is being shared—or how often it's being shared.

"The hosting companies and app service providers should have full access to the push notifications, and this is how this technology is designed," says Dezhi Wu, a professor at the University of South Carolina who does research on push notification design. "Depending on the agreement levels between tech companies and governments, there is the potential for governments to access the text of the notification itself."

Right now, no one seems to know if governments can specifically access the text of notifications themselves. If they can, every anonymous messaging app on the planet just became tremendously less anonymous.

We also don't know how long Apple and Google have had agreements with governments to turn over push notification metadata. However, we do know that these agreements are not new.

In recent reporting, The Washington Post found more than two dozen U.S. government requests for push notification data from Amazon, Apple, Google, and Microsoft, some of which were related to federal law enforcement's investigation into the Capitol riots that took place on January 6, 2021. How this news will change the world of digital privacy remains to be seen.
 

Logan Kugler is a freelance technology writer based in Tampa, Florida. He is a regular contributor to CACM and has written for nearly 100 major publications.


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account