Apple Just Confirmed Governments Are Spying on People’s Phones With Push Notifications

Governments are spying on U.S. smartphone users through the push notifications that they receive from apps, Senator Ron Wyden wrote in a letter to the Department of Justice on Wednesday and Apple confirmed. 

Wyden wrote that the federal government had restricted Apple and other companies’ ability to share information about this process. The Senator’s office “received a tip” last year that “government agencies in foreign countries were demanding smartphone ‘push’ notification records from Google and Apple,” Wyden, a Democratic senator from Oregon, wrote in the letter to Attorney General Merrick Garland. “My staff have been investigating this tip for the past year, which included contacting Apple and Google. In response to that query, the companies told my staff that information about this practice is restricted from public release by the government.” 

Apple confirmed in a statement to Reuters on Wednesday that, “In this case, the federal government prohibited us from sharing any information. Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

The process by which push notifications are generated requires the phone company to serve as a “digital post office,” Wyden wrote. Push notifications are sent through Apple and Google's servers, which means that the companies “serve as intermediaries in the transmission process,” and can therefore be made to hand over information to governments that request it. 

According to Wyden’s letter, the information that can be gleaned from push notification requests is mostly metadata. This includes information “detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered,” Wyden wrote. In some cases, requesters may even receive unencrypted content such as the text that was delivered in the notification. 

The senator said that companies can therefore “be secretly compelled by governments to hand over this information.” 

An unnamed source confirmed to Reuters that both foreign and U.S. government agencies had been asking the companies for push notification data, for example to tie anonymous users of messaging apps to specific accounts. They did not say which government agencies had participated in this, or for how long. 

Apple advises its developers to encrypt any sensitive data sent through a push notification, but does not require this practice. 

An Apple spokesperson told Motherboard that the company was “committed to transparency” and had “long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users.” The spokesperson said that Apple had updated its law enforcement guidelines and would begin to break out the requests for push notifications that it had received in its next transparency report. 

Apple’s new law enforcement guidelines now include a section on the company’s push notification service. “The Apple ID associated with a registered APNs [Apple Push Notification service] token may be obtained with a subpoena or greater legal process,” the document states.

A Google spokesperson said in an emailed statement to Motherboard: “We were the first major company to publish a public transparency report sharing the number and types of government requests for user data we receive, including the requests referred to by Senator Wyden. We share the Senator’s commitment to keeping users informed about these requests.” The spokesperson did not clarify any restrictions on publishing information relating to requests for push notification data. 

“Apple and Google should be permitted to be transparent about the legal demands they receive, particularly from foreign governments,” Wyden wrote. “These companies should be permitted to generally reveal whether they have been compelled to facilitate this surveillance practice, to publish aggregate statistics about the number of demands they receive, and unless temporarily gagged by a court, to notify specific customers about demands for their data. I would ask that the DOJ repeal or modify any policies that impede this transparency.” 

The Department of Justice declined to comment.