Apple will make it harder for governments to get your push notifications

Apple will require law enforcement to obtain a court order before the company hands over details of customers’ push notifications from now on. As Reuters reports, Apple quietly updated its guidelines for law enforcement page on Monday with language specifying that search warrants and court orders are now required for it to give up “The Apple ID associated with” an Apple Push Notification Service token. The new policy follows revelations that both Apple and Google have been providing details about the notifications to governments.

Apps can “push” notifications to your phone so that you receive alerts, like a text message or incoming email, even when the app itself isn’t open. But the process involves potentially sensitive information being shared with Apple and Google, including metadata “detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered,” as Senator Ron Wyden (D-OR) wrote in a letter to Attorney General Merrick Garland last week.

Wyden’s letter notified the US Justice Department that his office had been investigating whether foreign governments had compelled Apple and Google to turn over personal details from smartphone push notifications. Wyden said the two companies admitted this happens, and both later confirmed it to news outlets. Apple told Reuters that the federal government had “prohibited” it from sharing the requests but added, “now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

Google already had a policy to require court orders in place. In a statement reported by Reuters, Wyden said Apple was “doing the right thing by matching Google and requiring a court order to hand over push notification related data.”

In his original letter, Wyden asked the Department of Justice to “repeal or modify any policies” that prevent the companies from being “transparent about the legal demands they receive, particularly from foreign governments.” Google already includes information about demands like those Wyden mentioned in its transparency reports, according to 404 Media.

Though Wyden mentioned foreign governments specifically, US law enforcement has sought the same information. 404 Media’s story details a 2020 FBI search warrant request with language very close to what Wyden wrote. In the warrant, the requesting agent said that both Apple and Google would send users’ phones a “push token” that is then routed through whatever app is being used to the servers of the company that makes it. The agent wrote that with the token comes a “payload” of information that “may help identify the specific device(s) used by a particular subscriber” to access their account.

Apps don’t always have to include identifying details when sending push notifications. As described in this post on Mastodon, the encrypted messaging app, Signal, takes care not to include data that could be traced back to a user’s account or device when sending a push notification. But, as pointed out in the thread, the existence of a notification and the associated metadata can be enough for certain surveillance purposes.