I didn't flag it as a dupe, just helpful to have links between discussion threads (and try to avoid beating dead horses, although that's always a lost cause).
Apple and Google have been recommending that actual data not be sent through these push notifications and only a “ping” for the app to go check the source of truth.
Maybe it’s time to actually enforce this and remove the ability for arbitrary content to be sent?
In effect, yes. The notification delegates in Swift only call the notification callbacks if you tap the specific notification (if you just go to the app, the notification callbacks are not fired).
This is the third time in a week that I read about this and, to me, the most important question has remained unanswered: If a push notification's payload is E2E-encrypted (consider, e.g., push notifications for Signal running on GrapheneOS with sandboxed Google Play Services), is there still a data leak? Like, what metadata are people referring to? The fact that I use Signal at all?
Of course, depending on the app, it could be possible to correlate even E2E-encrypted push notifications with other data on that app's backend server etc. But beyond specific apps, is there a generic vulnerability here?
The data leak, more of an oracle than anything else, is that you have an active account with the business sending the push. And it's not really even a data leak because it's data generated in the course of activity the user has requested.
The approximate size of the payload, the application, the time, maybe where you received it (if you were on a cellular network). All of this has a lot of value. You don't exactly need the message or the recipient.
The payload of Signal's push notifications should have roughly the same length every time as they are only used to wake up the app. The time I receive a push notification doesn't depend on me, but on when my contacts send messages. (Yes, you could use this to narrow down someone's time zone but not much more than that. Plus there are a million other ways to determine the time zone.)
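The situation described in the comments above (E2E-encrypted, constant-size wake-up pushes), as an added toy model that is not part of the thread: it shows that padding removes the payload-size channel while the per-app timing pattern remains visible to the relay. The app id and fixed size are constructed assumptions, not platform values.

```python
# Added example, not from the thread: a toy model of what a push relay
# (APNs/FCM-style) can still observe when every payload is E2E-encrypted
# and padded to a constant size. All sample data below is constructed.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

FIXED_PAYLOAD_SIZE = 256  # bytes; assumed app-chosen constant, not a platform value


@dataclass(frozen=True)
class Push:
    app_id: str          # bundle/package name the relay routes on
    sent_at: datetime    # time the relay handled the message
    payload: bytes       # opaque ciphertext as seen by the relay


def pad_payload(ciphertext: bytes, size: int = FIXED_PAYLOAD_SIZE) -> bytes:
    """Pad an encrypted payload to a fixed length so its size carries no information.
    Raises if the ciphertext cannot fit; the sender must then split or drop content."""
    if len(ciphertext) > size:
        raise ValueError(f"payload {len(ciphertext)} bytes exceeds fixed size {size}")
    return ciphertext + b"\x00" * (size - len(ciphertext))


def relay_view(pushes: list[Push]) -> list[tuple[str, datetime, int]]:
    """The envelope metadata a relay can log even though it cannot read the payload."""
    return [(p.app_id, p.sent_at, len(p.payload)) for p in pushes]


def payload_sizes(view) -> set[int]:
    """Distinct payload sizes visible to the relay; a single value means size leaks nothing."""
    return {size for _, _, size in view}


def hourly_activity(view, app_id: str) -> Counter:
    """Pushes per UTC hour for one app: this timing pattern survives padding."""
    return Counter(ts.hour for app, ts, _ in view if app == app_id)


def sample_pushes() -> list[Push]:
    """Constructed traffic: varied ciphertext lengths arriving in two distinct hours."""
    base = datetime(2023, 12, 6, tzinfo=timezone.utc)
    morning = [Push("org.example.messenger", base.replace(hour=9, minute=m), pad_payload(b"\xaa" * n))
               for m, n in [(5, 40), (12, 120), (47, 70)]]
    evening = [Push("org.example.messenger", base.replace(hour=21, minute=m), pad_payload(b"\xbb" * n))
               for m, n in [(3, 15), (30, 200)]]
    return morning + evening
```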
I still don't understand what risk push notifications represent here. Google & Apple maintain a list of all your apps, anyway. Any government can easily subpoena that list without having to put in much effort or analyze push notifications.
Time of day that you're awake/active, the frequency of message push notifications vs your travel patterns when you might be expected to be offline, weekday vs weekend message traffic volumes per day, traffic volumes on holidays, all these sorts of things are valuable metadata for an NSA-like organization.
Depends on how deeply you want to protect yourself.
Disabling push notifications would help, especially if you disable notifications through individual app settings first. That should make sure an app doesn't continue trying to send notifications at all; if you just disable notifications globally, Apple or Google may still see notifications that they just don't route to your device.
If you really want better protection, use GrapheneOS or a similar de-Googled Android device and don't install any Google services. That's the best way to still have a modern smartphone with limited risk that Apple or Google is somehow tracking most use.
Yep, I don't blame you, I've heard that from others as well.
Personally I see Graphene as the lesser of two evils compared to the guaranteed spying of Apple and Google for anyone that can't avoid having a smartphone altogether.
Depends. Since Apple/Google are monitoring it on their end, and I believe (at least on Android) turning off notifications at the OS level just blocks it from showing on your phone, these would still be sniffable.
If the application in question has the ability to disable notifications inside the application itself, that should work.
You stop using your cell phone for anything important, or anything that can't be gotten through other means trivially.
Practically, this means you use your cell phone for phone calls (the metadata is public, and I assume anyone who wants to listen in can already do so), and for SMS/MMS messages (see above, except I don't think the contents are quite as protected as voice).
You disable location services, you don't install anything of any interest on your "daily carry" phone, and you regularly shut it down for periods of time to build the expectation that your device is regularly offline. Let it run out of battery. Cultivate the "senile old senior" approach to using your phone. Leave it behind.
And then carry a small laptop, preferably running Qubes, for "everything else," and either use Tor or your own VPN infrastructure (ideally shared with friends) for access.
... and start cultivating ways of life that are offline first, that don't rely on consumer electronics (or the upstream companies) to behave as anything other than the data-grubbing, data-selling sorts they've reliably proven to be.
Yeah. It sucks. The past 20 years of consumer electronics turn out to have been rotten on the vine, actively working against your own interests, comically insecure (so even if they're not just streaming your data off to whoever pays/demands, it's not hard to extract), etc.
I don't have any better answers. I've been trying for about the last 5 years to figure out a solution, and I just can't come up with anything reasonable that still involves using consumer electronics for much more than toy uses. Apple looked better for a while, but then lost their head with the on-device CSAM scanning stuff and, while I like it, Lockdown is a simple admission that they cannot build secure software against nation-state level adversaries. Plus, most of their updates are "Oh, yeah, so, update this now, we have reason to believe [solid proof and won't say it, usually...] that this fixes things under active exploit." But, hey, we've got MeMojis and such now!
We have built too much complexity into our systems (see all the uarch vulns that are fundamentally a result of chasing performance over everything) to understand, to reason about, and we can't fix the problems of complexity with yet more complexity (as the last 5 years of papers demonstrate, often to comedic effect, about how the uarch vuln mitigations open up this other channel). And the software isn't any better.
I don't see the path forward other than simply opting out, and building systems that no longer rely on vulnerable pocket computers that leak literally everything you're doing to whoever might care.
The US has, among others, a privacy regulation problem: few regulations to protect users' privacy and many more to violate it. As much as the direct blame is on big tech, the real blame should go to who you have voted for, and to you, US citizen, ultimately, for voting for someone not working for your interests.
Already had ntfy set up and took the time to set up MollySocket so I can get Signal notifications without Firebase or a dedicated websocket connection (even if no message data is included). Here's to hoping more apps are brought on board.
I bridge my Signal communications through my self-hosted Matrix server, so I'm already going to get the benefit of Signal not going through Google's servers.
That said, MollySocket is a pretty neat hack that I had never heard of until now. I'll keep it in mind for a future use.
Maybe I’m confused but the warrant seems to suggest they’re not monitoring them. It’s asking for the notifications. If they were monitoring them, they wouldn’t need to subpoena them.
In the US, a particular form is evidence laundering, where one police officer obtains evidence via means that are in violation of the Fourth Amendment's protection against unreasonable searches and seizures, and then passes it on to another officer, who builds on it and gets it accepted by the court under the good-faith exception as applied to the second officer. This practice gained support after the Supreme Court's 2009 Herring v. United States decision.
See also the sibling about Fruit of the Poisonous Tree, the principle of law that Parallel Construction has rendered moot.
Reminds me of algebra equation solving encountering the square root of -1, then naming it an introduced variable “i”, rather than being stuck, and moving on, in hopes “i” vanishes later in the set of equations being solved or simplified.
Illegally obtained evidence can't be used, so they must build the story using only legal means, which can be difficult and take longer or not possible at all sometimes.
That rule has been so undermined in so many respects that it has little effect.
When the government illegally spies on the public it goes in knowing that it has to cover for its actions.
The evidence rules tend to only catch genuine errors where they failed to do the required parallel construction or set things up for the inevitable discovery doctrine because the unlawful search was inadvertent rather than intentional.
Learn something from illegal/inadmissible/secret source, use that info to find other evidence you can actually present in a public court, that you otherwise might not have found.
Standard tinfoil hatter stuff - it is impossible to prove the government is not monitoring everything. From there you can build any theory - one being the government finds out you are doing something illegal, and then they go back and find legal ways to prove it.
Has this happened - probably. Does it happen a lot - probably not. But none of that matters - the uncertainty is enough to build a whole online community that believes hard.
On iOS historically, you needed a special dispensation for your app to run when a push is received. So your choice was to let Apple see the content, or to have a push like 'you've got a new message'. I don't know the current status, but this used to be called a voip push or silent push; and Apple kept track to make sure you were at least posting notifications, otherwise future notifications would be dropped/delayed.
A lot of apps clearly do notifications separately from content though: you'll get a notification, but when you tap on it, the content has to load.
Show me any large US ISP, and I'll find you a locked room few know about with government network sniffers that sit at the head of all regional traffic to get a copy of everything going in and out there. Everyone does it, but like fight club, no one talks about it. If they're not in yours, it's because they've already gotten upstream of traffic to see it all anyways.
The problem comes with sifting through the data, but now that you have tireless AI doing that work for tired humans, who's to say what they actually don't see.
Years back I was touring a local datacenter that was more than a bit quirky, but their offer was basically that they had fiber loops into the main carrier hotel a few blocks away. This was useful because the guy that ran the carrier hotel wouldn't even return your email unless you were from BigCo.
But anyhow, walking around he pointed out one cage and said something like "And that's the NSA's cage, we don't ask what they do haw haw." At the time I mostly thought he was just exaggerating or joking around. But later after revelations of the scale of bulk collection I had to wonder if it really was true and simply banally that much in the open.
So much was revealed in the European Parliament's ECHELON report back in 2000 that I found it hard to understand why Snowden made the big splash that he did. It all seemed pretty old hat to me.
The chattering classes love counter-cultural packaging. That is why they embraced Greta Thunberg much more than they embraced Al Gore despite the messaging being the same.
The ECHELON report revelations were packaged into a formal (boring) European Parliament report. Meanwhile Edward Snowden had the counter-cultural packaging of a cool dissident hacker.
And the Utah data center that stores days worth of the entire Internet and then they just keep the most interesting parts and the parts they can't hack into for later analysis.
At least as of a few years ago, AT&T still owned most of the core network in the US and leased it out to other ISPs. The government has a direct pipe into AT&T which allowed (still does?) them to sniff everything regardless of ISP since AT&T almost certainly owned the underlying pipe.
I could see these "statistics" being used to gauge the public response to political decisions. That's pretty dystopian. "President Biden, the 'data' shows your response to Palestine was not very popular".
Where are the popular personalities telling people to not use VPNs? I swear sometimes I theorize about gov agencies using people to spread insecurities like that.
VPN providers that are run by reputable people/orgs and make security promises are liable to lawsuits and criminal prosecution if they sniff your traffic or sell info about you, unlike ISPs complying with gov requests/partnerships and who want another revenue stream by selling your info to the highest bidder with no specific privacy guarantees.
I renew my question of why this is surprising or objectionable. "Pen register" surveillance has been a thing that applies to actual mail, email, telephone networks, IP networks, and any other thing with a real or metaphorical envelope.
> I renew my question of why this is surprising or objectionable.
It's surprising because the government doesn't exactly talk about it a lot. Thus, most people who don't follow security issues don't hear about it very often. It's not like the government advertises these activities with billboards and TV spots. The reason they don't is because this broad interpretation of their responsibilities makes them look pretty bad without having a long discussion with a lot of context. As it is, people might just ask them to stop reading their emails. So, if the people doing it don't talk about it, why would you be surprised that other people don't know it's happening? It sounds like you're saying "I'm surprised that not everybody pays careful attention to the specific domains I pay attention to", but remember that it takes all kinds of people to make the world go round.
This isn't the police reading your emails. It is envelope metadata (to/from). This type of surveillance is not even a search under the 4th Amendment (Smith v. Maryland). Having a warrant makes the activities described in the article completely legitimate. It is the definition of "due process".
It may not be a search under that case, but plenty of folks disagree with that assessment. It's not like the telcos publish metadata for anyone to read. It is private data, and the fact that government officers think they have carte blanche to get it, and worse, can find judges that agree with them, is disagreeable to a significant portion of the population.
Is it warranted (figuratively, not literally) in this instance? Perhaps. But nonetheless, it re-opens the conversation about the wider implications about warrantless searches.
That's what the conversation would be about, without a long discussion and a lot of context. That's why we don't have the conversation: it's too hard, and people would just say "stop listening to my phone calls, you government perverts". And because we don't have that conversation, it's a surprise when things like this come up.
Automation has made it possible to do all this stuff at such a scale that Google can spy on everyone all the time.
The Stasi was limited by the fact that the whole of the DDR couldn't work for the Stasi.
Instead of the government joining in on the fun, maybe it would be good to e.g. close down Google (split up the spy and search parts, which essentially is closing down Google since they have relatively nothing without the spying).
You obviously do not have a realistic appreciation for the scale or centralization of the post office or AT&T, nor any understanding of American 4th Amendment jurisprudence. If the only thing you bring to the discussion is equating Google and Apple with the Stasi, that's nothing more than fulfilling a variant of Godwin's Law.
He said the Stasi was limited, so he is not equating them. The US government and its infrastructure oligopolies monitor citizens far more than the Stasi ever did. We are pleading for a reduction down to a Stasi-like intelligence service.
Tangentially, J. Edgar Hoover was politically opposed to feminism, and COINTELPRO had a massive secret police action against feminists and feminist groups in the 1970s. Some of us want these issues hashed out at the ballot box, not by some giant secret political police force.
> Since 2001, the Postal Service has been effectively conducting mail covers on all American postal mail as part of the Mail Isolation Control and Tracking program.[1]
No, and they don't keep a record of all APNS traffic, either. They get a court to order the push operator to log the envelope metadata of messages to and from enumerated parties who are the subject of the warrant.