Governments have been secretly tracking the app activity of an unknown number of people using Apple and Google smartphones, US Senator Ron Wyden (D-Ore.) revealed today.
In a letter demanding that the Department of Justice update or repeal policies prohibiting companies from informing the public about these covert government requests, Wyden warned that "Apple and Google are in a unique position to facilitate government surveillance of how users are using particular apps."
Push notifications are used to provide a wide variety of alerts to app users. A friendly ding or text alert on the home screen notifies users about new text messages, emails, social media comments, news updates, packages delivered, gameplay nudges—basically any app activity where notifications have been enabled could be tracked by governments, Wyden said.
According to Wyden, many app users do not realize that these instant alerts "aren't sent directly from the app provider to users’ smartphones" but instead "pass through a kind of digital post office run by the phone's operating system provider" to "ensure timely and efficient delivery of notifications."
Data transmitted to Google and Apple includes metadata "detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered," Wyden wrote. Sometimes data shared may include "unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification," Wyden warned.
"As with all of the other information these companies store for or about their users, because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information," Wyden wrote.
Wyden said his office spent the past year investigating a "tip" received in spring 2022 claiming that "government agencies in foreign countries were demanding smartphone 'push' notification records from Google and Apple."
After contacting the companies, Wyden concluded that "Apple and Google should be permitted to be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users about other types of government demands for data."
Apple has since confirmed in a statement provided to Ars that the US federal government "prohibited" the company "from sharing any information," but now that Wyden has outed the feds, Apple has updated its transparency reporting and will "detail these kinds of requests" in a separate section on push notifications in its next report. Ars verified that Apple's law enforcement guidelines now note that push notification records "may be obtained with a subpoena or greater legal process."
A Google spokesperson told Ars that Google was "the first major company to publish a public transparency report sharing the number and types of government requests for user data we receive, including the requests referred to by Senator Wyden." That means Google's transparency report, Ars confirmed, already documents requests for push notification data in aggregated data of all government requests for user information. Google's spokesperson said that the company shares "the Senator’s commitment to keeping users informed about these requests."
It's unclear if either Apple or Google plans to provide any standalone reporting documenting all past requests for push notification data. Without such reporting, it remains unknown exactly which foreign governments have historically requested the data.
A source familiar with Wyden's probe told Reuters that "both foreign and US government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts." The source could not confirm how long agencies had been sending the requests and would only describe the foreign governments as "democracies allied" to the US.
Wyden declined to comment further but wrote in his letter that he is pushing the DOJ to not just end the secrecy but also require even more transparency about these secretive requests.
"These companies should be permitted to generally reveal whether they have been compelled to facilitate this surveillance practice, to publish aggregate statistics about the number of demands they receive, and unless temporarily gagged by a court, to notify specific customers about demands for their data," Wyden wrote.