Hat tip to Debbie Reynolds for the heads up on this story! More than 130 petitions seeking access to push notification metadata have been filed in US courts, according to a Washington Post investigation also reported on by The Register – a finding that illustrates a new method for identifying alleged criminals, but one that also underscores the lack of privacy protection available to users of mobile devices.

Consider this opening to the story as reported by The Post:

The alleged pedophile “LuvEmYoung” had worked to stay anonymous in the chatrooms where he bragged about sexually abusing children. A criminal affidavit said he covered his tracks by using TeleGuard, an encrypted Swiss messaging app, to share a video of himself last month with a sleeping 4-year-old boy.

But the FBI had a new strategy. A foreign law enforcement officer got TeleGuard to hand over a small string of code the company had used to send push alerts — the pop-up notifications that announce instant messages and news updates — to the suspect’s phone.

An FBI agent then got Google to quickly hand over a list of email addresses this month linked to that code, known as a “push token,” and traced one account to a man in Toledo, an affidavit shows. The man, Michael Aspinwall, was charged with sexual exploitation of minors and distribution of child pornography and arrested within a week of the Google request.

The breakthrough relied on a little-known quirk of push alerts, a basic staple of modern phones: Those tokens can be used to identify users and are stored on servers run by Apple and Google, which can hand them over at law enforcement’s request.

Drew Harwell and Aaron Schaffer, The FBI’s new tactic: Catching suspects with push alerts (Washington Post, February 29, 2024)

Great, right?

Sure, but as always, this investigative technique has multiple sides to it. The use of push notifications in criminal investigations has raised alarms from privacy advocates, who worry the data could be used to surveil Americans at a time when police and prosecutors have used cellphone data to investigate women for potentially violating state abortion bans.

When I said that push notifications are the “latest” law enforcement evidence source, that’s not exactly true – it may simply be the latest we know about. The practice was not widely understood until last December, when Sen. Ron Wyden (D-Ore.), in a letter to Attorney General Merrick Garland, said that his office had discovered that “government agencies in foreign countries were demanding smartphone ‘push’ notification records from Google and Apple.” He also said that Apple and Google “told my staff that information about this practice is restricted from public release by the government” – including government agencies like the Department of Justice (DOJ). Three applications and court orders reviewed by The Post indicate that the investigative technique goes back as far as 2019.

Apple confirmed the government restriction in a statement that month to The Post but said it intended to provide more detail about its compliance with the requests in an upcoming report now that the method has become public. Google said in a statement then that it shared Wyden’s “commitment to keeping users informed about these requests.”

Google has said it requires court orders to hand over the push-related data. Apple said in December that it, too, would start requiring court orders, a change from its previous policy of requiring only a subpoena, which police and federal investigators can issue without a judge’s approval. But in three of the four cases reviewed by The Post, Apple and Google handed over the data without a court order — probably as a result of the requests being made on an emergency, expedited or exigent basis, which the companies fulfill under different standards when police claim a threat of imminent harm.

“This is not just U.S. law enforcement,” Daniel Kahn Gillmor, a senior technologist at the American Civil Liberties Union said. “This is true of all the other law enforcement regimes around the world as well, including in places where dissent is more heavily policed and surveilled.”

Want more to be concerned about? As The Register reported, “In 2022, one of the largest push notification companies in the world, Pushwoosh, was found to secretly be a Russian company that deceived both the CDC and US Army into installing their technology into specific government apps,” said Zach Edwards, a security consultant who runs Victory Medium.

So, just like any other device convenience we use these days, push notifications contain private data that can be accessed and utilized – for good and bad. We should not be surprised by this. Will it stop people from using them? Of course not.

But as Sen. Wyden noted, we need Apple and Google to inform their customers and the general public about demands for their push notifications – which apparently extend far beyond just the DOJ in terms of requesting government agencies. Hopefully, they will follow through on their recent statements.

Anyone who uses a smartphone these days knows about push notifications – we get them from all types of apps, including email, chat apps, news apps, etc. I get them so frequently – on both my iPhone and my Apple Watch – that I sometimes have to take the watch off and set the phone to silent so that I can concentrate on work tasks. Reading these two articles about the privacy considerations associated with push notifications certainly gives me pause – at least to re-evaluate whether I need push notifications from as many apps as I currently do. Does it give you pause as well? It should.