Turns Out Cops Are Super Interested In Subpoenaing Suspects' Push Notifications

More than 130 petitions seeking access to push notification metadata have been filed in US courts, according to a Washington Post investigation – a finding that underscores the lack of privacy protection available to users of mobile devices.

The poor state of mobile device privacy has provided US state and federal investigators with valuable information in criminal investigations involving suspected terrorism, child sexual abuse, drugs, and fraud – even when suspects have tried to hide their communications using encrypted messaging.

But it also means that prosecutors in states that outlaw abortion could demand such information to geolocate women at reproductive healthcare facilities. Foreign governments may also demand push notification metadata from Apple, Google, third-party push services, or app developers for their own criminal investigations or political persecutions. Concern has already surfaced that they may have done so for several years.

In December 2023, US senator Ron Wyden (D-OR) sent a letter to the Justice Department about a tip received by his office in 2022 indicating that foreign government agencies were demanding smartphone push notification records from Google and Apple.

"As with all of the other information these companies store for or about their users, because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information," Wyden wrote.

Wyden wrote to the Justice Department seeking clarification because when staff asked Apple and Google to shed light on push notification data demands, they were told "information about this practice is restricted from public release by the government."

Apple has since indicated it intends to provide more insight into push data demands in its transparency report – the twice-yearly document it compiles to list government requests for its intervention. Google likewise has offered assurances it supports greater transparency.

Apple and Google operate push notification services that relay communication from third-party servers to specific applications on iOS and Android phones. App developers can encrypt these messages when they're stored (in transit they're protected by TLS) but the associated metadata – the app receiving the notification, the time stamp, and network details – is not encrypted.

According to the Washington Post, court filings in 14 states and in the District of Columbia demonstrate that investigators are using push notification metadata.

• Chinese 'connected' cars are a national security threat, says Biden
• Meta's pay-or-consent model hides 'massive illegal data processing ops': lawsuit
• Palantir boss says outfit's software the only reason the 'goose step' has not returned to Europe
• Nevada sues to deny kids access to Meta's Messenger encryption

Zach Edwards, a security consultant who runs Victory Medium, told The Register that push notification metadata is extremely valuable to marketing organizations, to app distributors like Apple and Google, and also to government organizations and law enforcement agencies.

"In 2022, one of the largest push notification companies in the world, Pushwoosh, was found to secretly be a Russian company that deceived both the CDC and US Army into installing their technology into specific government apps," said Edwards.

"These types of scandals are the tip of the iceberg for how push notifications can be abused, and why countless serious organizations focus on them as a source of intelligence," he explained.

"If you sign up for push notifications, and travel around to unique locations, as the messages hit your device, specific details about your device, IP address, and location are shared with app stores like Apple and Google," Edwards added. "And the push notification companies who support these services typically have additional details about users, including email addresses and user IDs."

Edwards continued that other identifiers may further deprive people of privacy, noting that advertising identifiers can be connected to push notification identifiers. He pointed to Pushwoosh as an example of a firm that built its push notification ID using the iOS advertising ID.

"The simplest way to think about push notifications," he said, is "they are just like little pre-scheduled messages from marketing vendors, sent via mobile apps. The data that is required to 'turn on any push notification service' is quite invasive and can unexpectedly reveal/track your location/store your movement with a third-party marketing company or one of the app stores, which is merely a court order or subpoena away from potentially exposing those personal details." ®