In a letter to the US Department of Justice, Senator Ron Wyden of Oregon — one of the most Internet-savvy elected officials at the federal level — raised concerns about the ability of tech companies like Apple and Google to use push notifications from applications to capture data on users that could be used for nefarious purposes.
Apps of all kinds rely on push notifications to alert smartphone users to incoming messages, breaking news, and other updates. These are the audible “dings” or visual indicators users get when they receive an email or their sports team wins a game. What users often do not realize is that almost all such notifications travel over Google and Apple’s servers.
Apple used the open letter as an opportunity to confirm these concerns — which they had apparently been prevented from discussing.
“In this case, the federal government prohibited us from sharing any information,” Apple said in a statement. “Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”
The entire letter appears below:
Dear Attorney General Garland:
I write to urge the Department of Justice (DOJ) to permit Apple and Google to inform their customers and the general public about demands for smartphone app notification records.
In the spring of 2022, my office received a tip that government agencies in foreign countries were demanding smartphone “push” notification records from Google and Apple. My staff have been investigating this tip for the past year, which included contacting Apple and Google. In response to that query, the companies told my staff that information about this practice is restricted from public release by the government.
Push notifications are the instant alerts delivered to smartphone users by apps, such as a notification about a new text message or a news update. They aren’t sent directly from the app provider to users’ smartphones. Instead, they pass through a kind of digital post office run by the phone’s operating system provider. For iPhones, this service is provided by Apple’s Push Notification Service; for Android phones, it’s Google’s Firebase Cloud Messaging. These services ensure timely and efficient delivery of notifications, but this also means that Apple and Google serve as intermediaries in the transmission process.
As with all of the other information these companies store for or about their users, because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information. Importantly, app developers don’t have many options; if they want their apps to reliably deliver push notifications on these platforms, they must use the service provided by Apple or Google, respectively. Consequently, Apple and Google are in a unique position to facilitate government surveillance of how users are using particular apps. The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered. In certain instances, they might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification.
Apple and Google should be permitted to be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users about other types of government demands for data. These companies should be permitted to generally reveal whether they have been compelled to facilitate this surveillance practice, to publish aggregate statistics about the number of demands they receive, and unless temporarily gagged by a court, to notify specific customers about demands for their data. I would ask that the DOJ repeal or modify any policies that impede this transparency.
Thank you for your attention to this pressing matter. If you have any questions or require clarification, please contact Chris Soghoian in my office.
Sincerely,
Ron Wyden
United States Senator
MacRumors and AppleInsider have coverage. 404 has a warrant.
This story will be especially interesting to track at a local level given that Portland company Airship is a major provider of push notification infrastructure for mobile applications.
[Full disclosure: I am a shareholder in Airship.]