https://www.404media.co/us-government-warrant-monitoring-push-notifications-apple-google-yahoo/

Account

  * Log in
  * Subscribe

Navigation

  * Home

  * About
  * Support/FAQ
  * Podcast
  * Merch
  * Advertise
  * Thanks
  * Privacy

Follow us

Twitter Bluesky Mastodon Instagram TikTok Facebook RSS
 
Sign in Subscribe

  * About
  * Support/FAQ
  * Podcast
  * Merch
  * Advertise
  * Thanks
  * Privacy

Advertisement
*
Go ad free
News

Here's a Warrant Showing the U.S. Government is Monitoring Push
Notifications

Joseph Cox Joseph Cox
* Dec 6, 2023 at 9:34 AM
The findings come on the heels of a letter from Senator Ron Wyden
warning that governments are demanding data related to push
notifications from Apple and Google.
A phone and the court record. Image: Pexels and 404 Media.

This article was produced in collaboration with Court Watch, an
independent outlet that unearths overlooked court records.

The U.S. government is demanding that tech companies provide
information related to push notifications in order to identify a
target's specific device, according to a court record reviewed by 404
Media. The finding comes as Senator Ron Wyden published a letter on
Wednesday warning that the U.S. and foreign governments are making
such surveillance demands around push notifications to Apple and
Google. 

It is not totally clear if the demand for data related to push
notifications mentioned in the court record is one and the same as
that described at a high level in Wyden's letter. Regardless, the
court record provides more clarity on the legal mechanisms being used
in at least some cases to request information related to push
notifications, and what sort of crimes this novel surveillance
technique is being used against. 

"In the spring of 2022, my office received a tip that government
agencies in foreign countries were demanding smartphone 'push'
notification records from Google and Apple. My staff have been
investigating this tip for the past year, which included contacting
Apple and Google," the letter from Senator Wyden to Attorney General
Merrick B. Garland reads. Reuters was first to report the letter.


Do you know anything else about push notification surveillance? I
would love to hear from you. Using a non-work device, you can message
me securely on Signal at +44 20 8133 5190. Otherwise, send me an
email at joseph@404media.co.

As the letter explains, push notifications are not sent directly from
an app provider to a user's smartphone. Instead, "they pass through a
kind of digital post office run by the phone's operating system
provider," typically meaning Apple or Google. 

When a user gets a push notification on their phone, Apple or Google
receive a lot of information, including metadata that shows which app
received a notification, and which phone and associated Google or
Apple account it was to be sent to, Wyden says in his letter. In some
cases, unencrypted content like the actual text displayed in the
notification may be included too, Wyden adds.

The letter does not disclose the legal mechanism used by governments
to demand this data from Apple or Google. But the court record
reviewed by 404 Media does include some specifics around push
notification demands. Court Watch shared the record with 404 Media.
The record is a search warrant application from May 2020 related to
the investigation of a person suspected of theft or bribery
concerning programs receiving federal funds.

In the search warrant application for information associated with a
specific Yahoo email account, an FBI Special Agent writes under a
section of the record entitled "Background Information Regarding
Provider Services" that when a user of a mobile app installs and
launches an app, the app will direct the device to obtain a "Push
Token." This is "a unique identifier that allows the provider
associated with the application [...] to locate the device on which
the application is installed."

[push-notifications-1]
[push-notifications-2]

Screenshots from the search warrant application.

The court record then points specifically to Apple and Google, adding
"After the applicable push notification (e.g., Apple Push
Notifications (APN) or Google Cloud Messaging) sends a Push Token to
the device, the Token is then sent to the application, which in turn
sends the Push Token to the application's server/provider." When a
company then sends push notifications, it sends both the token itself
and what the court record describes as the "payload" associated with
the notification, "the substance of what needs to be sent by the
application to the device."

The Special Agent adds that these Push Tokens are stored on the
relevant tech company's servers, and that these may help identify a
specific phone or computer used by the target. Or, as the Special
Agent puts it, "Accordingly, the computers of PROVIDER are likely to
contain useful information that may help to identify the specific
device(s) used by a particular subscriber to access the subscriber's
PROVIDER account via the mobile application."

It is not clear if this is boilerplate language that has been
included in the search warrant application or whether the agent was
specifically seeking this information from Yahoo.

As Wyden's letter continues, "as with all of the other information
these companies store for or about their users, because Apple and
Google deliver push notification data, they can be secretly compelled
by governments to hand over this information."

Wyden concludes the letter by saying that Apple and Google should be
permitted to "generally reveal whether they have been compelled to
facilitate this surveillance practice," and to publish aggregate data
on the number of demands they have received. When Reuters contacted
Apple for comment, the company told the outlet that Wyden's letter
gave them the opening needed to share more details about how
governments monitor push notifications.

"In this case, the federal government prohibited us from sharing any
information," Apple told Reuters in a statement. "Now that this
method has become public we are updating our transparency reporting
to detail these kinds of requests." Reuters cited a source familiar
with the matter who described the foreign governments involved in
making the requests as democracies allied to the U.S. government.

Apple did not immediately respond to 404 Media's request for comment
on the legal mechanisms used against push notification-related data.
A Google spokesperson told 404 Media in an emailed statement that "We
were the first major company to publish a public transparency report
sharing the number and types of government requests for user data we
receive, including the requests referred to by Senator Wyden. We
share the Senator's commitment to keeping users informed about these
requests."

The full section of the court record discussing push notifications is
included below.

    PROVIDER also allows its subscribers to access its various
    services through an application that can be installed on and
    accessed via cellular telephones and other mobile devices. This
    application is associated with the subscriber's PROVIDER account.
    In my training and experience, I have learned that when the user
    of a mobile application installs and launches the application on
    a device (such as a cellular telephone), the application directs
    the device in question to obtain a Push Token, a unique
    identifier that allows the provider associated with the
    application (such as PROVIDER) to locate the device on which the
    application is installed. After the applicable push notification
    (e.g., Apple Push Notifications (APN) or Google Cloud Messaging)
    sends a Push Token to the device, the Token is then sent to the
    application, which in turn sends the Push Token to the
    application's server/provider. Thereafter, whenever the provider
    needs to send notifications to the user's device, it sends both
    the Push Token and the payload associated with the notification
    (i.e., the substance of what needs to be sent by the application
    to the device). To ensure this process works, Push Tokens
    associated with a subscriber's account are stored on the
    provider's server(s). Accordingly, the computers of PROVIDER are
    likely to contain useful information that may help to identify
    the specific device(s) used by a particular subscriber to access
    the subscriber's PROVIDER account via the mobile application.

About the author
Joseph is an award-winning investigative journalist focused on
generating impact. His work has triggered hundreds of millions of
dollars worth of fines, shut down tech companies, and much more.
More from Joseph Cox
Joseph Cox

More like this

Verizon Gave Phone Data to Armed Stalker Who Posed as Cop Over Email
Verizon Gave Phone Data to Armed Stalker Who Posed as Cop Over Email
The data transfer is a massive failure by Verizon, which fell for a
low quality scam that may have put someone's physical safety in
danger.
Joseph Cox Joseph Cox
* Dec 8, 2023
Reuters Takes Down Blockbuster Hacker-for-Hire Investigation After
Indian Court Order
Reuters Takes Down Blockbuster Hacker-for-Hire Investigation After
Indian Court Order
The investigation gave unprecedented insight into how hacker-for-hire
shops operated. Reuters says it stands by the reporting.
Joseph Cox Joseph Cox
* Dec 6, 2023
Hidden Cameras, GPS Data, and License Plate Readers: How the USPIS
Tracks Down Mail Thieves
Hidden Cameras, GPS Data, and License Plate Readers: How the USPIS
Tracks Down Mail Thieves
A court record shows how the oft overlooked United States Postal
Inspection Service turned to all manner of tech to investigate
someone stealing from mailboxes.
Joseph Cox Joseph Cox
* Dec 6, 2023
Civitai and OctoML Introduce Radical New Measures to Stop Abuse After
404 Media Investigation
Civitai and OctoML Introduce Radical New Measures to Stop Abuse After
404 Media Investigation
The moves come after 404 Media revealed the a16z funded AI platform
was being used to generate images that "could be categorized as child
pornography."
Emanuel Maiberg Emanuel Maiberg
* Dec 9, 2023
Behind the Blog: 'Wow Technology,' AI Content Creators, and Fake Cops
Behind the Blog: 'Wow Technology,' AI Content Creators, and Fake Cops
This week, we discuss staying connected in remote places, the future
of the "content creator," and how a stalker posing as a cop tricked
Verizon.
Samantha Cole Samantha Cole
* Dec 8, 2023
Verizon Gave Phone Data to Armed Stalker Who Posed as Cop Over Email
Verizon Gave Phone Data to Armed Stalker Who Posed as Cop Over Email
The data transfer is a massive failure by Verizon, which fell for a
low quality scam that may have put someone's physical safety in
danger.
Joseph Cox Joseph Cox
* Dec 8, 2023
Advertisement
*
Go ad free
Advertisement
*
Go ad free
*
Hide

Unparalleled access to hidden worlds both online and IRL.

404 Media is a new independent media company founded by technology
journalists Jason Koebler, Emanuel Maiberg, Samantha Cole, and Joseph
Cox.

  * About
  * Support/FAQ
  * Podcast
  * Merch
  * Advertise
  * Thanks
  * Privacy

Twitter Bluesky Mastodon Instagram TikTok Facebook RSS
Join the newsletter to get the latest updates.
[                    ]
Success
Great! Check your inbox and click the link to confirm your
subscription

(c) 2023 404 Media. Published with Ghost.