Date: 2023-12-11

The news last week came as a surprise to internet civil liberties activists, who said they’d never before heard of using push notifications as a surveillance tool. “We didn’t know it was happening,” said Jeramie Scott, senior counsel at the Electronic Privacy Information Center in Washington. “We’re just finding out right now.”

According to Democratic US Senator Ron Wyden of Oregon, law enforcement agencies have been quietly using court orders to scoop up “push notification” data collected by tech titans Apple and Google, while banning the companies from revealing that they were sharing the data.

When a smartphone app notifies you that you’ve received a package from Amazon or a text from a friend, it might end up notifying the government as well.

Push notifications are those little messages that pop up on our phones telling us about some event, like an appointment or the score of a basketball game. These notifications can contain valuable and sensitive information, such as the user’s location, the contents of text messages and emails, the names and phone numbers of the user’s friends, information about online purchases, travel plans, or whether or not the household burglar alarm is switched on or off.

Many thousands of apps issue push notifications. But they don’t go straight from the app to the user’s phone. Instead, they’re routed through servers run by the phone makers.

Apple, which makes the iPhone, and Google, whose Android software runs virtually all non-Apple smartphones, each have their own servers that receive push notifications from apps and deliver them to the user’s phone. But this means all notifications pass through chokepoints where they could be intercepted and read by investigators.

Users can protect themselves from this surveillance by switching off each app’s notification feature, but “switching off your push notifications is going to come at a pretty significant usability cost,” said Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation, an online civil liberties group based in San Francisco.

For instance, a user who’s reading an ebook could get a push notification about an important email. But with notifications switched off, they must manually open the email app to check.

According to Wyden’s letter sent to the US Department of Justice, he became aware of the issue when a whistle-blower alerted his staff that foreign governments were asking Apple and Google for the same kind of access to notification data. When Wyden’s office contacted Apple and Google, “the companies told my staff that information about this practice is restricted from public release by the government,” he wrote.

Wyden urged the Justice Department to allow Apple and Google to publish statistics about how often they get court orders to hand over push notification data. He also said the two companies should be free to notify the public about requests from foreign nations and to notify individuals whose data is being collected, unless a court issues a temporary gag order.

After Wyden released his letter, Google and Apple issued statements to Reuters confirming that they provided access to push notification data in response to court orders. Apple noted that “the federal government prohibited us from sharing any information,” adding that now that the practice had become public, it would issue reports revealing how often the company received such demands.

Criminal actors could also take advantage of the sensitive information found in many push notifications. Earlier this year, university researchers in Louisiana, Missouri, and China who surveyed more than 30,000 smartphone apps found that many of them handled push notifications in an insecure manner. In a paper published by the Institute of Electrical and Electronics Engineers, the researchers said that in over half of the apps they tested, “privacy policy compliance implementations are either stagnated … or [were] never implemented in apps, resulting in billions of users suffering from privacy exposure.”

The authors described the security risk as “severe” and called for better regulation of push notification systems to make the messages more difficult to steal.

Hiawatha Bray can be reached at hiawatha.bray@globe.com. Follow him @GlobeTechLab.