US senator claims Google and Apple reveal push notification data to foreign govs

Cupertino promises to reveal its data deliveries, ending silence on the matter


Government agencies in unspecified countries have compelled Apple and Google to hand over push notification data without telling anyone, thanks to US government regulations, according to US senator Ron Wyden (D-OR).

Wyden on Wednesday sent a letter to the US Department of Justice (DOJ) asking that the department revise its rules to allow Apple and Google to reveal demands for push notification records.

"In the spring of 2022, my office received a tip that government agencies in foreign countries were demanding smartphone 'push' notification records from Google and Apple," Wyden's letter [PDF] says.

"My staff have been investigating this tip for the past year, which included contacting Apple and Google. In response to that query, the companies told my staff that information about this practice is restricted from public release by the government."

Wyden has asked the DOJ to repeal any policies that prevent transparency about compelled surveillance, and to allow individual customers to be notified if they are under surveillance, unless barred by a court order.

The US Justice Department did not immediately respond to a request to say whether it intends to honor Wyden's request, or to say whether US law enforcement agencies have also sought push notification data. Apple and Google did not immediately respond to requests for comment.

Following the publication of Wyden's letter, Apple told Reuters that it intends to update its transparency reports to reflect receipt of push notification data requests.

Apple and Google each offer push notifications, alerts managed at the operating system level that allow mobile apps to notify users about specific events, like the receipt of messages or updated content. There are also third-party notification services like Pushover that rely on Apple or Google infrastructure.

As operators of push notification servers, Apple and Google are uniquely situated to serve government surveillance efforts, Wyden said.

"The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered," Wyden wrote.

"In certain instances, they also might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification."

App developers who integrate these services may, despite best practice advice, include unencrypted sensitive data in these notifications. Push notifications (but not metadata) are typically encrypted in transit (TLS) but are not necessarily protected on Apple's or Google's servers unless developers have taken the necessary additional steps.

Some app developers have expressed concern over the lack of protection for push notification data. David Libeau, a Paris-based developer, published a report about the problem in January titled "Push notifications are a privacy nightmare."

Libeau told The Register that the French data protection authority, CNIL, is aware of the data protection implications of push notification systems and has said that mobile phone operating systems should support third-party servers for notifications and that developers should encrypt transmitted data. ®
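The "additional steps" mentioned above, and the advice that developers encrypt transmitted data, come down to sealing the notification body before it reaches the push service. The following is an added example, not code from Apple, Google, or the article: the request shape, field names and function names are hypothetical, and it assumes a per-device 32-byte key already shared between the app server and the app over the app's own channel.

```javascript
const crypto = require("node:crypto");

// Bind the ciphertext to its routing metadata so it cannot be replayed
// to another device or app without failing authentication.
function aadFor(deviceToken, appId) {
  return Buffer.from(`${appId}|${deviceToken}`, "utf8");
}

// App server: build what is handed to the push provider (hypothetical shape).
function buildPushRequest(deviceToken, appId, key, message) {
  const iv = crypto.randomBytes(12); // fresh nonce per notification
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aadFor(deviceToken, appId));
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(message), "utf8"),
    cipher.final(),
  ]);
  const sealed = Buffer.concat([iv, cipher.getAuthTag(), ct]);
  return {
    deviceToken,                      // metadata: still visible to the provider
    appId,                            // metadata: still visible to the provider
    sentAt: new Date().toISOString(), // metadata: still visible to the provider
    payload: { enc: sealed.toString("base64") }, // content: ciphertext only
  };
}

// App on the device: recover the message, rejecting anything modified in transit.
function openPushRequest(req, key) {
  const raw = Buffer.from(req.payload.enc, "base64");
  if (raw.length < 28) throw new Error("sealed payload too short");
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const ct = raw.subarray(28);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, {
    authTagLength: 16,
  });
  decipher.setAAD(aadFor(req.deviceToken, req.appId));
  decipher.setAuthTag(tag);
  // final() throws if the tag, ciphertext or bound metadata do not match.
  const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// Constructed sample values, for illustration only.
const demoKey = crypto.randomBytes(32);
const demoReq = buildPushRequest("constructed-device-token", "com.example.chat",
  demoKey, { title: "Alice", body: "meet at 6" });
console.log(demoReq);                      // what the push provider can record
console.log(openPushRequest(demoReq, demoKey)); // what only the device can read
```

The logged request shows the split Wyden's letter describes: the text is opaque to the push provider, while the device token, app identifier and timing remain readable and cannot be hidden by the developer.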
