We at the Home Assistant Companion for iOS team have been wanting to implement end-to-end encryption for our push notifications for a while now, but Apple has denied our request for the com.apple.developer.usernotifications.filtering [0] entitlement multiple times. Wondering if with today's news we could apply again and get it.

For context, we are sending ~35 million push notifications per month on iOS and ~67 million on Android; see more at [1].

[0]: https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_usernotifications_filtering

[1]: https://threadreaderapp.com/thread/1721717002946191480.html
Ron Wyden has been barking up this tree for a long time:

https://www.wyden.senate.gov/issues/secret-law

https://www.wyden.senate.gov/news/press-releases/wyden-colleagues-introduce-legislation-to-ban-data-brokers-from-selling-americans-location-and-health-data

https://www.wyden.senate.gov/news/press-releases/wyden-introduces-comprehensive-bill-to-secure-americans-personal-information-and-hold-corporations-accountable

https://www.wyden.senate.gov/priorities/gps-act

https://www.wyden.senate.gov/news/press-releases/wyden-releases-discussion-draft-of-legislation-to-provide-real-protections-for-americans-privacy
> "In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests."

When they were building the CSAM detector: "what if the government asks you to extend the detection to include other media such as political meme images?" "we would refuse".
Legitimately scary stuff but not surprising. Snowden risked everything to tell us what was going on and where things were headed yet here we are. At this point, it seems the only way to not be subject to this type of treatment by our governments is to completely unplug from the system, but of course, practically speaking, this isn’t feasible for the overwhelming majority of our society. So what are the alternatives here?
Would be great to see an example of notification metadata that can supposedly link it to real users.

Seems like this is what is being implied:

Given:
- users with notifications enabled
- have X app installed
- targeted user(s) reside in USA
- targeted user(s) following “foo” on X app

When:
- issue FISA warrant for all smartphone users that received notifications in regards to “foo” user

Then:
- able to pull all Apple/Google accounts that match this criteria
- able to get real addresses and names
- can crosscheck names with other details to narrow down suspect

Or maybe it’s something even worse where notifications somehow leak location data.
This reminds me, whatever happened to mesh networks? If you wanted to be out and about in public, you could simply carry a very anonymized device that had only more basic abilities. But among those abilities, you could certainly send messages and maybe even smaller-sized files, all over a mesh network. Feds could infiltrate it, but it wouldn't be nearly as trivial as it is right now. And users could rotate their devices. Furthermore, if the device in question wasn't a real phone, but rather something more generic (a wifi-capable device with a keyboard, virtual or physical), then it wouldn't even need to have an IMEI.
Some issues could be prevented if push messages added end-to-end encryption by default, something that shouldn’t be particularly hard to use if it was built into the dev tooling. Instead, developer recommendations like this one [0] suggest that you should put content into your push messages and optionally use a separate library to encrypt them. Clearly developers aren’t doing this, hence the opportunity for surveillance.

[0] https://android-developers.googleblog.com/2018/09/notifying-your-users-with-fcm.html
Metadata in this case apparently means Apple and Google are helping find “this real user connected to that real user at this time”. So governments may or may not be able to decrypt a push message payload, or data delivered because of that payload.
The only way out of this mess is with new laws and that will require new lawmakers. Any other solution (relying on the kindness of corporations, toiling away with obscure technologies, going 'off the grid') is foolish or unrealistic for 99% or so of people and shouldn't even be considered.

The most promising starting point is probably at the state level.
This, to me, is the more disturbing part of the article:

> "In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests."

What is the point of transparency reports if they don't include major vectors of government surveillance?

IMO such gag orders shouldn't be legal when applied to dragnet surveillance. If you want to gag a company from notifying an individual they're being surveilled (with a warrant), then fine. But gagging a company from disclosing untargeted or semi-targeted surveillance, especially if it involves American citizens, seems like it should be unconstitutional on free speech grounds.
Push notifications are sent from an app server to an individual device, correct? And the device enrolls with the server for receiving push notifications.

Why isn't there key exchange happening at the time of enrollment? Why is it something apps have to manually do? We moved the web to https everywhere for a reason, why are apps behind the web in privacy?

Potentially stupid question - how is iMessage encrypted end to end if the notifications aren't?
"The source declined to identify the foreign governments involved in making the requests but described them as democracies allied to the United States"

- why not identify them?
I know Pinephone isn't ready for daily use from all the threads here, but I just ordered one to get some stick time with it. Getting real tired of having to fight my phone to keep my data mine.

I just want the equivalent of Debian, but on mobile. I understand I'll have to give up a bunch of apps, but honestly I think it's worth it. As soon as it's possible I'd like off this ride.
One question I have as someone who tries to maintain (some) data sovereignty: is there any way as an end-user to circumvent/mitigate this kind of surveillance — aside from abandoning iOS and Android completely?
It's a huge problem for both privacy and the open source ecosystem that Apple and Google mandate use of their own notification system for apps to be included in their stores.
Pardon my ignorance, but would blocking all push notifications stop this specific act of surveillance? I usually don't need any notifications' content on the screen apart from "you have a new message on <app>, go check it". Or is that what's being discussed here?
Why didn't Apple pull the plug on these services as soon as the government started spying with them? Why didn't they rearchitect them to use E2E encryption? Do they actually have principles about privacy or is it just a thing they want us to believe?
A paranoid part of me has wondered if some of the text/phone spam we all receive is actually used to stimulate cellphones for tracking purposes.

If you have deeper access to the OS, then fingerprint unlock or FaceID also seem important for positive identification prior to, for example, a Predator strike.
It's fascinating that about half of these comments appear to be from younger people unfamiliar with "USA PATRIOT" Act gag orders, FISA, Five Eyes, Least Untruthful Response and related controversies that were big in the news 10-20 years ago.

Amusingly and sadly, the law was called PATRIOT as a normal "give a bad law a Good name", but over time "patriot" has become a synonym for "traitor" in common use.
Unifiedpush to save the day!
And an XMPP server with Conversations can be the basis for it: https://unifiedpush.org/users/distributors/conversations/
Another case of https://en.m.wikipedia.org/wiki/Third-party_doctrine in motion
I'm surprised hyper-private services like Signal haven't foreseen this as a potential vector and given you options to e.g. exclude different details from push notifications (or warned you to disable them altogether if you're worried about it).
This is yet another example of: if the data can be collected it will be used by governments.

You can slow this down by making data explicitly built to be impossible to read in transit (e.g. e2e) and then deleting or never saving it, but the fact that data flows through multiple stops means each transition is an opportunity for third-party observation.

This is deterministic and is built into the structure of data production, transport and consumption. This is part of the infrastructure and cannot be extricated.
It'd be cool if Signal and other privacy-focused apps added an option to delay push notifications. That would obfuscate the connection between two accounts.

It's a band-aid, but it's something.
It's time for a privacy bill of rights. You have to attach inalienable rights to people and then enforce them at the civil rights level.

These things are troubling now. In the post-AGI world these are much more difficult problems because the data becomes training for purposes far beyond anything that could be foreseen in the data collection questions.
With respect to the US, I would be more worried about Apple and Google spying on users through push notifications. Americans have legal protections against government spying but they have basically zero protections against spying by so-called "tech" companies. Neither Apple nor Google can demand information about citizens from the government, but the government can demand this from Apple or Google, which they do, successfully, with increasing frequency. People share details of their lives with Apple and Google they would probably never share with the government, but the government has little trouble getting it from these so-called "tech" companies, without any notice to the user, so sharing these details with Apple and Google is arguably even worse. The ability for people to fight against this sharing of information is nonexistent; it's up to the companies to resist. Given the number of users whose data they hold, that simply is not feasible. These companies do not care about people's privacy. They seek to profit from learning every detail of people's lives. Commercial surveillance.

When the government asks citizens for information it's usually for a specific purpose and can only be used for that purpose. When so-called "tech" companies collect information, it is for any purpose. They might assure users that "the information is only used to improve the software or service". What limits does this create, if any? How do we verify that the company is not using our information in ways that compromise our interests if we are not allowed to learn how the company is using the information? Imagine if the government assured people that the information it collects "will only be used to improve the government".

Not every computer user is a national security threat or even a common criminal, i.e., a person that the government has some need to spy on. That's not who I am referring to in this comment. These so-called "tech" companies spy on everyone. And they don't just want to know about one thing, for one purpose, they want to know everything for any purpose.
UnifiedPush[0] seems like a great alternative to notifications passing through Apple/Google's hands, and I wish it was implemented in more apps.

[0] https://unifiedpush.org/
I must be fundamentally missing something here. I thought all this data scooping was to find the bad guys. Are the bad guys really so stupid as to use Apple or Android (or any closed system) to communicate? Cryptonomicon was written 25 years ago.
> In a statement, Apple said that Wyden's letter gave them the opening they needed to share more details with the public about how governments monitored push notifications.

> "In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests."

If Apple knew about this why wouldn't they limit their exposure to this user data?
My startup (LaunchKey, now part of TransUnion) encrypted the data in our push authentication requests as late as a decade ago. This was painful until they expanded the size of the message allowing for more encrypted data. It is possible to do so (I would use pub/priv ec keys now) but remember you are limited in the amount of data you can include so you might need a “pull” to deliver all of the content necessary.
That's why we at Tuta do not send any information with the push on Apple and have built our own push notification for Android (we'd never use Google Push): https://tuta.com/blog/posts/open-source-email-fdroid
Completely unrelated, but sort of related. With all this surveillance and spying going on, what's a normal citizen to do?

For example: cloud storage? Streaming music? Online note-taking?

Should the more technically-inclined, but average, person start looking at taking more and more of these things off-line given the state of mass surveillance going on and the crazy push towards all things AI?
Is this a timing side channel attack, where say I am a member of a Signal group, or have a Proton email client or Matrix/Element or something, are they sending patterns of beacon messages that may look normal, and then watching the traffic across mobile networks (or directly on platforms) that matches, and then narrowing endpoints that show it?
I guess you have to assume that any message in transit over a public network is public. Of course, you can use something like PGP to encrypt messages before sending them, provided that the recipient has your key. I know of a few people who do that.

Outside of that kind of thing, we're probably yelling everything out loud to anyone who wants to listen.
What sort of metadata or information can be gathered from a push notification from an app like iMessage? I know a timestamp is there and most likely the sender's phone number.

But is there some sort of sensitive info that these governments are trying to glean? Or is it more so they can build info maps and communication maps on targets?
> "The source declined to identify the foreign governments involved in making the requests but described them as democracies allied to the United States"

Oh look! The US end-running constitutional protections again via 5+Eye proxy governments. Who could ever have guessed.
> …a source familiar with the matter confirmed that both foreign and U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.
In the past, Google, Apple, Amazon, Facebook, and a slew of other companies would have been broken up using antitrust laws. These aren't just monopolies at this point, they are clusters of monopolies. This is leading us down a dark path.
It should only[0] be metadata, though. The push notification should signal the app that there is data to fetch, then the app goes and fetches it. The push notification itself should carry none of the data.

[0] still bad though and they should stop.
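Putting together the three design points raised in this thread (a device key exchanged at enrollment, the encrypted push payload with a size limit that the LaunchKey comment describes, and a push that only signals so the app fetches the content), here is an added example in Go; it is not any commenter's code and not the API of Apple's or Google's push services. The 256-byte budget, the `push-v1` label and the function names are assumptions, and only the standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// PayloadBudget is an assumed byte budget for encrypted content per push; the real ceiling is the provider's.
const PayloadBudget = 256

// aeadFor runs X25519 ECDH and derives an AES-256-GCM key; SHA-256(secret||label) stands in for HKDF (stdlib only).
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(shared, []byte("push-v1")...))
	block, _ := aes.NewCipher(key[:]) // a 32-byte key cannot fail here
	return cipher.NewGCM(block)
}

// SealPush encrypts content to the device's X25519 public key (ECIES-style) as
// ephemeralPub(32) || nonce(12) || AES-GCM ciphertext. If that exceeds the budget it
// returns only the opaque fetch token, so the push itself carries no content and the app pulls it.
func SealPush(devicePub *ecdh.PublicKey, content []byte, token string) (ct []byte, fetch string, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, "", err
	}
	gcm, err := aeadFor(eph, devicePub)
	if err != nil {
		return nil, "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, "", err
	}
	ct = gcm.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, content, nil)
	if len(ct) > PayloadBudget {
		return nil, token, nil
	}
	return ct, "", nil
}

// OpenPush decrypts a SealPush ciphertext with the device's private key.
func OpenPush(devicePriv *ecdh.PrivateKey, payload []byte) ([]byte, error) {
	if len(payload) < 32+12+16 {
		return nil, errors.New("push payload too short")
	}
	ephPub, _ := ecdh.X25519().NewPublicKey(payload[:32]) // only length is checked, and it already is
	gcm, err := aeadFor(devicePriv, ephPub)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, payload[32:44], payload[44:], nil)
}
```

The device would register the public half of its X25519 key with the app server at enrollment; either way the push provider sees at most that a notification exists and when it was sent, which is exactly the metadata exposure this thread is about.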
If you wish privacy then just get a Linux phone. May not have the coolest features, but if you need more than a classic phone, Linux phones will do fine. Fewer apps means fewer distractions - a win-win situation.
Must be interesting to work on the teams responsible for compliance at Apple/Google. Would talking to someone about these kinds of orders qualify as treason under US law?
Great news considering we're now getting an extreme-right fascist government in Holland. Why not give them all our data on a platter, they can be trusted.
How does this apply to WhatsApp's e2ee promise? Do they use this system? Do Google and Apple have plain text messages that were supposedly private?
Is anyone surprised? Why would there be pen registers, and tap and trace for phone calls and email, but not for other traffic? The ability of governments to do secret surveillance of such metadata is well established in law and jurisprudence, variously in various countries.

It is a Weird Nerd Thing to believe that old laws can't apply to new computer thing.
>> Reuters' source would not identify which governments were making the data requests but described them as "democracies allied to the United States."

It feels so liberating to be spied upon by "democracies allied to the United States" vs. others.

LOL.
It's crazy to me that so much effort is being expended pretending that companies and the government are doing anything in the name of privacy, when we have all the proof by Assange and Snowden that they're doing realtime surveillance of ALL communications, 24x7 -- no matter what any laws say -- and we don't even talk about it any more. What's the point of any of this? All we can do is assume that our every position, purchase, and electronic communication is being tracked and saved, and act accordingly. The Constitution no longer matters, and there's no one coming to save us.
Hey other states, can you elect a few more Ron Wydens? He's been doing a ton of the heavy lifting lately. Every time we hear about the intelligence community egregiously violating civil liberties, it's always Wyden.
Given a lot of journalists and activists use encrypted communications to be able to do their job without being unduly or unjustly persecuted (yes, the bad guys use them too!), and 12 US State Attorneys General just signed a letter and delivered it to the major news agencies (NYT, CNN, Reuters, AP, etc.) that warns of any "support to terrorist organizations" and specifically points out Hamas, but is not very clear on what "support" or "business relationship" means (sending a camera to do a report where the press is not allowed due to Israel's complete control of the media - echoes of US journalist access during the Iraq War), and puts them on notice. Nothing is safe from Big Brother, anywhere, any country.
I noted that Apple says the governments in question are allies of the United States. I wonder if this is a case of American intelligence outsourcing the surveillance of American citizens to foreign intelligence. If that is indeed the case, I’d expect a quid pro quo.
Why do they need to confirm an already known fact: FAANG platforms are built to spy on users? We've known about this fact for at least a decade since the Snowden revelations.

Nothing has materially changed since then, technically, politically, legally, or even culturally. Yet people still believe for-profit corporations have their best interests in mind, thanks to clever marketing and groupthink, clutching to "encrypted apps" and empty "we value your privacy" double-speak: neither will defend you.

There is no privacy on proprietary closed source platforms - it is simply infeasible; it is trying to squeeze blood from a stone. I know this truth will likely trigger and upset people with their $1,000+ iPhones, MacBooks and other iToys, and this sunk cost fallacy is really pathetic to witness in grown adults.