Apple Adds Push Notification Data to Law Enforcement Guidelines

[MacRumors]

Apple has updated its Legal Process Guidelines to reflect the company's legal obligation to comply with law enforcement requests for Apple ID information associated with its push notification service. The change follows yesterday's revelation that governments are actively using smartphone notification data as a user surveillance tool.

In the section titled "Information Available from Apple," Apple has appended an alphabetical list with the subsection "AA. Apple Push Notification Service (APNs)," which reads:

When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device. Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media.

The Apple ID associated with a registered APNs token may be obtained with a subpoena or greater legal process.

Apple and Google have been forced by governments at home and abroad to provide users' data from notifications they get on their devices, US Senator Ron Wyden revealed on Wednesday in a letter to the Justice Department, drawing attention to a new smartphone privacy concern.

The Justice Department declined to comment on the letter, but Apple and Google confirmed that they have been subject to the requests. The companies explained that they had been prohibited from sharing information about how governments monitored push notifications until Wyden's letter had been made public and given them the legal opening they needed.

With push notifications enabled, Apple and Google create a small bit of data, known as a token, that links the user's device to the account information they've given the companies, such as their name and email address.

A Reuters source familiar with the matter confirmed that both foreign and U.S. government agencies have been asking Apple and Google for user information related to push notifications. The data is said to have been used to attempt to tie anonymous users of messaging apps to specific Apple or Google accounts.

The Washington Post said on Wednesday it had found more than two dozen search warrant applications and other documents in court records related to federal requests for push notification data. Though many were redacted, nine of the documents pertained to the federal hunt for U.S. Capitol rioters on January 6, 2021.

Article Link: Apple Adds Push Notification Data to Law Enforcement Guidelines

 

[contacos]

So as a residence of the EU, how can I opt out of this.

this may or may not be a rhetorical question

 

[cyanite]

So as a residence of the EU, how can I opt out of this, especially since the US is already classified as „unsafe“ when it comes to the data of Europeans.

Note that there is very little data associated with this. You can “opt out” by not using app push notifications.

 

[k1121j]

Is the EU developing a “data safe” phone?

 

[contacos]

Note that there is very little data associated with this. You can “opt out” by not using app push notifications.

Doesn’t necessarily mean, that it’s not being sent, just that it is not being shown. We use a tool for example, which tracks if an app is still installed by sending a „silent“ push every night and if it bounces back, the tool knows, that the app has been uninstalled on device XY

 

[Mac Fly (film)]

Have 99% of notifications turned off already.

 

[andrewxgx]

So as a residence of the EU, how can I opt out of this, especially since the US is already classified as „unsafe“ when it comes to the data of Europeans.

this may or may not be a rhetorical question

dont use phone or a computer

cant escape internet surveillance no matter how hard people try

only pros of this situation, this kind of surveillance can only be used on a fraction of users before becoming public so it only makes sense to use them in handful of cases (ie. terrorism/national security stuff).

 

[andrewxgx]

Is the EU developing a “data safe” phone?

no, they are developing mass surveillance that bypasses encryption: https://last-chance-for-eidas.org/

 

[cyb3rdud3]

So as a residence of the EU, how can I opt out of this, especially since the US is already classified as „unsafe“ when it comes to the data of Europeans.

this may or may not be a rhetorical question

Is the US classified as unsafe for our data? Is it really? Would you like to reconsider in light of the EU-US Data Privacy Framework and the GDPR Adequacy Decision?

PS. You do realize that a normal process is required to get this data. It's not like Trump or Biden can just say give me contacos push notifications. Very similar to how the EU, and UK, and any other civilized country operates.

 

[hagar]

no, they are developing mass surveillance that bypasses encryption: https://last-chance-for-eidas.org/

That’s not at all a correct interpretation. They are preparing the legislative framework for an online identity. For instance EU-citizens will be able to use the online ID mechanism of one country in another.

There are some serious safety concerns expressed by experts and scientists, but that’s still something entirely different than “mass surveillance”.

 

[JosephAW]

And why do I have this feeling that even turning off notifications doesn't disable this token? Disabling notifications just mutes the alert of data being exchanged?

 

[contacos]

Is the US classified as unsafe for our data? Is it really? Would you like to reconsider in light of the EU-US Data Privacy Framework and the GDPR Adequacy Decision?

PS. You do realize that a normal process is required to get this data. It's not like Trump or Biden can just say give me contacos push notifications. Very similar to how the EU, and UK, and any other civilized country operates.

Interesting. Just looked into it and I had no idea the Privacy Framework was already approved. Didn’t make the news here at all. I still get bothered with „are you sure we can use Google Analytics?“ questions

 

[JosephAW]

If Apple should provide an update to anonymize and secure the push notifications it probably won't roll out to older iOS versions because it's a major rewrite of the notification center.

 

[JosephAW]

Just takes one ping to track you.

 

[iBluetooth]

Doesn’t necessarily mean, that it’s not being sent, just that it is not being shown. We use a tool for example, which tracks if an app is still installed by sending a „silent“ push every night and if it bounces back, the tool knows, that the app has been uninstalled on device XY

Does this work on iPhones too?

 

[contacos]

Does this work on iPhones too?

yes, it is done with CleverTap. With the right SDK you can track basically anything everyone does in an App so as long as Apple does not really block 3rd party SDKs within Apps, their whole privacy speech does not mean anything.

Here is an example of myself using our app. The SDK from CleverTap basically lets me see anything a user does as long as I know the user ID

 

[cyb3rdud3]

Interesting. Just looked into it and I had no idea the Privacy Framework was already approved. Didn’t make the news here at all. I still get bothered with „are you sure we can use Google Analytics?“ questions

It was never not going to happen. The US is getting a better, shame it is just so fragmented across each state, and not only that, too many people (including lawyers that I work with) just haven't got a clue and often question even question the need. Distractions I don't need and so futile. So I do agree in a perverse manner with you, and where I can, I'd like to keep data out as the cultural behaviors just aren't there.

 

[centauratlas]

Is the EU developing a “data safe” phone?

As long as it has a back door for them. If you trust the EU for a data safe phone, that's being naive. The EU (all the governments worldwide) want no anonymity, no uncontrolled speech, and access to all data "when needed."

 

[tridley68]

Bug brother has to have its nose in everything and now Apple opened the door for this hopefully there is a way to opt out of this.

 

[phenste]

And why do I have this feeling that even turning off notifications doesn't disable this token? Disabling notifications just mutes the alert of data being exchanged?

because you’re correct, depending on how the dev has…well, developed the app! (see below)

Doesn’t necessarily mean, that it’s not being sent, just that it is not being shown. We use a tool for example, which tracks if an app is still installed by sending a „silent“ push every night and if it bounces back, the tool knows, that the app has been uninstalled on device XY

this is clown sh** on Apple’s part. kinda surprised nobody is more bluntly addressing that. anyone catch the article on DF noting how Google requires a court order for push notifications—i.e., a judge has to find it reasonable—where Apple requires only a subpoena?

because privacy!

 

[ginkobiloba]

The Justice Department declined to comment on the letter, but Apple and Google confirmed that they have been subject to the requests. The companies explained that they had been prohibited from sharing information about how governments monitored push notifications until Wyden's letter had been made public and given them the legal opening they needed.

now, that’s the real worrying part …it also means there must be other things that the companies are forced to do while being prohibited from disclosing it to users..

 

[dominiongamma]

Why is the EU is spying?

 

[brofkand]

Have 99% of notifications turned off already.

It sounds like having any notifications enabled is enough. Even having your iCloud account locked down in TNO encryption mode doesn't protect you from this surveillance.

 

[andrewxgx]

That’s not at all a correct interpretation. They are preparing the legislative framework for an online identity. For instance EU-citizens will be able to use the online ID mechanism of one country in another.

There are some serious safety concerns expressed by experts and scientists, but that’s still something entirely different than “mass surveillance”.

the whole concept of "online identity" is basically tying all of your online stuff to a single ID.

tell me again that this aint a mass surveillance tool.

 

[Dwalls90]

Apple still values privacy more than other tech companies that operate in the same industries. Unfortunately no company is perfect in this regard and I’m not sure ever will be.

People hate to hear this, but if you want to be truly private, stay away from the internet and technology.