Brother
Professional
- Messages
- 2,590
- Reaction score
- 526
- Points
- 113
Senator Ron Wyden of Oregon said that governments around the world are requesting data from Apple and Google about user push notifications in order to spy on specific devices and people. Apple has already confirmed that this is true.
This week, Wyden sent an official letter to the US Department of Justice, in which he said that the federal government restricts the ability of Apple and other companies to share information about such requests publicly.
It all started with the fact that last year the senator's office received information from an unnamed source that "government agencies in foreign countries require Google and Apple to record push notifications."
"My employees have been investigating this information over the past year, including contacting Apple and Google. In response to these requests, the companies informed my employees that the government prohibits them from publicly disclosing information about this practice," Wyden said in the letter.
As the senator explains, the process of creating push notifications requires the company to act as a kind of "digital post office". In other words, notifications pass through intermediary gateways managed by device vendors (Google Firebase Cloud Messaging and Apple Push Notification Service), and app developers are required to use these Apple and Google gateways.
Since push notifications are transmitted through Apple and Google's servers, this means that companies "act as intermediaries in the process of transmitting [data]" and they can be forced to disclose this information to governments that request it.
The information that can be obtained in this way is basically metadata, "detailing which app received the notification and when, and to which phone and associated Apple or Google account, the notification should have been delivered." Even worse, in some cases, requesters may even receive unencrypted content itself, such as the text that the notification contained.
According to Wyden, as a result, governments can "secretly force companies to share this information."
"Apple and Google should be allowed to be more open about the legal demands they receive, especially from foreign governments," Wyden writes. "These companies should be allowed to generally disclose whether they were forced to facilitate such surveillance, publish summary statistics on the number of requests they receive, and, if the court has not temporarily banned them, notify specific clients of requests for their data. I ask the Ministry of Justice to cancel or change the provisions that prevent such transparency.
Apple representatives have already confirmed to Reuters that the federal government has indeed banned the company from "sharing any information" about these practices. But now that everything has become public, the company has promised to update its transparency reports and "describe such requests in detail.
At the same time, Reuters own source reports that both foreign and American government agencies regularly requested data on push notifications from companies, for example, in order to link anonymous messenger users to specific accounts. However, it is not known exactly which structures were involved in this, and how long it lasted.
It should be noted that Apple recommends that developers encrypt any sensitive data sent via push notifications, but this is not a mandatory requirement.
An Apple spokesperson told Vice Motherboard that the company has already updated its compliance guidelines and will begin disclosing information about push notification requests it has received in its next transparency report.
The journalists found that the updated documentation did indeed include a section dedicated to the push notification service. "The Apple ID associated with a registered APNs token [Apple Push Notification Service] can be obtained through a subpoena or other legal process," the document says.
In turn, Google representatives state:
"We were the first major company to release a public transparency report, revealing the number and types of government requests for user data, including those mentioned by Senator Wyden. We fully share the Senator's desire to inform users about these requests."
It is not yet clear whether Apple or Google plan to release any separate reports documenting all past requests from the authorities for push notifications.
This week, Wyden sent an official letter to the US Department of Justice, in which he said that the federal government restricts the ability of Apple and other companies to share information about such requests publicly.
It all started with the fact that last year the senator's office received information from an unnamed source that "government agencies in foreign countries require Google and Apple to record push notifications."
"My employees have been investigating this information over the past year, including contacting Apple and Google. In response to these requests, the companies informed my employees that the government prohibits them from publicly disclosing information about this practice," Wyden said in the letter.
As the senator explains, the process of creating push notifications requires the company to act as a kind of "digital post office". In other words, notifications pass through intermediary gateways managed by device vendors (Google Firebase Cloud Messaging and Apple Push Notification Service), and app developers are required to use these Apple and Google gateways.
Since push notifications are transmitted through Apple and Google's servers, this means that companies "act as intermediaries in the process of transmitting [data]" and they can be forced to disclose this information to governments that request it.
The information that can be obtained in this way is basically metadata, "detailing which app received the notification and when, and to which phone and associated Apple or Google account, the notification should have been delivered." Even worse, in some cases, requesters may even receive unencrypted content itself, such as the text that the notification contained.
According to Wyden, as a result, governments can "secretly force companies to share this information."
"Apple and Google should be allowed to be more open about the legal demands they receive, especially from foreign governments," Wyden writes. "These companies should be allowed to generally disclose whether they were forced to facilitate such surveillance, publish summary statistics on the number of requests they receive, and, if the court has not temporarily banned them, notify specific clients of requests for their data. I ask the Ministry of Justice to cancel or change the provisions that prevent such transparency.
Apple representatives have already confirmed to Reuters that the federal government has indeed banned the company from "sharing any information" about these practices. But now that everything has become public, the company has promised to update its transparency reports and "describe such requests in detail.
At the same time, Reuters own source reports that both foreign and American government agencies regularly requested data on push notifications from companies, for example, in order to link anonymous messenger users to specific accounts. However, it is not known exactly which structures were involved in this, and how long it lasted.
It should be noted that Apple recommends that developers encrypt any sensitive data sent via push notifications, but this is not a mandatory requirement.
An Apple spokesperson told Vice Motherboard that the company has already updated its compliance guidelines and will begin disclosing information about push notification requests it has received in its next transparency report.
The journalists found that the updated documentation did indeed include a section dedicated to the push notification service. "The Apple ID associated with a registered APNs token [Apple Push Notification Service] can be obtained through a subpoena or other legal process," the document says.
In turn, Google representatives state:
"We were the first major company to release a public transparency report, revealing the number and types of government requests for user data, including those mentioned by Senator Wyden. We fully share the Senator's desire to inform users about these requests."
It is not yet clear whether Apple or Google plan to release any separate reports documenting all past requests from the authorities for push notifications.
