Apple and Google confirm governments spy on users through push notifications

androidauthority.com

112 points by mesaoptimizer 2 years ago · 47 comments

jsnell 2 years ago

A lot of discussion yesterday:

https://news.ycombinator.com/item?id=38543155

bradley13 2 years ago

"Because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information"

What I don't understand is this: If the government wants to search your house, they show up at the door and show you a warrant. You can inspect the warrant - it's not secret. Granted, they're going to search your house anyway, but at least you know about it.

Except in truly extraordinary circumstances, you should be informed if your government has requested access to any of your private information.

This apparently goes even farther: not only have companies not been allowed to inform their customers, they haven't even been allowed to generally say that such information has ever been requested about anyone. That is seriously into dystopian territory.

  • chii 2 years ago

    The interesting thing is, the gov't cannot open your letters if it's first class mail, and may only open your letters under some well defined circumstances (https://www.rstreet.org/commentary/yes-the-government-can-op...) - it's all related to the letter being foreign, and i don't see any clause for domestic mail between US citizens being searchable warrantlessly.

    So why should electronic mail not have the same rules applied?

    • cameldrv 2 years ago

      I believe that the government can look at the outside of the envelope or the contents of a postcard without a warrant. This was extended for phone surveillance to the phone numbers of incoming and outgoing calls, and presumably they have argued that the contents of push notifications are in this category.

    • Thorrez 2 years ago

      >the gov't cannot open your letters if it's first class mail

      Even if the government has a warrant? The article you linked to seems to say the government can do it with a warrant:

      >By law, first-class mail is sealed against inspection, meaning that government officials may not open it without first getting a warrant from a judge.

      • chii 2 years ago

        I assumed that was implied - that is a warrant is always required for opening letters (first class mail), unless there are some specific circumstances that are outlined in the clauses mentioned on the page (which are related to foreign mail).

        • Thorrez 2 years ago

          Then the obvious question is: can the government view your notifications without a warrant?

          If not, then the notifications are at least as private from the government as first class mail.

    • hef19898 2 years ago

      Because it is more convenient for law enforcement and the pro-surveillance forces that came into power all over the world since the war on terror and the Patriot Act?

  • baggachipz 2 years ago

    You can thank the "patriot" act for that one. Bush Jr's lasting legacy.

  • tomohawk 2 years ago

    Agree, but this is not new.

    This data is not legally yours, since its not on equipment you own or rent.

    If the same exact service was on property you owned or rented, they would need a warrant.

    Speculating here, but if you paid for a service, and the terms of service were such that you had rental rights to the equipment and ownership of the data, then the US govt would need a warrant. But then the company would not be able to sell the data since it would actually be yours.

    I'd pay for a service that was like that.

    • Timwi 2 years ago

      > I'd pay for a service that was like that.

      Email was like that, until Gmail ruined it and you can no longer run your own mail server without being blacklisted everywhere.

      The Fediverse is kind of like this, except it's not really designed for private data; its primary use-case is publishing.

  • verisimi 2 years ago

    The idea that people seem to struggle with is that this is not a new development - it has always been the case. It puts people through its education, teaches that bad is good, that the state is the best we've got, etc, and kind hearted people believe it! It's not a case of voting a better psychopathic ruler in, to help turn the ship around. It has only ever been/can only ever be a mafia extortion racket.

    While the problem is not understood, there is no chance of finding a proper solution.

    As Nietzsche said:

        A state, is called the coldest of all cold monsters. Coldly lieth it also; and this lie creepeth from its mouth: "I, the state, am the people."
        It is a lie! Creators were they who created peoples, and hung a faith and a love over them: thus they served life.
        Destroyers, are they who lay snares for many, and call it the state: they hang a sword and a hundred cravings over them.
        Where there is still a people, there the state is not understood, but hated as the evil eye, and as sin against laws and customs.

  • bregma 2 years ago

    Amen. That kind of secret data collection should be reserved for profiteering capitalist oligarchs. Government is bad because it's government, but if you can generate personal wealth by exploiting others it's admirable.

    • xelia 2 years ago

      I’m not entirely sure what you’re alluding to - but yes, neither should corporations be allowed unrestricted access to your personal data.

      • Timwi 2 years ago

        I think what they're alluding to is the unspoken implication that Apple and Google deserve admiration for coming forward about the government spying, despite the fact that they obviously spy on you, too.

wongarsu 2 years ago

Push notifications are such a great way to spy on people, because so many apps send highly private information as push notification. Even if you install them on-premise, because the only well-supported battery-friendly way to send notifications is through Google's and Apple's servers.

The most serious of secure messengers moved to push notifications that just cause the app to wake up and fetch the real message from the server to show as notification, but there are still plenty of apps that just send the full message as push notification.

  • wtf_srsly 2 years ago

    As far as I know, WhatsApp on iOS uses a special entitlement (com.apple.developer.usernotifications.filtering) for securely handling notifications.

    They receive silent push notifications, which wake up the app (a reason for the entitlement being restricted). Once awake, the app takes over, managing the notification itself.

    This approach circumvents sending notification content in cleartext through Apple's servers, thereby preserving their end-to-end encryption.

  • wutwutwat 2 years ago

    > Even if you install them on-premise,

    You mean on-premises? If so, please show me where I can download and run my own APNS servers on my own hardware, because such a thing does not exist. You can run your own workers, which send through APNS/Apple's servers, but there is no way you can own the entire chain to get a push from your backends to an Apple device, not if you're using native push notifications.

    AFAIK, Google isn't any better, with GCM, and even Firebase uses that from what I know.

  • Jason_Protell 2 years ago

    What are the most serious secure messengers?

    • snoutie 2 years ago

      I personally like the approach Threema has. They provide their own push service called Threema Push[1] which is opt-in for the Google Play Store version. The push notifications for Threema do not contain any sensitive information either way.[2] They also have a libre version on F-Droid.

      [1]https://threema.ch/en/faq/threema_push

      [2]https://threema.ch/en/faq/privacy_push

      • martinsnow 2 years ago

        Their web client is based on angular.js - I wouldn't dare trust it with private information.

        • snoutie 2 years ago

          I'm not a huge expert on web frameworks. Can you clarify your concerns?

      • orangepurple 2 years ago

        Threema may very well be the Crypto AG of our times

        • keep_reading 2 years ago

          Why would you say that? It's open source and has reproducible builds

          • orangepurple 2 years ago

            Play Store version could be anything

            • snoutie 2 years ago

              I fail to see how the Play Store version could be "anything" considering you can reproduce the builds. Can you enlighten me how something like this would be possible?

              • orangepurple 2 years ago

                You can reproduce the builds yourself but you have no control over what happens to the app APK once it is uploaded to Google then distributed via the Play Store. I suppose you could checksum the APK before and after and make sure your app is exactly the same before and after sending it to Google to distribute via the Play Store. Google doesn't have much motivation TODAY to mess with APKs directly since they have Google Play Services which is essentially a rootkit running on your phone all the time and it is easily accessible by the NSA through Google's infrastructure, probably by a secret FISA warrant with a gag order. Maybe they don't need a warrant. Think we would ever find out?

                • snoutie 2 years ago

                  I think I am still missing what you are referring to. The guide on Threema's site prompts you to extract the APK from your phone via adb which you then `diff -r` with the locally compiled version. [1] As far as I am aware it does not matter whether Google or Threema modified the APK before uploading it to the Play Store since you would notice either way.

                  [1]https://threema.ch/en/open-source/reproducible-builds
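An added example of the comparison snoutie describes, written here for illustration; it is not Threema's verification script or any Google tool. It compares a locally built APK against the copy pulled from the phone entry by entry, ignoring only the signature files, because the store copy is signed by a different key than a local build and that difference is expected. The APKs in the block are tiny constructed zips, not real apps.

```python
"""Verifying a Play Store APK against a local reproducible build by comparing
the contents of every zip entry and ignoring only the signature files.

Added example, not Threema's script or any Google tool. Assumes the store
copy was pulled from the phone with adb and that only the signer differs.
The APKs below are tiny constructed zips, not real apps."""
import hashlib
import io
import zipfile

# v1 (JAR) signature files live here and legitimately differ between signers.
# The v2/v3 APK Signing Block is not a zip entry, so zipfile never sees it.
SIGNATURE_PREFIXES = ("META-INF/",)


def entry_digests(apk_bytes, ignore_prefixes=SIGNATURE_PREFIXES):
    """Map entry name -> SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(ignore_prefixes):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(local_bytes, store_bytes):
    """Return every way the two APKs differ outside the signature files."""
    local, store = entry_digests(local_bytes), entry_digests(store_bytes)
    common = local.keys() & store.keys()
    return {
        "only_local": sorted(local.keys() - store.keys()),
        "only_store": sorted(store.keys() - local.keys()),
        "modified": sorted(n for n in common if local[n] != store[n]),
    }


def is_reproduced(local_bytes, store_bytes):
    """True when nothing but the signature files differs."""
    return not any(compare_apks(local_bytes, store_bytes).values())


def build_apk(files):
    """Constructed stand-in for an APK: a zip with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


APP_FILES = {                                 # constructed, not a real app
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00" + bytes(range(64)),
    "resources.arsc": b"\x02\x00\x0c\x00" + b"\x00" * 16,
}
LOCAL_BUILD = build_apk(APP_FILES)
# Same code, signed by the store key: should verify as reproduced.
STORE_COPY = build_apk({**APP_FILES,
                        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                        "META-INF/CERT.RSA": b"store signer certificate"})
# One byte appended to classes.dex: must be flagged.
TAMPERED_COPY = build_apk({**APP_FILES,
                           "classes.dex": APP_FILES["classes.dex"] + b"\x90",
                           "META-INF/CERT.RSA": b"store signer certificate"})

if __name__ == "__main__":
    print("store copy reproduced:", is_reproduced(LOCAL_BUILD, STORE_COPY))
    print("tampered copy:", compare_apks(LOCAL_BUILD, TAMPERED_COPY))
```

To get the installed copy off a phone, `adb shell pm path <package>` prints the path of the installed base.apk and `adb pull` fetches it. Because this comparison deliberately ignores who signed the file, run `apksigner verify --print-certs` on the pulled APK separately and check that the certificate is the one the vendor publishes; a byte-identical build under an unexpected signer is still a finding.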

    • contact9879 2 years ago

      Signal

oneplane 2 years ago

Of course they do, if there's a way to get data without it being obviously illegal, it's probably going to get collected. And I wouldn't be surprised if plenty of constructions like it either have a gag order or a national security letter.

On the other hand, there is no universal one size fits all rule that makes society better. Especially because there are plenty of very different people, both good and bad, and no rule, however well-intentioned will work out great overall. Let's hope someone at some point does come up with a better solution.

An observation on why push messages: the same reason any other real-time communication is interesting, like calls, SMS, MMS, because that's enough bits being transceived, or enough of a cell location to find out where a device is, while not being long enough that you get some 'on the move' smear.

wutwutwat 2 years ago

One way to handle this is to send a notification with data that is meaningless, like a notification id or something, to trigger the app, which then (thanks to background app refresh, etc), pings your backend server with the id and retrieves the actual notification details. The only way to be 100% sure things are not being snooped while passing through push servers (or any third party you put your trust into), is to make the data they handle meaningless without also having access to your systems after they handle your push. Government can spy on your notification UUIDs that you send all day long, it won't do them much good though.

These concerns are not unique to government. Don't trust any third party with your data. Security 101
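The pattern wongarsu and wutwutwat describe, as an added example that is not part of the thread and not code from Apple, Google, Threema or WhatsApp: the push that crosses APNs/FCM carries only a random, single-use notification ID, and the app fetches the real content from the publisher's own backend after being woken. `PushProvider` and `Backend` are constructed stand-ins for the push service and the publisher's server; the device tokens and message text are made up. The leaky "put the message in the alert" variant is kept alongside for contrast.

```python
"""Opaque-ID push pattern: the push provider (APNs/FCM) only ever relays a
random notification ID; the app fetches the real content from the
publisher's own backend after the push wakes it up.

Added example, not code from the thread or from any vendor SDK. PushProvider
and Backend are constructed stand-ins for the provider and the publisher's
server; the device tokens and message text below are made up."""
import json
import secrets
import time


class PushProvider:
    """Stand-in for APNs/FCM. Everything passing through here is visible to
    the provider, and therefore to anyone who can compel the provider."""

    def __init__(self):
        self.observed = []            # (device_token, wire_json)

    def deliver(self, device_token, payload):
        wire = json.dumps(payload, separators=(",", ":"))
        self.observed.append((device_token, wire))
        return json.loads(wire)       # what the OS hands to the app

    def saw(self, needle):
        """Did the needle appear in cleartext in any relayed payload?"""
        return any(needle in wire for _, wire in self.observed)


def alert_payload(sender, body):
    """The leaky pattern: message text inside the APNs alert itself."""
    return {"aps": {"alert": {"title": sender, "body": body}}}


def opaque_payload(nid):
    """Only a random, single-use ID crosses the provider. content-available=1
    is APNs' background wake-up; with a real APNs client it also needs the
    apns-push-type: background and apns-priority: 5 headers. The FCM
    equivalent is a data-only message:
    {"message": {"token": <token>, "data": {"nid": nid}}}."""
    return {"aps": {"content-available": 1}, "nid": nid}


class Backend:
    """Publisher's server: keeps the content and hands it out on request."""

    TTL = 300                          # seconds a pending ID stays fetchable

    def __init__(self, provider):
        self.provider = provider
        self.pending = {}              # nid -> (device_token, expiry, content)

    def notify(self, device_token, sender, body):
        nid = secrets.token_urlsafe(16)        # 128 random bits: unguessable
        self.pending[nid] = (device_token, time.time() + self.TTL,
                             {"sender": sender, "body": body})
        return self.provider.deliver(device_token, opaque_payload(nid))

    def fetch(self, device_token, nid):
        """Called by the woken app over the publisher's own authenticated
        channel (TLS plus whatever session auth the app already has).
        The ID is bound to the device that was notified and burned on the
        first attempt, right or wrong, so it cannot be replayed."""
        entry = self.pending.pop(nid, None)
        if entry is None:
            return None
        owner, expiry, content = entry
        if owner != device_token or time.time() > expiry:
            return None
        return content


def run_scenario():
    """Leaky and opaque variants side by side; returns what each exposed."""
    provider = PushProvider()
    backend = Backend(provider)
    device, other = "device-token-A", "device-token-B"        # constructed
    sender, body = "alice", "meet at the usual place 21:00"   # constructed

    provider.deliver(device, alert_payload(sender, body))     # leaky variant
    leaked_by_alert = provider.saw(body)

    provider.observed.clear()
    push = backend.notify(device, sender, body)               # opaque variant
    leaked_by_opaque = provider.saw(body)
    content = backend.fetch(device, push["nid"])
    replay = backend.fetch(device, push["nid"])               # already burned

    push2 = backend.notify(device, sender, body)
    stolen = backend.fetch(other, push2["nid"])               # wrong device

    return {"leaked_by_alert": leaked_by_alert,
            "leaked_by_opaque": leaked_by_opaque,
            "content": content, "replay": replay, "stolen": stolen}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

What the provider still learns even in the opaque variant is the metadata: which app pushed to which device token, and when. That is the "outside of the envelope" cameldrv describes upthread, and no payload design removes it; only the message content is kept out of the provider's hands.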

WhereIsTheTruth 2 years ago

They confirm what everyone already knew, people were called "conspiracy theorists"

https://www.theguardian.com/world/2013/jun/06/us-tech-giants...

https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...

zer0c00ler 2 years ago

What are the reasons that make this possible? The articles I have seen do not explain what makes this different. What needs to be invented to get end to end security for push? I might be missing the obvious, apologies upfront.

  • dmw_ng 2 years ago

    Not least for the sake of power management, the central push provider needs to authenticate (and e.g. rate limit) notifications to a particular device. The identities of apps communicating with a particular device therefore seem to need to be known

    This still seems like something that could be fixed with smarter design without losing functionality.. e.g. decoupling device registrations from push channels, and treating the push channel ID a particular device is using as toxic for sharing and intermingling as other kinds of personal identifiers like phone numbers, including with the OS provider itself, or creating a unique push channel ID for every app registration, etc.

    • r3trohack3r 2 years ago

      This is actually a bummer.

      P2P mobile applications cannot wake themselves up to sync with peers (short of relying on exploits).

      The same is true of browser service workers.

      The architectures I’ve explored for mobile and web-based P2P apps have all needed a central trusted push notification server fallback to wake up the process so it can check for messages.

      Even then the APIs will fight you.

      Unless the fallback server syncs for you, it can only wake you up on an interval. It can’t know if there is a notification worthy event for you to sync.

      If you wake up the process and there are no messages from its peers that generate a notification, you “consume” some of your background notification budget.

      Consume too much and the system stops waking your app on push events, so you stop syncing in the background.

    • wtf_srsly 2 years ago

      There are apps, like WhatsApp on iOS, that receive silent notifications and are started upon receiving them, allowing them to process these notifications locally (as explained in my other comment in this thread).

      This method enables them to bypass the need for sending clear text content through Apple's servers, upholding their end-to-end encryption.

      However, this practice can slightly impact battery consumption, which is probably why this specific entitlement is not freely available to all apps. It's a balance between enhanced security and a marginal increase in battery usage.

    • kayson 2 years ago

      I see power management mentioned often, but I'm not convinced. How does centralizing the push service reduce power? Why can't a developer just implement the service in the same way? (if Apple/Google let them)

      I self-host Gotify, which just uses a websocket for the push part, and battery consumption is only 2%/day even with the app white listed from "optimization"

  • keep_reading 2 years ago

    It already exists for push, but most apps don't implement it and on Apple devices you need a special permission from Apple to be able to do it
