Reuters reports, citing a source, that foreign and U.S. government agencies have asked both Apple and Google for metadata from push notifications, including information that ties pseudonymous app users to specific Apple or Google accounts.
In an email to TechCrunch, Apple spokesperson Shane Bauer said the federal government prevented the technology giant from sharing any information on the matter.
“Apple is committed to transparency and we have long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users,” Apple’s spokesperson said. “In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”
“Apple is committed to transparency and we have long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users,” Apple’s spokesperson...
“Apple is committed to transparency and we have long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users,” Apple’s spokesperson said. “In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”
Unless I’m misunderstanding, isn’t this basically admitting that spying has been done by the government and “Whoops we’ll admit that they’ve been spying in a later transparency report because big government told us to be silent about it”?
How could this sort of thing be prevented? Perhaps by doing polling at constant intervals, with fixed-size messages whether or not there are notifications to be delivered. That would be very...
How could this sort of thing be prevented? Perhaps by doing polling at constant intervals, with fixed-size messages whether or not there are notifications to be delivered. That would be very expensive, though.
The solution is to make mass data collection by the government illegal. Bruce Schneier had a pretty good read on why LLMs change the game for bulk data collection. I think it's going to take some...
The solution is to make mass data collection by the government illegal. Bruce Schneier had a pretty good read on why LLMs change the game for bulk data collection.
I think it's going to take some time (and having the EU lead the way) to make progress on this. We're pretty far down the rabbit hole already in the US, and neither party has shown an appetite for curbing government powers in this area.
Quote from the article: If you go back into the history of this kind of thing, most of the warrants are to put 4th amendment window dressing on things after the fact. For example, you can look at...
Quote from the article:
Mass surveillance fundamentally changed the nature of surveillance. Because all the data is saved, mass surveillance allows people to conduct surveillance backward in time, and without even knowing whom specifically you want to target. Tell me where this person was last year. List all the red sedans that drove down this road in the past month. List all of the people who purchased all the ingredients for a pressure cooker bomb in the past year. Find me all the pairs of phones that were moving toward each other, turned themselves off, then turned themselves on again an hour later while moving away from each other (a sign of a secret meeting).
Similarly, mass spying will change the nature of spying. All the data will be saved. It will all be searchable, and understandable, in bulk. Tell me who has talked about a particular topic in the past month, and how discussions about that topic have evolved. Person A did something; check if someone told them to do it. Find everyone who is plotting a crime, or spreading a rumor, or planning to attend a political protest.
If you go back into the history of this kind of thing, most of the warrants are to put 4th amendment window dressing on things after the fact. For example, you can look at the history of parallel construction or Section 702 / FISA court abuse. The point is that they already have the data, and what we see is that if the data's already there, it's very difficult to prevent the abuse of power from improper use.
I meant that the TechCrunch article doesn't seem to describe mass surveillance. Schneier's article of course does, but it's not reporting specifically about what's going on with push messages. But...
I meant that the TechCrunch article doesn't seem to describe mass surveillance. Schneier's article of course does, but it's not reporting specifically about what's going on with push messages.
But yes, they could be combined. Once they know what they're looking for, they could get a search warrant to get some more info about specific phones.
Sorry, I misunderstood you comment. I've got it now. However, the tech crunch article merely notes that there are warrants that mention push notifications. The other part of the article, and the...
Sorry, I misunderstood you comment. I've got it now.
However, the tech crunch article merely notes that there are warrants that mention push notifications. The other part of the article, and the more important part IMO, is that Apple has just now been permitted to disclose the existence of this data sharing. Whether one wants to assume that their transparency report includes everything they have disclosed is an exercise in paranoia, but since we know these companies have been bound not to disclose their data collection in the past, I would not make that assumption.
To go back to your original comment, I understood it to mean you were thinking about technical measures that would make this kind of disclosure by the tech company "impossible". I think that's a good practice, but there should not be an arms race between tech companies and our own government to make things private, it should be a fundamental right.
I am making a US centric argument here, but the article is about US government data collection. We already know that other governments compel secret disclosure all the time, and in those cases, the government can simply compel tech companies to weaken their technical protections to permit the disclosures they require. As far as I know, that is not he case in the US. Yet.
Suppose Apple or Google is very successful in making it impossible for the company to disclose push notification data to anyone, you'd see eventually that they are forced to backdoor their own systems for government use.
So in the end the answer is not a technical one, but a policy one. The fight we should be having is not about implementing TOR for push notifications but talking about enshrining those rights in law or amendments to the Constitution to protect people more broadly.
Here is the segment that Apple has been able to add to their transparency report for US government request guidelines. I've verified via archive.org that this entry was not in the document...
In a statement, Apple said that Wyden's letter gave them the opening they needed to share more details with the public about how governments monitored push notifications.
"In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests."
AA. Apple Push Notification Service (APNs)
When users allow an application they have installed to receive push notifications, an Apple Push
Notification Service (APNs) token is generated and registered to that developer and device. Some
apps may have multiple APNs tokens for one account on one device to differentiate between
messages and multi-media.
The Apple ID associated with a registered APNs token may be obtained with a subpoena or greater
legal process.
I think that phrasing is so odd. I don't believe that you get much of a choice when subpoenas are involved. But the phrasing makes it sound like Apple was to blame for the bad behavior.
I think that phrasing is so odd. I don't believe that you get much of a choice when subpoenas are involved. But the phrasing makes it sound like Apple was to blame for the bad behavior.
I'm an Apple customer. I gave my money to Apple for the privacy and security it promised me. Apple was known to deny government any access to user data. This one event was exposed, how many other...
I'm an Apple customer. I gave my money to Apple for the privacy and security it promised me. Apple was known to deny government any access to user data. This one event was exposed, how many other such instances do you think they're running. You are porting user data to government behind their back, you shouldn't preach privacy and Yes Apple is to blame as well as government.
I remain unconvinced that "defying government subpoenas" was part of that promise of security. There's a difference between giving information they have and unlocking phones for the police (as the...
I remain unconvinced that "defying government subpoenas" was part of that promise of security. There's a difference between giving information they have and unlocking phones for the police (as the courts have supported). And seems likely they fought it as far as they could based on past behavior.
I'm not defending Apple, Android does it too and I don't like it either, but what would you expect them to do. It's government overreach. But it's legal overreach.
I had the same thought in response to the original GP post, that Apple likely didn't have a legal choice in the matter. However to answer the question "what would you expect them to do"... If...
I had the same thought in response to the original GP post, that Apple likely didn't have a legal choice in the matter.
However to answer the question "what would you expect them to do"... If Apple was truly a privacy focused company, there are various established technical solutions they could implement that would make it impossible for them to share a lot of what they currently share with governments because they wouldn't have direct access to it themselves.
But of course they need that data for a variety of purposes and would never give it up willingly. Apple wants to appear to be a privacy focused company for marketing purposes, they have no genuine interest in user privacy.
Which seems self evident but there's still value in pointing it out.
That's fair, and I think it's possible they didn't originally think this data was useful to police/governments until it was. Though that angle would be Apple admitting they collect this data...
That's fair, and I think it's possible they didn't originally think this data was useful to police/governments until it was.
Though that angle would be Apple admitting they collect this data rather than admitting they gave it to the police.
I do agree that it's silly to assume Apple actually cares about privacy. Which is why I sort of see little point in being mad that they're not. But I get that it's contradictory. I just thought the phrasing was off.
Someone else had a good post about this needing to be solved by the government ultimately which I agree with.
From the article:
“Apple is committed to transparency and we have long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users,” Apple’s spokesperson said. “In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”
Unless I’m misunderstanding, isn’t this basically admitting that spying has been done by the government and “Whoops we’ll admit that they’ve been spying in a later transparency report because big government told us to be silent about it”?
More or less, if by "spying" you mean that governments requested information about some phones after getting search warrants.
How could this sort of thing be prevented? Perhaps by doing polling at constant intervals, with fixed-size messages whether or not there are notifications to be delivered. That would be very expensive, though.
The solution is to make mass data collection by the government illegal. Bruce Schneier had a pretty good read on why LLMs change the game for bulk data collection.
I think it's going to take some time (and having the EU lead the way) to make progress on this. We're pretty far down the rabbit hole already in the US, and neither party has shown an appetite for curbing government powers in this area.
This article doesn't seem to be about mass data surveillance, though? It mentioned law enforcement getting search warrants.
Quote from the article:
If you go back into the history of this kind of thing, most of the warrants are to put 4th amendment window dressing on things after the fact. For example, you can look at the history of parallel construction or Section 702 / FISA court abuse. The point is that they already have the data, and what we see is that if the data's already there, it's very difficult to prevent the abuse of power from improper use.
I meant that the TechCrunch article doesn't seem to describe mass surveillance. Schneier's article of course does, but it's not reporting specifically about what's going on with push messages.
But yes, they could be combined. Once they know what they're looking for, they could get a search warrant to get some more info about specific phones.
Sorry, I misunderstood you comment. I've got it now.
However, the tech crunch article merely notes that there are warrants that mention push notifications. The other part of the article, and the more important part IMO, is that Apple has just now been permitted to disclose the existence of this data sharing. Whether one wants to assume that their transparency report includes everything they have disclosed is an exercise in paranoia, but since we know these companies have been bound not to disclose their data collection in the past, I would not make that assumption.
To go back to your original comment, I understood it to mean you were thinking about technical measures that would make this kind of disclosure by the tech company "impossible". I think that's a good practice, but there should not be an arms race between tech companies and our own government to make things private, it should be a fundamental right.
I am making a US centric argument here, but the article is about US government data collection. We already know that other governments compel secret disclosure all the time, and in those cases, the government can simply compel tech companies to weaken their technical protections to permit the disclosures they require. As far as I know, that is not he case in the US. Yet.
Suppose Apple or Google is very successful in making it impossible for the company to disclose push notification data to anyone, you'd see eventually that they are forced to backdoor their own systems for government use.
So in the end the answer is not a technical one, but a policy one. The fight we should be having is not about implementing TOR for push notifications but talking about enshrining those rights in law or amendments to the Constitution to protect people more broadly.
Is the method they're referring to the APN methods Beeper implemented in Beeper Mini?
No, it's referring to Senator Wyden's letter. The Senator revealed that this is happening so it's not a government secret anymore.
Ahhh I see what they meant now, thanks for clarifying
Here is the segment that Apple has been able to add to their transparency report for US government request guidelines. I've verified via archive.org that this entry was not in the document previously. I don't give Google any presumption of good faith so I didn't bother digging into anything on their end.
Apple admits to handing over push notification data to government. Apple. Privacy.
I think that phrasing is so odd. I don't believe that you get much of a choice when subpoenas are involved. But the phrasing makes it sound like Apple was to blame for the bad behavior.
I'm an Apple customer. I gave my money to Apple for the privacy and security it promised me. Apple was known to deny government any access to user data. This one event was exposed, how many other such instances do you think they're running. You are porting user data to government behind their back, you shouldn't preach privacy and Yes Apple is to blame as well as government.
I remain unconvinced that "defying government subpoenas" was part of that promise of security. There's a difference between giving information they have and unlocking phones for the police (as the courts have supported). And seems likely they fought it as far as they could based on past behavior.
I'm not defending Apple, Android does it too and I don't like it either, but what would you expect them to do. It's government overreach. But it's legal overreach.
I had the same thought in response to the original GP post, that Apple likely didn't have a legal choice in the matter.
However to answer the question "what would you expect them to do"... If Apple was truly a privacy focused company, there are various established technical solutions they could implement that would make it impossible for them to share a lot of what they currently share with governments because they wouldn't have direct access to it themselves.
But of course they need that data for a variety of purposes and would never give it up willingly. Apple wants to appear to be a privacy focused company for marketing purposes, they have no genuine interest in user privacy.
Which seems self evident but there's still value in pointing it out.
That's fair, and I think it's possible they didn't originally think this data was useful to police/governments until it was.
Though that angle would be Apple admitting they collect this data rather than admitting they gave it to the police.
I do agree that it's silly to assume Apple actually cares about privacy. Which is why I sort of see little point in being mad that they're not. But I get that it's contradictory. I just thought the phrasing was off.
Someone else had a good post about this needing to be solved by the government ultimately which I agree with.