We at the Home Assistant Companion for iOS team have been wanting to implement end-to-end encryption for our push notifications for a while now, but Apple has denied our request for the com.apple.developer.usernotifications.filtering [0] entitlement multiple times. Wondering if with today's news we could apply again and get it.
For context, we are sending ~35 million push notifications per month on iOS and ~67 million on Android, see more at [1]
We implemented APNS encryption for Firefox iOS without much trouble. Keys are negotiated out of band and message decryption is done in a Notification extension that allows you to pre process incoming notifications. Did not need any special entitlements.
Not saying you are obviously compromised, but the simplest explanation after this news is that maybe they relay the authorization to NSA et al, and they OK'ed your case and not theirs for some reason...
The filtering entitlement allows us to decrypt messages and, depending on the content, choose to not send any notification (for example if a user sends an app specific command, like asking for a location update). The example you linked requires that a notification is emitted at the end, which we don't want.
Zac also just let me know the other reason we need filtering is so we can properly unsubscribe users from notifications when one is received from a server they no longer are connected to.
for my understanding, you need that entitlement so you can send an encrypted invisible notification which you can then decrypt locally in your app and push out again as a local notification that doesn't go over the network (i.e. not use apns)? Or is doing this kind of stuff just weirdly tied to that specific entitlement?
No, you do not need this just for decryption. This entitlement is only required if you want your Notification Extension to be able to silently eat the notification. Normally an extension must transform the notification then the system presents it to the user.
APNS is not a "let my server wake up my app in the background whenever and however often I like" mechanism.
Defer handling other things until either your extension or your app would have run anyway and do them at that time.
Yup that is also a great way. Just send a message ID and fetch the actual content in the notification extension that can pre process incoming notifications.
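The scheme sketched in the comments above (keys negotiated out of band at enrollment, the sealed payload decrypted in a notification extension, and the point that without the filtering entitlement a command payload still has to surface as some notification) as a constructed Go example. This is added illustration, not code from Home Assistant, Firefox iOS or Apple; the endpoint type, the `kind` field, the HKDF label and the placeholder notification text are assumptions, and X25519 plus AES-256-GCM from Go's standard library stand in for whatever the real apps use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Endpoint is one side of the pairing (the device or the app server). Both
// generate an X25519 key at enrollment and swap public keys over the app's own
// authenticated channel, never through APNs/FCM (constructed model, assumption).
type Endpoint struct {
	priv *ecdh.PrivateKey
	key  []byte // 32-byte AES key, set by Enroll
}

func NewEndpoint() (*Endpoint, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Endpoint{priv: priv}, nil
}

func (e *Endpoint) PublicKey() *ecdh.PublicKey { return e.priv.PublicKey() }
func (e *Endpoint) SharedKey() []byte          { return e.key }

// Enroll finishes the key agreement and derives the payload key with a
// one-block HKDF-SHA256 (RFC 5869) under a fixed, assumed label.
func (e *Endpoint) Enroll(peer *ecdh.PublicKey) error {
	shared, err := e.priv.ECDH(peer)
	if err != nil {
		return err
	}
	extract := hmac.New(sha256.New, make([]byte, 32)) // zero salt
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("push-e2ee-v1"))
	expand.Write([]byte{1})
	e.key = expand.Sum(nil)
	return nil
}

// Payload is what the server really wants delivered: a user-facing message
// or an app-specific command such as "send a location update".
type Payload struct {
	Kind  string `json:"kind"` // "message" or "command"
	Title string `json:"title,omitempty"`
	Body  string `json:"body,omitempty"`
}

func (e *Endpoint) aead() (cipher.AEAD, error) {
	if e.key == nil {
		return nil, errors.New("not enrolled")
	}
	block, err := aes.NewCipher(e.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the payload; the returned blob is the only thing that goes
// into the push. A random 96-bit nonce is prepended to the ciphertext.
func (e *Endpoint) Seal(p Payload) ([]byte, error) {
	gcm, err := e.aead()
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Open is what the notification extension runs on the received blob.
func (e *Endpoint) Open(blob []byte) (Payload, error) {
	var p Payload
	gcm, err := e.aead()
	if err != nil {
		return p, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return p, errors.New("push too short")
	}
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return p, err // wrong key or tampered blob: never show garbage
	}
	err = json.Unmarshal(plain, &p)
	return p, err
}

// Present models the extension's decision. Without the filtering entitlement
// the extension must hand a notification back to the system, so a command can
// only be reduced to a generic placeholder (assumed text), not swallowed.
func Present(p Payload, hasFilterEntitlement bool) (show bool, title, body string) {
	if p.Kind == "command" {
		if hasFilterEntitlement {
			return false, "", ""
		}
		return true, "Background update", ""
	}
	return true, p.Title, p.Body
}

func main() {
	dev, _ := NewEndpoint()
	srv, _ := NewEndpoint()
	dev.Enroll(srv.PublicKey())
	srv.Enroll(dev.PublicKey())
	blob, _ := srv.Seal(Payload{Kind: "command"})
	p, err := dev.Open(blob)
	show, title, _ := Present(p, false)
	fmt.Println(err, show, title)
}
```

The push provider only ever sees the AES-GCM blob, so the payload content is out of its reach; the metadata (which app, which device, when) is untouched by this, which is the thread's other point.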
They are not currently as we need to roll out e2ee with iOS and Android in lockstep as they both use the same mobile_app component as well as the local push stuff which bypasses Apple and Google but we would also like to encrypt.
He even inspired Snowden to expose the illegal mass surveillance programs. IIRC Snowden reached a breaking point when James Clapper, then director of national intelligence, lied under oath to Congress when pressed about domestic surveillance by senator Wyden.
It's sad we don't hear more about people like this in positions of power.
The entire time period of the Bush admin is a microcosm for unresolved issues of today: voting machines, government overreach and spying, security, encryption, copyright, bad behavior by corporate entities (M$ has a cohort).
Nine times out of ten, when there's a news piece about a senator advocating for privacy and constitutional rights with regards to tech, it's senator Wyden. He's on the senate intelligence committee and has a decent track record of getting shit done with bipartisan support, so he's not just virtue signaling for votes either (not to mention that he's basically unbeatable in state election with all the support he has in Oregon). He's 74 years old, I do hope someone will step up and carry the torch when he retires. It's a losing battle but it's still important that we have someone who is competent and well respected to fight it for us.
I know it's the Oregonian in me and getting to meet him as a kid where he spent a decent amount of time with my class, but he strikes me as a senator that Oregon can be proud of. I might not agree with him on everything, but in my personal opinion, he's advocating and pushing for change on what he personally believes in. Makes me wish my current senator was more like that.
Gosh I am so happy to have like the best senator in the senate next to Bernie Sanders in Oregon.
Oregon is an extremely based state. Y'all crap on PDX but the reality is that we have more freedom and less tyranny here than in any other state in the nation, and possibly in the world. PDX is "bad" because it's one of the only places in the world that hated the cops enough to actually muzzle them - and not living in fear of the boot is worth needing to deal with homeless people.
Want to smoke weed? Check (lowest prices in the world). Want to do psychedelics? (functionally legalized) Check. Want to shoot guns? (relatively lax gun laws for a blue state) Check. Want to not be spied on? As check as Ron Wyden can make it!
The tyranny of the masses is still a tyranny. I'd personally like to move to a state where all smoking, but at least weed smoking, is illegal. I really don't like second hand smoke, especially when it smells and hangs as much as weed smoke does.
> "In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests."
When they were building the CSAM detector: "what if the government asks you to extend the detection to include other media such as political meme images?" "we would refuse".
Being prohibited from disclosure does not in any way refute their promise to refuse. It would make it hard to prove one way or the other, but that is not the same problem.
We can safely assume they are already doing it; it's just that laws are coming slowly to normalize this surveillance so they can't tell us just yet. Vote for those laws to learn more.
Legitimately scary stuff but not surprising. Snowden risked everything to tell us what was going on and where things were headed yet here we are. At this point, it seems the only way to not be subject to this type of treatment by our governments is to completely unplug from the system, but of course, practically speaking, this isn’t feasible for the overwhelming majority of our society. So what are the alternatives here?
Are powerful mobile phones packed with Apps and constant notifications so necessary to a full, fun, enjoyable techy life, really?
I am legitimately surprised that more tech-heads didn't see this state of affairs (and all the other obvious drawbacks of The World's Most Featureful Spy Device, controlled end-to-end by a giant multinational, becoming ubiquitous in people's back pockets) as an obvious, absolute given, right from the very start of the whole smartphone trend. Instead we all seem to have bought into it, hook, line and sinker.
The really scary thing is that, forget what you said, they're starting to become more and more necessary for the bare minimum existence. We're not quite there yet, but it's becoming harder and harder to simply exist without one of these things.
Conduct yourself on your phone the way you would in public in front of friends and family. Only text/browse with stuff you'd be okay with a stranger knowing. I've operated this way for many years for the exact reason that this article highlights.
Stop being wilfully ruled by war criminals and start prosecuting their crimes.
The civil means for wresting back control over our government exists - we have to have the courage to use it. That means, prosecuting our own war criminals.
After all, it is the criminals with the most blood on their hands who want to use the tools of the state to repress the public, from which they derive their actual power, and who are the only ones with the resources to actually do something effective about the criminals getting away with it.
These rights-violating mechanisms exist to protect the criminal ruling elite only.
Seriously, to clean up our government: prosecute our war criminals. The war crimes are real, the crimes against humanity are real, the human rights violations are real. What isn't, is the general public's stomach for the embarrassment they must experience in order to confront the fact of their own wilful rule by dyed-in-the-wool war criminals.
This discomfort at the fallacy of our own moral authority over nations considered to be 'worse human rights violators' has to be replaced with outrage at the actual human rights violations we are allowing to be committed in our name, or else we continue the slide into the abyss.
You have to be willing to live with something less feature-rich than what you can get on the latest iPhone 27 Max Pro(TM). And you have to be gutsy enough to click an "Install some other OS" button in your web browser with your phone plugged into a USB port.
Then to extend to services, a lot of it depends on your ability to deploy your own stuff. This can involve a lot of time reading how-to guides after you've installed Linux on a machine in your house. Given how much documentation is readily available online most people with a high school diploma can probably figure it all out, but you have to be motivated enough to refuse to be helpless.
Today you can purchase a Pixel 7[|a|Pro] and flash GrapheneOS on it. There's a lot you can get from F-Droid, but if you really want Google Play Store apps, GrapheneOS does a reasonable job sandboxing it. Create a new Google account just for that installation of Google Play Store.
Never sign into anything Google, Microsoft, Apple, Facebook, Twitter/X, LinkedIn, or whatever from your phone. Or at least if you absolutely have to, use a trusted web browser in Incognito or Private Browsing Mode.
Keep location tracking disabled for everything but your favorite maps app. Put your phone in Airplane Mode when you're traveling if you don't want cell towers to capture your location info. GPS reception still works.
WG Tunnel can get you to your server when you're not on your home network. Some people swear by Tailscale, but you have to trust them with your node info.
Syncthing works for backup for a lot of people.
For private maps I've been using Organic Maps with some success. Searching for places isn't necessarily trivial, but the navigation feature has always worked well for me.
For private comms you really need it to go both ways (you and the recipient). The weak point is likely to be the recipient's environment, but at least something like Signal gives you a chance.
Something like Fastmail works for email and calendar, since they're probably not building a profile on you and selling that to advertisers. DAVx5 is free from F-Droid for calendar sync.
Kagi works really well for search. Also, they probably haven't sold out to advertisers. DuckDuckGo is another option with another set of trade-offs.
For music you can serve FLAC files via minidlnad to VLC. minidlnad was a 3-minute tweak to a config file after I apt-got it. There are tons of options here.
Explore F-Droid for stuff that might do better for privacy, like Spotube, FreeOTP, Podverse, Librera FD, Cheogram, etc. I'm not claiming that the F-Droid apps will all give you perfect privacy, but in general they're probably better than a lot of the stuff that's pushed in the Play store.
Check out e-books and audiobooks from your local library. Or copy them to your device via Syncthing after feeding your e-books through Calibre's DeDRM extension. The idea is to keep from having to contact license servers from your phone.
Give up on Apple or Google Pay, credit cards, and loyalty programs if you don't want your eReceipts collected and added to your consumer profile by companies that do that sort of thing.
None of this is a surefire way to give yourself perfect privacy, but it can greatly reduce the amount of your personal information that your government and/or corporations collect on you via your mobile device.
> You have to be willing to live with something less feature-rich than what you can get on the latest iPhone 27 Max Pro(TM). And you have to be gutsy enough to click an "Install some other OS" button in your web browser with your phone plugged into a USB port.
I agree with all of this, but realistically it's not just a simple matter of being willing to live with less features - this is a significant amount of work to investigate, implement, and upkeep for someone who is techy, let alone a less technically-inclined person.
I can barely get my family to use Signal, let alone install F-Droid or learn how to configure Syncthing.
Ultimately, this does indeed come down to "if you use a big product, you're likely being spied on", but this shouldn't be the individual consumer's fault.
This is an excellent reference. It is worth emphasising though, this does not make the device secure.
No matter what OS you put on, there's still a proprietary baseband blob with execution permissions underneath. All of these devices are built compromised.
We are headed in a direction where you will need the Google Play store or Apple's store to do groceries, read messages from the government, use two-factor authentication, pay, show your ID, order food, and much more. Web sites are being phased out and so are physical / legacy alternatives.
Build parallel networks for sections of society to operate and associate outside of what govt has their hands in, or with technological guarantees of privacy and safety. I understand this is a tricky constraint to scale, but it's not impossible; current iterative solutions are at hand, and people have coordinated before around successfully building alternative societies in terms of communications, mutual aid, and safety provided to the public regardless of family. These are a threat to gov and business though, as they minimize people's reliance on those institutions, which is a kind of power money alone has less control over (so they lean on violence historically, e.g. the Battle of Blair Mountain). I believe technology uniquely makes it possible to scale potential solutions because of how much it's cheapened unit cost and labor cost through automation, commodity hardware and open source.
California with the support of Gavin Newsom is building "no go" zones for wildfire response. Sounds OK except - a video recording of a local Mayor at a wildfire update press conference, asking with deference, when the main highway to his town will re-open, and the response from a tense and aggressive CHP leader was "maybe that road will be closed for six months, maybe next year" with no respect... instantly snapped at a Mayor, on camera. How are these zones decided upon? "immediate area" is not what was being done in that event.
If they use IP to deliver notifications, then the gov can demand they hand over the IP address a notification was delivered to. From there, location isn’t hard.
Just to make it crystal clear, we recently learned that the FBI served Twitter a search warrant for Trump's account which gave them access to all of his Twitter followers. https://www.bbc.com/news/world-us-canada-66365643.amp
Protip: the harder a company pushes you to download their app, the more they have to gain from it. 99.999% of the time it's because they want access to as much of your data as they can sneak out of your device, usually for selling it.
One notable corollary is, the shittier the mobile browser webapp implementation is, the more they want to push people onto their app. See: Facebook, Twitter, Reddit, etc.
This reminds me, whatever happened to mesh networks? If you wanted to be out and about in public, you could simply carry a very anonymized device that had only more basic abilities. But among those abilities, you could certainly send messages and maybe even smaller-sized files, all over a mesh network. Feds could infiltrate it, but it wouldn't be nearly as trivial as it is right now. And users could rotate their devices. Furthermore, if the device in question wasn't a real phone, but rather something more generic (a wifi-capable device with a keyboard, virtual or physical), then it wouldn't even need to have an IMEI.
Apple AirDrop was basically this, but they neutered it at the request of the Chinese government. It still works, but it automatically turns itself off every 30 minutes, so you can't (for instance) opt-in to allowing people to automatically push uncensored news to your phone during your daily commute (without interacting with the phone every half hour).
(It isn't technically a mesh, since it doesn't support multi-hop routing. Still, it is peer to peer, and doesn't require a data connection.)
Apple also has an API called MultipeerConnectivity[0] that handles this better than AirDrop. I’ve long wanted to try building a mesh network with this. Not sure about multi-hop, maybe that could be part of the business logic.
A better example is perhaps Apple's Find My network in which they explicitly said that locations of your Apple devices (including AirTags) would be transmitted over a mesh network and eventually to Apple's servers so you can see them on your iCloud console.
They're still a thing, and more of a happening thing than ever because they're useful for IoT. There's a bunch of private LoRa network operators offering a mix of free and paid services. Amazon is already a large player in this space because of their delivery network.
Some issues could be prevented if push messages added end-to-end encryption by default, something that shouldn’t be particularly hard to use if it was built into the dev tooling. Instead, developer recommendations like this one [0] suggest that you should put content into your push messages and optionally use a separate library to encrypt them. Clearly developers aren’t doing this, hence the opportunity for surveillance.
The timing would still give you away: with a privileged network position you can tell that a user sent a message to a messaging service, and that some set of users got notifications from that messaging service moments later. Observe that enough times and you'll have good confidence in the members of a group.
If you're trying to hide from that type of attack you need to send a fixed rate stream of messages (most of which are dummy messages, except the occasional message containing genuine content -- like number stations). Furthermore, every point in the chain also needs to avoid revealing which messages are genuine (by fetching the encrypted message from the server when it receives a genuine notification, you're giving data away).
The operator of the app could send messages at fixed intervals to make it more difficult to correlate the messages (more samples required to have confidence in the recipient). If they send dummy notifications they'd probably fall foul of Apple/Google's constraints around invisible-to-the-user notifications (I know Apple prohibits them, I assume Google does as well).
I can't see that frustrating this type of attack would be interesting to Apple/Google: it would push up power & radio bandwidth requirements for everybody pretty significantly.
In fact, at least on Android, the contents of most push notifications are not the actual messages to be displayed to the user, but just empty notifications letting the app know it must poll for something on the server or some other activity which may result in a notification.
It's all about the timing (and meta-data like which app), not about the contents.
Isn’t this somewhat defeated if the service is large enough?
E.g: if I get a signal notification and the notification has no data except “event happened, call server for updates” - and then you fetch updates as a batch - doesn’t the sheer number of people making that same generic batch update call somewhat mask it?
I’m curious where Apple prohibits dummy notifications, by the way - I used them for a financial app I worked on a few years back and never got dinged for it.
What you're talking about is achieving perfect privacy/security.
Even just E2EE on the notifications themselves would be an improvement over the current situation. It would make certain categories of data unavailable to eavesdroppers. The fact that it would not protect against 100% of all types of data/metadata exfiltration is not sufficient reason to oppose implementing it.
If it’s metadata they’re after (according to the article) would it really matter if the push notifications themselves were encrypted? As long as you’re using Apple/Google’s servers to manage push notifications it seems like there would be some metadata that could be useful for surveillance purposes, encrypted or not.
Getting rid of all metadata is fundamentally hard, unless providers are willing to deploy PIR or anonymity networks. But I think it's a mistake to assume metadata means "just the timing of a message": these push messages may include a lot of detailed content that is being described in this article as metadata, and all of that stuff can and should be encrypted.
Additionally, with a little bit of work (well, really quite a lot) the push messages can be made to hide the source. This would make it harder to distinguish a Gmail or DoorDash notification from a WhatsApp notification.
Some apps actually do that. I know at least Rocket.Chat has an option to handle push that way. I'd like to believe other similar chat apps used by groups and communities have it too.
But as others have pointed out, just having the timestamp and target of the notifications already tells a lot.
Encryption wouldn’t help as the whole point would be to look for coincident timings. I.e. after activity from one user to a known service you see a push occur going to another user. If this pattern repeats you can build confidence they are in contact.
Differential privacy, meet notifications: just add random notifications as noise to everyone. If payload decrypts to junk, then drop/ignore as a faux-notification; else, trigger notification.
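The timing correlation described a few comments up (uploads from one user followed moments later by pushes to another) and the fixed-rate dummy-notification countermeasure proposed just above, as an added Go example that is not from the article or any commenter. The push log, device names and timestamps are constructed, and the scoring is a deliberately simple "push within N seconds of an upload" hit count meant to show what a defender is trying to drive to zero, not a real analysis tool.

```go
package main

import (
	"fmt"
	"sort"
)

// Push is one line of a constructed push-delivery log as the push provider or
// a privileged network observer would see it: which device, when. No content.
type Push struct {
	Device string
	T      int // seconds since the start of the capture
}

// Constructed sample: five uploads by the observed sender, and the pushes the
// provider delivered afterwards. "alice-phone" is the real recipient; bob has
// one coincidental push; carol is unrelated.
var sampleSends = []int{10, 130, 250, 400, 520}
var sampleLog = []Push{
	{"alice-phone", 12}, {"bob-phone", 45}, {"alice-phone", 133},
	{"alice-phone", 251}, {"bob-phone", 300}, {"alice-phone", 402},
	{"bob-phone", 403}, {"alice-phone", 523}, {"carol-phone", 700},
}

// CorrelationScores returns, per device, the fraction of the sender's uploads
// that were followed within `window` seconds by a push to that device. A score
// near 1 over many samples is the "good confidence" the thread describes.
func CorrelationScores(sends []int, log []Push, window int) map[string]float64 {
	scores := map[string]float64{}
	if len(sends) == 0 {
		return scores
	}
	byDevice := map[string][]int{}
	for _, p := range log {
		byDevice[p.Device] = append(byDevice[p.Device], p.T)
	}
	for dev, ts := range byDevice {
		sort.Ints(ts)
		hits := 0
		for _, s := range sends {
			i := sort.SearchInts(ts, s) // first push at or after the upload
			if i < len(ts) && ts[i]-s <= window {
				hits++
			}
		}
		scores[dev] = float64(hits) / float64(len(sends))
	}
	return scores
}

// Spread is how far the best-scoring device stands out from the worst; zero
// means the log cannot tell the candidate recipients apart.
func Spread(scores map[string]float64) float64 {
	lo, hi := 1.0, 0.0
	for _, v := range scores {
		if v < lo {
			lo = v
		}
		if v > hi {
			hi = v
		}
	}
	if hi < lo {
		return 0
	}
	return hi - lo
}

// CoverTraffic is the fixed-rate scheme from the thread: every enrolled device
// gets a push every `period` seconds no matter what happened. Real messages
// ride the next tick and dummies decrypt to junk on the device, so the schedule
// an observer sees is the same for every device and independent of the uploads.
func CoverTraffic(devices []string, period, horizon int) []Push {
	var log []Push
	for t := 0; t <= horizon; t += period {
		for _, d := range devices {
			log = append(log, Push{d, t})
		}
	}
	return log
}

func main() {
	devices := []string{"alice-phone", "bob-phone", "carol-phone"}
	real := CorrelationScores(sampleSends, sampleLog, 5)
	cover := CorrelationScores(sampleSends, CoverTraffic(devices, 60, 800), 5)
	fmt.Println("plain:", real, "spread", Spread(real))
	fmt.Println("cover:", cover, "spread", Spread(cover))
}
```

The cost the thread mentions is visible in `CoverTraffic`: the log grows with devices times ticks regardless of how many real messages exist, which is the bandwidth and battery bill a provider would have to accept.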
Eh, what’s a few orders of magnitude increase in notification infrastructure overhead anyway? /s
I don't see why. The system operator knows to whom the message is being sent. They get a court order, ordering them to track messages sent to enumerated entities and they have to comply.
Metadata in this case apparently means Apple and Google are helping find “this real user connected to that real user at this time”. So governments may or may not be able to decrypt a push message payload, or data delivered because of that payload.
How will actual data not be more informative? You can easily infer what the appointment was because the phone call will mention the name of the doctor or office, and you can look that up, plus all the details they discuss.
You'd still have to look up who the doctor they called is from the metadata; it's still info, but absolutely not more informative than the real data.
So this line of thought makes no sense, and Glenn Greenwald should be looked at very skeptically in general; he sounds smart, but when you look at his logic closer it breaks down.
This is tangential to a comment I read (probably on HN) perhaps a decade ago, when scandals were being reported that laptop webcams could (surprise!) be activated remotely and people/kids being spied on (I think the article was a school-issued laptop disciplining a child from evidence gathered by the webcam at the child's home).
Someone pointed out that, while being watched is creepy, the real damning information on people actually comes from being listened to.
The only way out of this mess is with new laws, and that will require new lawmakers. Any other solution (relying on the kindness of corporations, toiling away with obscure technologies, going 'off the grid') is foolish or unrealistic for 99% or so of people and shouldn't even be considered.
The most promising starting point is probably at the state level.
Just because laws don't matter 100% of the time does not mean they don't matter. And the solution to better enforcement of laws is the same as the solution to passing better laws: elect better lawmakers.
This legal structure of governance already kills so many people unintentionally, it's unethical to keep trying to reform it when it was designed from flawed principles. Time for a full redesign.
The Libertarian party might fit our needs for privacy, but very few people belong to the party. As a liberal, I started listening to the Ron Paul (Libertarian, retired US Senator) podcast at least once a week. Maybe because I am older, but what he says mostly makes sense to me.
(Now I expect to get in trouble here because I mentioned a third party, that is fine with me.)
This, to me, is the more disturbing part of the article:
> "In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests."
What is the point of transparency reports if they don't include major vectors of government surveillance?
IMO such gag orders shouldn't be legal when applied to dragnet surveillance. If you want to gag a company from notifying an individual they're being surveilled (with a warrant), then fine. But gagging a company from disclosing untargeted or semi-targeted surveillance, especially if it involves American citizens, seems like it should be unconstitutional on free speech grounds.
> But gagging a company from disclosing untargeted or semi-targeted surveillance, especially if it involves American citizens, seems like it should be unconstitutional on free speech grounds.
I see you have not read the Patriot Act, an Orwellian double-speak of a title if there ever was one.
The first "paper" I ever wrote was an anti-USA PATRIOT Act paper for a scholarship competition in 2003 when I was 17 where I was awarded $1,000. Literally the only thing I remember is what the acronym USA PATRIOT stands for.
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.
It really is one of the best double-speak bill titles ever.
Seems like a pretty open and shut case of unconstitutional restriction of speech in the US. Especially when you consider the wording of the Apple communication saying that they can talk about it openly now that it's public knowledge.
Given the US has a 4th Amendment-free zone within 100 miles of all national borders in the name of national security, I expect the same justification and level of oversight here.
If I’m not mistaken they’re called NSLs and the legality of them when challenged are reviewed by a secret court with secret laws that have secret interpretations of words. The whole thing as far as I can tell is an out of control nightmare and our corrupt congress doesn’t give a shit.
Actually quite a few members of congress do give a shit. Unfortunately they're the same members of congress maligned as MAGA extremists or whatever (in some cases that might be accurate, but it doesn't mean they're wrong about every political position they hold).
If you actually take a second to listen to Matt Gaetz, for example, you might be surprised to learn his (rather principled) positions are much closer to those of AOC than to President Orange, at least in some dimensions. He wants to require single-issue bills, and to completely eliminate FISA-702. Ironically, it seems like FISA will be reauthorized as part of an omnibus spending bill...
This is why warrant canaries can be useful in privacy policies, at least for smaller/startup companies. The apple/google/microsoft/amazon/metas of the world would have had to remove the canary long ago, though.
No competent startup or small business would take on such a legal risk. And anyway, a sure conclusion can already be reached on the basis of reasoning about the complete and total lack of warrant canaries anywhere.
I think companies publishing whatever they can is a good thing. We would be worse off if they took the attitude of if we can't publish everything we might as well publish nothing.
Nine times out of ten, the person saying this will turn around and complain about all the "political hacks" running things, referring to political appointees with no experience or background in the area of government they are tasked to run.
The term "unelected bureaucrats" applies to people like...I dunno, the director of the NIH and field office managers. Heck, even a police captain is an "unelected bureaucrat". Sheesh.
I'm not sure why you're being downvoted. That's been a common charge against our vast unelected bureaucracy, most of whom hold qualified immunity. We're trillions of dollars in debt, maybe it's time to peel some of it back a little.
Push notifications are sent from an app server to an individual device, correct? And the device enrolls with the server for receiving push notifications.
Why isn't there key exchange happening at the time of enrollment? Why is it something apps have to manually do? We moved the web to https everywhere for a reason, why are apps behind the web in privacy?
Potentially stupid question - how is iMessage encrypted end to end if the notifications aren't?
Apps can still do what they want in the content of the notification. This includes encrypting the content however they'd like. By default, though, apps don't encrypt the content. And the metadata (what appleID is receiving notifications from what app) is still known to Apple.
"The source declined to identify the foreign governments involved in making the requests but described them as democracies allied to the United States"
Because the requests likely contain legal cladding to forbid disclosing the request, as is the case in Australia. A lot of people would be vindicated if it turned out one of the “democracies” making these requests was Australia.
Most likely group, since they info share and this is the standard end-around on laws prohibiting "domestic" surveillance; government has some other country run the surveillance on their nationals.
I know Pinephone isn't ready for daily use from all the threads here, but I just ordered one to get some stick time with it. Getting real tired of having to fight my phone to keep my data mine.
I just want the equivalent of Debian, but on mobile. I understand I'll have to give up a bunch of apps, but honestly I think it's worth it. As soon as it's possible I'd like off this ride.
PostmarketOS (based on Alpine Linux rather than Android, and what's used in Pinephones): https://postmarketos.org/ (for some reason the site is currently down)
Does Waydroid work well on mobile Linux GUIs like Phosh and Plasma Mobile? If it does it could be real handy to sandbox some Android apps you need for work or whatever while still using a proper Linux base
Librem needs to do something PR-wise to fix the reputation they developed regarding massive product/delivery delays.
They exist in the frustrating spot of “I want to like them, but I can’t trust the purchase based off of everyone I know who tried getting burned, so now I’ll just look at a Pinephone because it’s easier”.
One question I have as someone who tries to maintain (some) data sovereignty: is there any way as an end-user to circumvent/mitigate this kind of surveillance — aside from abandoning iOS and Android completely?
Google-free Android will allow you (force you) to use alternative push servers. That could be your own server (using something like Unified Push) or querying your apps' servers directly. This comes at the cost of battery life, sometimes significantly so, but it does decentralise the notification system.
Of course, your data will still be in the hands of app vendors unless you choose your apps wisely.
You should also block analytics on the network level (using firewall apps or alternative means) because these days developers like to send analytics events for every button pressed, all associated with your phone's unique identifier. If the government can use push notifications for tracking, imagine the tracking they can do through Firebase Analytics or one of its many data hoarding alternatives.
You're suggesting a deviation from the norm (99.99% of users) by installing a custom operating system (which they will now also be on the hook to secure and update regularly) by developers with nothing to lose.
This will greatly increase scrutiny on you, or colloquially speaking definitely put you on a watch list, the opposite of what is allegedly desired. Rather, accept the plain fact electronic communications are subject to government surveillance and adjust your threat model accordingly. Don't try to fight the bear with a flyswatter.
Governments view legibility of their constituencies as a feature, not a bug. They want to be able to query the population like a database in order to manage it better. This is exactly like a product manager at a tech company who wants to know whether a certain feature is being used, and asks for more instrumentation in the next release of the product if needed. Over time the product (the population) becomes better and better instrumented.
Of course, the other side of the coin of better legibility is worse privacy. Their feature is your bug.
Are there ways to circumvent or mitigate what's happening? For you, personally, sure. You can turn on all the buried options, add VPNs, proxies, additional profiles/accounts, etc. And for a while it will work.
But you're defeating legibility by doing that, so you're fighting against a very strong opposing force. Over time, the bugs that reduce legibility coverage will be fixed. The options will go away, VPNs will be banned or at least instrumented well enough to nullify their utility, COPPA and porn age-verification laws will extend to make multiple or anonymous identities impractical, and so on. And the few of us who do manage to go online fully anonymously might as well be wearing a "CRIMINAL" hat, because the public will have been trained that only bad actors want privacy, but not to worry if they themselves have nothing to hide.
You can see this already happening with financial transactions. Try to conduct a significant low-legibility transaction (in other words, buy something big with cash). Your bank will ask why you want to withdraw $20,000. Cops might seize the cash, legally and without probable cause, while you're driving to the seller. And when the seller deposits the cash, the bank might file a SAR. This is all working as designed. You're being punished for adding friction to legibility.
Even on HN, where you think people would be ahead of the curve, the PR campaign against financial privacy and censorship resistance is winning. Mention The Digital Currency That Shall Not Be Named, and suddenly the Four Horsemen of the Infocalypse are in control. Why HNers are pro-VPN but anti-Bitcoin, when both stand for privacy and censorship resistance at the price of reduced legibility, is beyond me.
The battle to fight is not just protecting your own privacy. It's protecting your right to protect your privacy without being ipso facto declared a criminal for doing so. Turn on all the options, hold Bitcoin, use VPNs, pay with cash, delete cookies, etc. But above all, be an ordinary, conscientious, law-abiding citizen. Render unto Caesar what is Caesar's. Be average. Be unremarkable. Privacy should be the default. Not unsavory, not for those with something to hide. Just the default.
Oh boy. I was shaking my head in agreement while reading your comment, until that part:
> Why HNers are pro-VPN but anti-Bitcoin, when both stand for privacy and censorship resistance at the price of reduced legibility, is beyond me.
neither vpn nor btc are "for privacy and censorship resistance". Maybe in some dystopian neoliberal every-man-is-an-island way. I think you were thinking about "overlay networks (tor et al) and communal economies" maybe? Those would fit with the rest of the claims.
On iOS, all notifications must go via the centralized APNS, but on non-Google Android (eg Graphene) it is possible to run the device with the Google FCM stuff blocked off. Some apps will break, but stuff that runs in the background for polling or does non-Google notifications will continue to work.
The Reuters article says that the government is getting this data from Apple and Google, which means it doesn't matter if your phone displays or even receives the notifications, no?
> aside from abandoning iOS and Android completely?
These platforms are so opaque and completely controlled by US corporations (so we know they are beholden to NSLs etc). If you care about your data and privacy, the best suggestion is to avoid phone platforms completely for anything important.
Absolutely and confidently incorrect. Local notification settings have no bearing on this metadata, which is generated, collected and stored with your consent by using Apple/Google app stores.
It's a huge problem for both privacy and the open source ecosystem that Apple and Google mandate use of their own notification system for apps to be included in their stores.
There were huge downsides for battery life before, and privacy is somewhat orthogonal since you’d be at risk from more companies and they’d all be subject to the same legal demands, so I think the answer has to be regulatory. In the EU, that seems possible but I’m not sure the U.S. government is currently functional enough to do anything about this.
It is driven entirely by battery life. Android used to allow 3rd party apps to receive push notifications, and it caused battery life to be terrible compared to Apple. Forcing a single path was done for that reason.
Pardon my ignorance, but would blocking all push notifications stop this specific act of surveillance? I usually don't need any notifications' content on the screen apart from "you have a new message on <app>, go check it". Or is that what's being discussed here?
The article says that Google and Apple know about the push notifications being shown on the phone and governments can make these companies turn over customer data.
I'm not sure if it only covers (for example) the unified notification service on Android or whether Apple and Google know of notifications that don't make use of that API. It's not clear from the article.
I don't know about Apple but on Android it's almost a capital sin to strive to use other services, and they work a lot worse than GCM (because of all the artificial limitations that Google imposed over the years).
It does seem to be notifications on the phone, but (a) that's incredibly surprising and disturbing and (b) it's really unclear why or how that would work when a phone is disconnected from the network. In any event, Google inserting themselves into notifications would be tantamount to reading all my email, texts and everything else, so ... why wouldn't this be restricted to opt-in? Many questions.
Why didn't Apple pull the plug on these services as soon as the government started spying with them? Why didn't they rearchitect them to use E2E encryption? Do they actually have principles about privacy or is it just a thing they want us to believe?
Apple uses “privacy” as a marketing term. They market themselves as protecting your “privacy” from advertisers unlike Google.
Apple openly complies with all data requests from government agencies and law enforcement. It is not a hard process for law enforcement to get someone's iCloud data with a warrant.
A paranoid part of me has wondered if some of the text/phone spam we all receive is actually used to stimulate cellphones for tracking purposes.
If you have deeper access to the OS, then fingerprint unlock or FaceID also seem important for positive identification prior to, for example, a Predator strike.
Plus, you can always ask the carriers to which tower(s) a phone is connected and simply triangulate from there, without sending any (user) data to the phone.
It's important to know that the entire worldwide mobile phone network needs to have a reasonable estimation of the location of each device in order to work.
"Phone call for XYZ", "SMS for XYZ", "Establish TCP connection to XYZ". Every single device that hears this has to decode the message to the point that it can say "Nope, this isn't for me. Ignore". You've got billions of devices online at once, doing things that require messages to be sent to them. The network has to find a way to broadcast these messages to the tiniest geographic area that it possibly can, or else the whole thing breaks down. So yes, there are plenty of completely normal, standard ways that the network can make your phone say "I'm over here" without anything showing up on your screen.
(I worked at Motorola in infrastructure tech for many years)
It's fascinating that about half these comments appear to be from younger people unfamiliar with "USA PATRIOT" Act gag orders, FISA, Five Eyes, Least Untruthful Response and related controversies that were big in the news 10-20 years ago.
Amusingly and sadly, the law was called PATRIOT as a normal "give a bad law a Good name", but over time "patriot" has become a synonym for "traitor" in common use.
There’s probably some you’ve missed but yeah, I like the “they can’t do this because of * “ comments.
Reminds me of the Eufy issue where they said everything was encrypted except for push notification images.
Hard to pick the most appropriate Orwellian quote. "All tyrannies rule through fraud and force, but once the fraud is exposed they must rely exclusively on force." ~ George Orwell
Why would it be unusual for a generation that’s been under surveillance since they were in the incubator to not hold quaint and obsolete views of privacy?
If we held a poll, what percentage of privacy-loving HN parents don’t have tracking on their kids phone? 5%? 10%?
You do _not_ need push notifications in the first place. Most definitely not for messaging programs anyway. The "saves battery" arguments are always very fluffy and devices/clients who don't do push notifications (or at least don't force you to) sometimes even have better battery life than devices/clients which do.
Stop promoting and trusting Conversations. It is bad software which never did OTR verification properly before yanking it unexpectedly and without explanation. To my knowledge it has never been independently audited, let alone taken seriously enough by any infosec professionals to warrant such study.
AIU deanonymization happens due to pseudonymity. There are 3 pseudonyms: chat id, push id, phone number. Since all three are constant and linked, they can deanonymize the user. You need some sort of anonymous or confidential protocol to work around it.
It is ultimately ignorant to think one is not spied upon in daily comings and goings, when the entire human economy is based on data and the study of it (especially at scale), whether by government, private enterprise or sole evil individual.
With Apple/Google you get the comfortable padded jail cell with 24/7 guards to protect - and monitor you; the digital equivalent of having a police officer live with you. You can't go outside of the walled garden and you're told this is for good reason.
Without them, you're totally on your own; you better be prepared and know how to defend yourself. No one will care about your security and privacy. But don't for a second think you're not still under the all-seeing eye of panopticon surveillance, and possibly additional scrutiny therein.
They mention metadata in the article. Imagine sending a message to a Signal account at time X, then asking Apple a list of all users that received a Signal notification at that specific time.
This ^ approach and modified forms of it can be used to track lots of things, and have been done so for decades by some government agencies. You can use a method like this even if people are using encryption and lots of anonymous tunnels. You simply shape the traffic and watch where the shape of that traffic stops. Can track people realtime across almost any link, including things like Tor, etc.
Unless I’m mistaken - and I might be or it may have changed - Signal notifications on iOS just tell the app “hey, something happened, call the service and check for updates”.
I.e, the push notification itself contains little to nothing in terms of data/metadata.
You can also of course decrypt a notification by shipping an extension to do so, and maybe Signal does - it’s been awhile since I poked around it. I’d just be surprised if the Signal team didn’t analyze the issue to death and find the gaps.
That doesn't make sense. I would expect Signal notifications to happen completely out-of-band with "normal" push notifications (e.g. NYT news alert). Otherwise that completely defeats the purpose of the service. Basically you're saying Apple/Google are MITM'ing Signal.
Others have mentioned the timing attacks but also payloads are not encrypted unless the app developers remember to build that. This linked essay discusses both threats:
Thank you, I was wondering about that. A couple of days ago I heard somebody mention that push notifications go through the backend and that it was a huge privacy issue, and I just couldn't believe that messaging apps that are "encrypted" would go through all that work just to then send the unencrypted message to Google's servers.
I'm surprised hyper-private services like Signal haven't foreseen this as a potential vector and given you options to eg. exclude different details from push notifications (or warned you to disable them altogether if you're worried about it)
Fortunately, they did foresee this! The push notification only contains enough information to tell the phone that it should fetch the actual notification content from Signal's servers.
My Signal notifications on iOS just say 'Message received!', not sure what else is in the payload but nothing else is displayed... It seems unfathomable that they would push any unencrypted message content or information relating to who is messaging you through notifications that travel over third party servers, so I very much doubt there's much of interest in the payload...
Unless my memory is seriously off, Signal push notifications just tell your device to call and fetch. It’s not like they’re unaware and just sending you stuff in plain text.
This is yet another example of: If the data can be collected it will be used by governments
You can slow this down by making data explicitly built to be impossible to read in transit (eg e2e) and then deleting or never saving it, but the fact that data flows through multiple stops means each transition is an opportunity for third party observation
This is deterministic and is built into the structure of data production, transport and consumption. This is part of the infrastructure and cannot be extricated.
See [1] for an overview of "state of the art" metadata-protecting communications protocols. There has been much research into this problem over decades and the effectiveness of such protocols very much depends on real world use cases and practicalities. For example, protocols may require 100 seconds to send a message to ensure adequate mixing, and then may be limited to always-transmitting-24/7 endpoints consuming much power, and then also requiring participants in the network to trust each other not to mount a denial of service attack.
[1] SoK: Metadata-Protecting Communication Systems, Sajin Sasy and Ian Goldberg, Cryptology ePrint Archive, Paper 2023/313, https://eprint.iacr.org/2023/313.pdf
This depends on how the app implements notifications, and which mechanism is used to disable them. I know FCM/Android, not APNS/iOS, so here's a breakdown:
1. The app registers a push token with their backend. This can happen without granting notification permissions, and without notifying the user. So the backend is free to start sending push messages immediately after registration, which is typically done on the first app launch.
2. The controls available in Android's per-app notification settings have nothing to do with push messaging. These allow the user to limit or change how the app displays notifications, regardless of the reason the app is displaying them. Some apps have additional options to disable push messages, but that preference must be communicated to the app's backend to prevent the backend from sending pushes in the first place. Some apps may consider Android's notification settings to determine this preference, but it's extra work to do so.
The concepts of "push messaging" and "notifications" are often used interchangeably, but at least on Android these are separate systems that are tied together with client code. The push messages may also contain notification data, and the official FCM client will display these automatically, so this confusion is understandable.
I’m no expert but in my experience developing mobile applications & push notifications, I’ve only registered a device for notifications (and subsequently sent notifications) if the user opted in. Based on my own experience, I would say if you didn’t enable notifications for a particular service or app, they don’t get sent.
It'd be cool if Signal and other privacy-focused apps added an option to delay push notifications. That would obfuscate the connection between two accounts.
You'll never be a criminal with that level of opsec.
You have to randomly leave your phone at home for criminal and non-criminal things. That way, there's a plausible alibi that your phone was at home or on you at the time of the crime.
It's time for a privacy bill of rights. You have to attach inalienable rights to people and then enforce them at the civil rights level.
These things are troubling now. In the post AGI world these are much more difficult problems because the data becomes training for purposes far beyond anything that could be foreseen in the data collection questions.
With respect to the US, I would be more worried about Apple and Google spying on users through push notifications. Americans have legal protections against government spying but they have basically zero protections against spying by so-called "tech" companies. Neither Apple nor Google can demand information about citizens from the government, but the government can demand this from Apple or Google, which they do, successfully, with increasing frequency. People share details of their lives with Apple and Google they would probably never share with the government but the government has little trouble getting it from these so-called "tech" companies, without any notice to the user, so sharing these details with Apple and Google is arguably even worse. The ability for people to fight against this sharing of information is nonexistent; it's up to the companies to resist. Given the number of users whose data they hold, that simply is not feasible. These companies do not care about peoples' privacy. They seek to profit from learning every detail of peoples' lives. Commercial surveillance.
When the government asks citizens for information it's usually for a specific purpose and can only be used for that purpose. When so-called "tech" companies collect information, it is for any purpose. They might assure users that "the information is only used to improve the software or service". What limits does this create, if any? How do we verify that the company is not using our information in ways that compromise our interests if we are not allowed to learn how the company is using the information? Imagine if the government assured people that the information it collects "will only be used to improve the government".
Not every computer is a national security threat or even a common criminal, i.e., a person that the government has some need to spy on. That's not who I am referring to in this comment. These so-called "tech" companies spy on everyone. And they don't just want to know about one thing, for one purpose, they want to know everything for any purpose.
Are the legal protections against government spying actually worth anything though?
Eg. Parallel construction, FISA, etc etc.
But also, you're whispering right in that if Google and Apple are able to do this, then is that "laundered" spying, I'm that various law enforcement and government agencies can buy this information?
I must be fundamentally missing something here. I thought all this data scooping was to find the bad guys. Are the bad guys really so stupid as to use Apple or Android (or any closed system) to communicate? Cryptonomicon was written 25 years ago.
> In a statement, Apple said that Wyden's letter gave them the opening they needed to share more details with the public about how governments monitored push notifications.
> "In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests."
If Apple knew about this why wouldn't they limit their exposure to this user data?
My startup (LaunchKey, now part of TransUnion) encrypted the data in our push authentication requests as late as a decade ago. This was painful until they expanded the size of the message allowing for more encrypted data. It is possible to do so (I would use pub/priv ec keys now) but remember you are limited in the amount of data you can include so you might need a “pull” to deliver all of the content necessary.
That's why we at Tuta do not send any information with the push on Apple and have built our own push notification for Android (we'd never use Google Push): https://tuta.com/blog/posts/open-source-email-fdroid
Completely unrelated, but sort of related. With all this surveillance and spying going on, what's a normal citizen to do?
For example: cloud storage? Streaming music? Online note-taking?
Should the more technically-inclined, but average, person start looking at taking more and more of these things off-line given the state of mass surveillance going on and the crazy push towards all things AI?
Is this a timing side channel attack, where say I am a member of a Signal group, or have a Proton email client or Matrix/Element or something, are they sending patterns of beacon messages that may look normal, and then watching the traffic across mobile networks (or directly on platforms) that matches, and then narrowing endpoints that show it?
I guess you have to assume that any message in transit over a public network is public. Of course, you can use something like PGP to encrypt messages before sending them, provided that the recipient has your key. I know of a few people who do that.
Outside of that kind of thing, we're probably yelling everything out loud to anyone who wants to listen.
What sort of metadata or information can be gathered from a push notification from an app like iMessage? I know a timestamp is there and most likely the sender's phone number.
But is there some sort of sensitive info that these governments are trying to glean? Or is it more so they can build info maps and communication maps on targets?
This is not necessarily true. You’re assuming that all the info is in push notifications themselves.
E.g: if I get a push notification that is simply “you have a new event, poll the server”, and then I poll the server for (encrypted) batch updates, where exactly do you see the leak that ties an anonymous profile to an Apple ID? Given a large enough service, that same generic batch update endpoint would be getting hammered and I have to think it would effectively be camouflaged to a degree.
Granted, not every app is going to use this design - but if or when done properly I don’t see that much of an issue here.
If you were able to do this, and you also had control of the person's ISP/cell network (not unusual for the threat model here), then one thing you could do is interfere with their communications, "shadowbanning" them from their friends/contacts. Say you used a particular app, like LINE, to speak to one particular friend who your "benefactors" didn't want you speaking with, they could drop connections between your device and that app's servers whenever they intercept a push notification from Google or Apple targeted to that app on your device. Effectively preventing the two parties ever communicating.
Depending on specifics, it seems it would be possible to do this cleverly, so the app still thinks it's connected, but just never receives these messages.
I'm not an expert on this, it just seems a plausible possibility. Best effort response to your question! :)
This would only work if the protocol doesn’t have the concept of retries, which it does. They’d have to block all communications which would be highly noticeable - especially since you’d get a flurry of messages any time you opened the app or migrated onto a Wi-Fi network.
I know iMessage is E2E encrypted, and I wonder if that extends to the content shown within a push notification. Maybe the push notification servers receive the content encrypted, push it to the device, and then it is decrypted on-device?
> "The source declined to identify the foreign governments involved in making the requests but described them as democracies allied to the United States"
Oh look! The US end-running constitutional protections again via 5+Eye proxy governments. Who could ever have guessed.
> …a source familiar with the matter confirmed that both foreign and U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.
In the past, Google, Apple, Amazon, Facebook, and a slew of other companies would have been broken up using anti-trust laws. These aren't just monopolies at this point, they are clusters of monopolies. This is leading us down a dark path.
It should only[0] be meta data, though. The push notification should signal the app that there is data to fetch, then the app goes and fetches it. The push notification itself should carry none of the data.
I so hate when people put words "only" and "metadata" in the same sentence...
They know you rang a phone sex line at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.
They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
They know you got an email from an HIV testing service, then called your doctor, then visited an HIV support group website in the same hour. But they don't know what was in the email or what you talked about on the phone.
They know you received an email from a digital rights activist group with the subject line “Let’s Tell Congress: Stop SESTA/FOSTA” and then called your elected representative immediately after. But the content of those communications remains safe from government intrusion.
They know you called a gynecologist, spoke for a half hour, and then called the local abortion clinic’s number later that day.
You're using the internet after all, which isn't your network - it's someone else's! When you send a packet there is a header w/ information required for routing. Some call this the "outside of the envelope" if using the mail analogy. We can pass the buck by using a VPN but this also adds a VPN org that we need to trust. On the other hand, it's not your network! Why do you think you have a right to absolute secrecy and anonymity on someone else's network?
Push notifications don't signal an active line of communication like that though nor do they connect who's talking, only the means. In all your examples the equivalent would be "They know someone called you."
If you wish privacy then just get a Linux phone. May not have the coolest features but if you need more than a classic phone, Linux phones will do fine. Fewer apps means fewer distractions - a win-win situation.
Must be interesting to work on the teams responsible for compliance at Apple/Google. Would talking to someone about these kinds of orders qualify as treason under US law?
Great news considering we're now getting an extreme-right fascist government in Holland. Why not give them all our data on a platter, they can be trusted.
> I'm probably naive, but what insights could a government glean from Push Notifications?
Looking at my own phone right now, it just got a push notification that my wife has arrived at home. That could be useful if you wanted to track my wife.
> And why aren't push notifications E2EE?
That's a great question. And I hope the answer is "we're on it, they will be E2EE in the next release."
If the notifications were to be truly E2EE, it would have to work something like this:
1. Generate a local key pair per app (never uploaded to Apple).
2. Each app can request their public key from iOS (or be provided with it via (void)application:(UIApplication *)application didRegisterForRemoteNotificationsWithDeviceToken:(NSData *)deviceToken andPublicKey:(NSData *)publicKey;).
3. App uploads token + public key to their own server.
4. Server encrypts notification payload with the public key before sending to APNS.
5. Apple forwards encrypted payload to device.
6. Device uses the bundle name to look up the local private key and uses it to decrypt the payload.
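A runnable sketch of those six steps, added here as an example and not code from the comment's author or from Apple. It uses Go's standard library as a stand-in for the iOS APIs (the delegate method above is not modelled), X25519 plus AES-256-GCM for the sealing, and a constructed bundle ID; the relay only ever handles the Envelope, so the check a practitioner wants is that the plaintext never appears in it and that a re-addressed or modified envelope fails to open.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// ErrUnknownBundle: the device holds no private key for the envelope's bundle ID.
var ErrUnknownBundle = errors.New("no local key for bundle ID")

// Device models the phone: one X25519 key pair per app bundle ID, generated
// locally and never uploaded to the push relay (step 1 of the sketch above).
type Device map[string]*ecdh.PrivateKey

// RegisterApp generates the app's key pair and returns the public key bytes the
// app would upload to its own server next to the push token (steps 2 and 3).
func (d Device) RegisterApp(bundleID string) ([]byte, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	d[bundleID] = priv
	return priv.PublicKey().Bytes(), nil
}

// Envelope is everything the push relay (APNS in the sketch) gets to see:
// a routing target plus opaque bytes. No plaintext payload passes through it.
type Envelope struct {
	BundleID   string
	Ephemeral  []byte // server's one-time X25519 public key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output; bundle ID is bound in as AAD
}

// aeadFor derives the AES-GCM instance shared by both ends from an X25519
// exchange. SHA-256 over the secret and both public keys stands in for a
// proper KDF such as HKDF in this sketch.
func aeadFor(priv *ecdh.PrivateKey, peer, ephPub, devPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(bytes.Join([][]byte{shared, ephPub, devPub}, nil))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ServerEncrypt is the app server's step 4: seal the payload to the device's
// per-app public key before handing the envelope to the push relay.
func ServerEncrypt(bundleID string, devicePub, payload []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aeadFor(eph, devicePub, ephPub, devicePub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Using the bundle ID as AAD means a relay that re-addresses the envelope
	// to a different app cannot have it decrypt successfully there.
	ct := gcm.Seal(nil, nonce, payload, []byte(bundleID))
	return &Envelope{BundleID: bundleID, Ephemeral: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is the device's step 6: look up the private key by bundle ID and open
// the envelope. It fails closed on an unknown bundle or any modified byte.
func (d Device) Decrypt(env *Envelope) ([]byte, error) {
	priv, ok := d[env.BundleID]
	if !ok {
		return nil, ErrUnknownBundle
	}
	gcm, err := aeadFor(priv, env.Ephemeral, env.Ephemeral, priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.BundleID))
}
```

Note what this does not hide: the relay still learns the bundle ID, the device token and the timing of every push, which is exactly the metadata the thread is about.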
Is anyone surprised? Why would there be pen registers, and tap and trace for phone calls and email, but not for other traffic? The ability of governments to do secret surveillance of such metadata is well established in law and jurisprudence, variously in various countries.
It is a Weird Nerd Thing to believe that old laws can't apply to new computer thing.
It's crazy to me that so much effort is being expended pretending that companies and the government are doing anything in the name of privacy, when we have all the proof by Assange and Snowden that they're doing realtime surveillance of ALL communications, 24x7 -- no matter what any laws say -- and we don't even talk about it any more. What's the point of any of this? All we can do is assume that our every position, purchase, and electronic communication is being tracked and saved, and act accordingly. The Constitution no longer matters, and there's no one coming to save us.
I think where we go wrong is to allow the conversation to revolve around what evil corporations are doing with our information, rather than what the evil government is doing with it. I believe the risk to our freedom is much greater from the latter. Of course governments can extract the information from corporations that have it, but let's keep the spotlight on the government itself, and use THAT as a reason to give corps less information about us.
Corporations showing me better-targeted ads is the least of my troubles.
> Of course governments can extract the information from corporations that have it, but let's keep the spotlight on the government itself, and use THAT as a reason to give corps less information about us.
Yep. Treating the two as distinct makes no sense. Corporate dragnet surveillance collecting forever-datasets isn't meaningfully different from the government doing the same thing, directly. People who fear government power ought to support outlawing corporate collection of the same types of things they don't want government collecting.
Granted that's relying on the government to prevent corporations from doing things in order to limit... the government (and, incidentally and IMO beneficially, also the corporations themselves). However, that's the only effective mechanism we've got—and the basis of all the other mechanisms we have available, ultimately, short of violence and strikes and such—and I think it's implausible that, even assuming a great deal of bad-faith behavior, such a move wouldn't significantly curb this activity.
> I think where we go wrong is to allow the conversation to revolve around what evil corporations are doing with our information, rather than what the evil government is doing with it.
I think it would be wrong to ignore either. Especially since most of the data the government gets is from corporations.
> Corporations showing me better-targeted ads is the least of my troubles.
You're right about that. That data sure isn't only used for ads. Companies use it to decide what services you're allowed to get and under what terms. The policies a company tells you they have are different from the policies they tell others they have. Companies use it to set prices so that what you pay can be different from what your neighbor does for the same goods/services. Companies even use that data to determine how long to keep you on hold when you call them.
Employers use it to make hiring decisions. Landlords use it to decide who to rent to. It's sold to universities who use it to decide which students to accept or reject. It's sold to scammers who use it to select their victims. Extremists use it to target and harass their enemies. Lawyers use it in courtrooms as evidence in criminal cases and custody battles. Insurance companies use it to raise rates and deny claims.
The data companies are collecting about you will cost you again and again in more and more aspects of your life. Ads are absolutely the least of your troubles.
“Better-targeted advertisements” is not the most nefarious way this information is used. That’s just one of the selling points to entice advertisers. It’s also been used extensively to determine content that you will find the most engaging, regardless of whether it’s to your benefit or not, so that ad-driven marketplaces may harvest and sell your attention.
If you have any contemporary examples of the way the government has used the same information, in a way that’s been more widely destructive, I would be curious to know more.
Wouldn't the exact opposite focus have a better effect? Going after the "evil corporations" would mean nobody was collecting the data in the first place, which would also take away the "evil government" as they have nobody to buy that data from.
Right now they just write fat checks to Google, Apple, Amazon and the telcos and badda bing, badda boom it's done.
Assembly 2023 had a fantastic presentation[1] from @BackTheBunny (from X) about precisely this. When the US really wants to do something, the constitution is a parchment guarantee and the media runs cover for them. Many US gov agencies are basically supranational and extrajudicial.
I don't agree with everything he said but the information was well presented and enjoyable.
I don't think many people actually care much about privacy. There are a few, and they're loud. But look at what matters in politics -- both major political tribes in the US are only interested in privacy and protection from the government as it relates to their own interest, but they are perfectly happy to use that power against their perceived opponents.
Thirty years ago, one perceived element of moral superiority in the West was revelations of the extensive internal surveillance in places like East Germany and own-spying. There used to be news items and documentaries mocking this behavior and intimating how backward and uncouth those governments were to stoop to furiously wiretapping irrelevant private conversations.
So, whether the world has changed enough to justify it, people still do care and when adequately informed about some magistrate furiously eavesdropping on private matters, people universally recognize this is antisocial bizarre conduct.
> I don't think many people actually care much about privacy.
People absolutely care about their privacy. If you don't believe me try going outside and following someone in public with a video camera. They'll scream at you about how horrible and illegal what you're doing is. They'll probably call the police on you. Upset as they are, they ignore the fact that they've been being filmed from the moment they stepped outside and have in fact been being extensively tracked and recorded even while they were still inside their homes.
People don't understand the extent that their privacy is being violated. It's mostly out of sight/out of mind. They also don't understand the impact the data they give up has on their daily lives. They aren't allowed to know when or how much that data costs them. The moment they are confronted with the reality of the situation, they suddenly care very much about their privacy. Mostly they feel powerless against the invasion of their privacy.
While I believe that you can't solve (at least permanently) political problems with technology, and we need political action, you can prevent a good bit of surveillance with technology if you invest in setting it up.
E2EE for chats (Matrix, Signal, or XMPP) is pretty solid I think.
More shaky, Tor/reputable VPNs or some combo for browsing.
FOSS ROMs for phones (Graphene), or Librem/PinePhone if you can deal with not always having a working phone.
It's not a great situation, but it's not hopeless!
Unfortunately, the constitution isn't very clear on privacy. It should be. There should be a new amendment which makes it crystal clear that the Patriot Act, for example, is completely unconstitutional.
But what the 14th amendment says is that people and their property are protected against searches by the government wherever there is a “reasonable expectation of privacy.” That and some combination of other details imply a right to privacy, but it's not very explicit and clearly limited. In practice, the Supreme Court has actually ruled pretty favorably towards a right to privacy, considering what's actually in the constitution.
> IX. The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.
> X. The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.
Operating a surveillance apparatus isn't an enumerated power of the federal government. The courts screwed up by reading its enumerated powers so unreasonably broadly that this even came up.
The only real way to fix this in the US is via election reform.
The GOP is trying to create an apartheid state where minority rural areas dictate the laws for the majorities that live in urban areas while they extract resources from those areas.
They know this is incredibly unpopular, so they don't even pretend they're trying to get the majority of the vote in most places. Instead, they've been trying to set vote thresholds to > 60% for ballot measures and stripping authority from all elected offices that aren't subject to gerrymandering.
It's also crazy to me that people are frequently arguing over what is the best security app to use for communication arguing over privacy maximalist viewpoints but not considering the old and have forgotten the major flaw we learned about from PGP: can't decrypt, please resend unencrypted. It doesn't matter how good your encryption is if no one will use it. Pareto is a bitch. (This is a crack at the Signal vs Threema or whatever app is hot this month and we discuss next month. But when usernames?)
You're kidding yourself if you think three letter agencies don't have LOS users on a list and have capabilities to spy on them on demand with tailored access.
Hey other states, can you elect a few more Ron Wydens? He's been doing a ton of the heavy lifting lately. Every time we hear about the intelligence community egregiously violating civil liberties, it's always Wyden.
I believe he sits on intelligence committees and has a security clearance so he gets briefed on all kinds of outrageous things he can’t publicly talk about. But he does his best with what he can.
In May 2017, Wyden co-sponsored the Israel Anti-Boycott Act, Senate Bill 720, which made it a federal crime, punishable by a maximum sentence of 20 years imprisonment,[88] for Americans to encourage or participate in boycotts against Israel and Israeli settlements in the occupied Palestinian territories if protesting actions by the Israeli government. The bill would make it legal for U.S. states to refuse to do business with contractors that engage in boycotts against Israel.[89]
https://en.wikipedia.org/wiki/Ron_Wyden#Israel
Given a lot of journalists and activists use encrypted communications to be able to do their job without being unduly or unjustly persecuted (yes, the bad guys use them too!), and 12 US State Attorney Generals just signed a letter and delivered it to the major news agencies (NYT, CNN, Reuters, AP, etc.) that warns of any "support to terrorist organizations" and specifically points out Hamas, but is not very clear on what "support" or "business relationship" means (sending a camera to do a report where the press is not allowed due to Israel's complete control of the media - echoes of US journalist access during the Iraq War), and puts them on notice. Nothing is safe from Big Brother, anywhere, any country.
At this point any “both sides are the same” argument should be seen as either incredibly misguided or intentionally malicious.
Look for representatives who represent more or at least some of our actual interests.
An ideologically united group which has been working to actively disrupt the election process and turn women into breeding property, combined with unlimited surveillance? Might not be the “same”.
I noted that Apple says the governments in question are allies of the United States. I wonder if this is a case of American intelligence outsourcing the surveillance of American citizens to foreign intelligence. If that is indeed the case, I’d expect a quid pro quo.
> I wonder if this is a case of American intelligence outsourcing the surveillance of American citizens to foreign intelligence. If that is indeed the case, I’d expect a quid pro quo.
Yet it is the US government who revealed it: "In a letter to the Department of Justice, Senator Ron Wyden said foreign officials were demanding the data from Alphabet's (GOOGL.O) Google and Apple (AAPL.O). Although details were sparse, the letter lays out yet another path by which governments can track smartphones." - https://www.reuters.com/technology/cybersecurity/governments...
Less "the government" and more "a member of government", the same member who has revealed and demanded accountability when discovering domestic government overreach.
Wyden is far removed from the part of the government which engages in surveillance. He's the same person who was questioning James Clapper in Congress about mass surveillance before the Snowden leaks [1].
That's how they circumvent the ban on domestic spying. The US spies on Australians* and the Australians spy on US citizens, then they exchange the data. Easy.
Why do they need to confirm an already known fact: FAANG platforms are built to spy on users? We've known about this fact for at least a decade since the Snowden revelations.
Nothing has materially changed since then, technically, politically, legally, or even culturally. Yet people still believe for-profit corporations have their best interests in mind, thanks to clever marketing and groupthink, clutching to "encrypted apps" and empty "we value your privacy" double-speak: neither will defend you.
There is no privacy on proprietary closed source platforms - it is simply infeasible; it is trying to squeeze blood from a stone. I know this truth will likely trigger and upset people with their $1,000+ iPhones, MacBooks and other iToys, and this sunk cost fallacy is really pathetic to witness in grown adults.
From the companies not needing this, it does not follow that various governments don't need this.
My first thought is that this is looking like an especially fun (for the rest of us) popcorn session where someone in one government is shocked to discover that other governments pull the same stunts that they think should be reserved for "our people"… but then I looked up Senator Ron Wyden's Wikipedia page and he seems to be genuinely opposed to such shenanigans from everyone including the US.
In what way would ignoring a viable SIGINT source be incompetent?
Just thinking about only my push notifications yesterday and they revealed that I am clearly a developer or technologist (push notifications from Git/AWS/etc), who got a haircut (time and location were revealed in the message, but I'm sure government-level agencies could have tracked which SportClips location the appointment belonged to), that I am interested in generative AI, and working out.
Another day might have yielded far more interesting facts, but those bits added to a record of my interests and habits can become quite powerful over time.
> Just thinking about only my push notifications yesterday
See, the gist in the letter is this sentence:
"As with all of the other information these companies store for or about their users, because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information."
Do you really think that a foreign government is interested in push notifications when issuing a demand to disclose data from a phone?
We at the Home Assistant Companion for iOS team have been wanting to implement end to end encryption for our push notifications for a while now but Apple has denied our request for the com.apple.developer.usernotifications.filtering [0] entitlement multiple times. Wondering if with today's news we could apply again and get it.
For context, we are sending ~35 million push notifications per month on iOS and ~67 million on Android, see more at [1]
[0]: https://developer.apple.com/documentation/bundleresources/en...
[1]: https://threadreaderapp.com/thread/1721717002946191480.html
We implemented APNS encryption for Firefox iOS without much trouble. Keys are negotiated out of band and message decryption is done in a Notification extension that allows you to pre process incoming notifications. Did not need any special entitlements.
Source code on GitHub.com/mozilla-mobile
Maybe their keys are safer than yours?
Not saying you are obviously compromised, but the simplest explanation after this news is that maybe they relay the authorization to NSA et al, and they OK'ed your case and not theirs for some reason...
Just curious, why do you need filtering permissions for your use case?
Decrypting a push notification appears to be supported using 'mutable-content' with a notification service.
In fact that is the example used here: https://developer.apple.com/documentation/usernotifications/...
The filtering entitlement allows us to decrypt messages and, depending on the content, choose to not send any notification (for example if a user sends an app specific command, like asking for a location update). The example you linked requires that a notification is emitted at the end, which we don't want.
Zac also just let me know the other reason we need filtering is so we can properly unsubscribe users from notifications when one is received from a server they no longer are connected to.
for my understanding, you need that entitlement so you can send an encrypted invisible notification which you can then decrypt locally in your app and push out again as a local notification that doesn't go over the network (i.e. not use apns)? Or is doing this kind of stuff just weirdly tied to that specific entitlement?
Correct, we need to be able to filter to properly unencrypt notifications and pass them on as a local notification.
No, you do not need this just for decryption. This entitlement is only required if you want your Notification Extension to be able to silently eat the notification. Normally an extension must transform the notification then the system presents it to the user.
APNS is not a "let my server wake up my app in the background whenever and however often I like" mechanism.
Defer handling other things until either your extension or your app would have run anyway and do them at that time.
Naive question: why not remove all sensitive data, or all data, from the notification and leave the context for a secondary API call?
Yup that is also a great way. Just send a message ID and fetch the actual content in the notification extension that can pre process incoming notifications.
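The two answers above describe the same defensive pattern from different angles: with `mutable-content` set, a Notification Service Extension can rewrite the alert before the system shows it, so the push that actually crosses APNs or Google's relay only needs to carry an opaque message ID, and the real content (encrypted or not) is fetched from the app's own server inside the extension. The following is an added example, not code from Home Assistant, Mozilla or Apple: a small Python audit that builds such a minimal payload and then checks an arbitrary payload for what it would expose to the relay. The `msg_id` key, the `ALLOWED_TOP_LEVEL_KEYS` allowlist and the `LEAKY_PAYLOAD` sample are constructed for this illustration; the 4096-byte limit is APNs' documented maximum for a regular notification.

```python
import json
import secrets

# APNs rejects regular notification payloads larger than 4096 bytes.
MAX_PAYLOAD_BYTES = 4096

# Top-level keys our hypothetical server is allowed to put in a payload.
# "aps" is the Apple-defined dictionary; "msg_id" is an opaque lookup key
# (assumed name, not an Apple key) the extension uses to fetch the content.
ALLOWED_TOP_LEVEL_KEYS = {"aps", "msg_id"}


def build_minimal_payload(msg_id: str = "") -> dict:
    """Build a payload that tells the relay nothing beyond 'something arrived'.

    mutable-content = 1 lets the Notification Service Extension replace the
    placeholder alert before display; the extension fetches the real content
    from the app server by msg_id, so that content never crosses the relay.
    """
    return {
        "aps": {
            "alert": {"title": "New message"},  # generic placeholder text only
            "mutable-content": 1,
        },
        "msg_id": msg_id or secrets.token_hex(16),  # random, meaningless to the relay
    }


def audit_payload(payload: dict, sensitive_terms: tuple = ()) -> list:
    """Return findings describing what this payload exposes to the push relay."""
    findings = []
    aps = payload.get("aps", {})

    if aps.get("mutable-content") != 1:
        findings.append("mutable-content is not 1: the extension cannot replace the alert")

    alert = aps.get("alert")
    if isinstance(alert, str) and alert:
        findings.append(f"alert string is cleartext visible to the relay: {alert!r}")
    elif isinstance(alert, dict):
        for field in ("body", "subtitle"):
            if alert.get(field):
                findings.append(f"alert.{field} is cleartext visible to the relay: {alert[field]!r}")

    # Any custom key outside the allowlist is app data the relay can log.
    for key in payload:
        if key not in ALLOWED_TOP_LEVEL_KEYS:
            findings.append(f"custom key {key!r} is readable by the relay")

    # Crude content scan for terms the app would not want a third party to see.
    haystack = json.dumps(payload).lower()
    for term in sensitive_terms:
        if term.lower() in haystack:
            findings.append(f"sensitive term {term!r} appears in cleartext")

    size = len(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    if size > MAX_PAYLOAD_BYTES:
        findings.append(f"payload is {size} bytes, over the {MAX_PAYLOAD_BYTES}-byte APNs limit")

    return findings


# Constructed sample of a payload that leaks appointment details via the relay.
LEAKY_PAYLOAD = {
    "aps": {"alert": {"title": "Appointment", "body": "Haircut at 3pm"}},
    "location": "Main St",
}

if __name__ == "__main__":
    print("minimal:", audit_payload(build_minimal_payload(), ("haircut",)))
    for finding in audit_payload(LEAKY_PAYLOAD, ("haircut",)):
        print("leaky:  ", finding)
```

The audit is deliberately about the relay's view only: it says nothing about whether the fetch from the app server is authenticated or the fetched content is end-to-end encrypted, which is the separate problem the out-of-band key negotiation in the Firefox iOS comment addresses.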
It is quite insane how Apple filters entitlements and denies usage of them in a seemingly arbitrary way...
Are the ones on Android encrypted I wonder? I hope so
They are not currently as we need to roll out e2ee with iOS and Android in lockstep as they both use the same mobile_app component as well as the local push stuff which bypasses Apple and Google but we would also like to encrypt.
Ron Wyden has been barking up this tree for a long time:
https://www.wyden.senate.gov/issues/secret-law
https://www.wyden.senate.gov/news/press-releases/wyden-colle...
https://www.wyden.senate.gov/news/press-releases/wyden-intro...
https://www.wyden.senate.gov/priorities/gps-act
https://www.wyden.senate.gov/news/press-releases/wyden-relea...
He even inspired Snowden to expose the illegal mass surveillance programs. IIRC Snowden reached a breaking point when James Clapper, then director of national intelligence, lied under oath to Congress when pressed about domestic surveillance by senator Wyden.
It's sad we don't hear more about people like this in positions of power.
His position on it has been clear for a while:
2008: https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveilla...
The votes: https://www.govtrack.us/congress/votes/110-2008/s168
But this is a MUCH older issue: https://en.wikipedia.org/wiki/Room_641A
And if you don't know about Quest: https://en.wikipedia.org/wiki/Joseph_Nacchio
The entire time period of the Bush admin is a microcosm for unresolved issues of today: Voting machines, government overreach and spying, security, encryption, copyright, bad behavior by corporate entities (M$ has a cohort).
Good thing there are no penalties for lying under oath anymore. That pesky rule of law was so long in the tooth.
Nine times out of ten, when there's a news piece about a senator advocating for privacy and constitutional rights with regards to tech, it's senator Wyden. He's on the senate intelligence committee and has a decent track record of getting shit done with bipartisan support, so he's not just virtue signaling for votes either (not to mention that he's basically unbeatable in state election with all the support he has in Oregon). He's 74 years old, I do hope someone will step up and carry the torch when he retires. It's a losing battle but it's still important that we have someone who is competent and well respected to fight it for us.
I know it's the Oregonian in me and getting to meet him as a kid where he spent a decent amount of time with my class, but he strikes me as a senator that Oregon can be proud of. I might not agree with him on everything, but in my personal opinion, he's advocating and pushing for change on what he personally believes in. Makes me wish my current senator was more like that.
Gosh I am so happy to have like the best senator in the senate next to Bernie Sanders in Oregon.
Oregon is an extremely based state. Y'all crap on PDX but the reality is that we have more freedom and less tyranny here than in any other state in the nation, and possibly in the world. PDX is "bad" because it's one of the only places in the world that hated the cops enough to actually muzzle them - and not living in fear of the boot is worth needing to deal with homeless people.
Want to smoke weed? Check (lowest prices in the world). Want to do psychedelics? (functionally legalized) Check. Want to shoot guns? (relatively lax gun laws for a blue state) Check. Want to not be spied on? As check as Ron Wyden can make it!
> Want to shoot guns? (relatively lax gun laws for a blue state)
Your DA is determined to destroy this right by spending tax dollars appealing 114 until they find a judge who agrees with them.
> Want to smoke weed?
The tyranny of the masses is still a tyranny. I'd personally like to move to a state where all smoking, but at least weed smoking, is illegal. I really don't like second hand smoke, especially when it smells and hangs as much as weed smoke does.
> Want to smoke weed? Check (lowest prices in the world)
One of the biggest reasons I'm happy I moved away from my home in Oregon. The second-hand weed smoke is gross.
> ""In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.""
When they were building the CSAM detector: "what if the government asks you to extend the detection to include other media such as political meme images?" "we would refuse".
Being prohibited from disclosure does not in any way refute their promise to refuse. It would make it hard to prove one way or the other, but that is not the same problem.
But if they fail in their refusal, we would not know. So you have to treat it as if they have already failed and plan accordingly.
Wow. Yahoo have a better track record than Google or Apple on fighting against that https://money.cnn.com/2014/09/11/technology/security/yahoo-f...
I guess now the yahoo phone doesn't sound like that bad of a joke https://www.slashgear.com/wp-content/uploads/2010/05/nokia_y...
Better public track record. It's very difficult to reason about a hidden private track record.
https://www.wbur.org/npr/190723995/google-asks-permission-to...
https://www.reuters.com/article/usa-security-google/update-2...
We can safely assume they are already doing it, it's just that laws are coming slowly to normalize this surveillance so they can't tell us just yet. Vote for those laws to learn more.
Legitimately scary stuff but not surprising. Snowden risked everything to tell us what was going on and where things were headed yet here we are. At this point, it seems the only way to not be subject to this type of treatment by our governments is to completely unplug from the system, but of course, practically speaking, this isn’t feasible for the overwhelming majority of our society. So what are the alternatives here?
Are powerful mobile phones packed with Apps and constant notifications so necessary to a full, fun, enjoyable techy life, really?
I am legitimately surprised that more tech-heads didn't see this state of affairs (and all the other obvious drawbacks of The World's Most Featureful Spy Device, controlled end-to-end by a giant multinational, becoming ubiquitous in people's back pockets) as an obvious, absolute given, right from the very start of the whole smartphone trend. Instead we all seem to have bought into it, hook, line and sinker.
> I am legitimately surprised that more tech-heads didn't see this state-of-affairs
Didn't see or didn't bite the hand that feeds?
The really scary thing is that, forget what you said, they're starting to become more and more necessary for the bare minimum existence. We're not quite there yet, but it's becoming harder and harder to simply exist without one of these things.
> So what are the alternatives here?
Conduct yourself on your phone the way you would in public in front of friends and family. Only text/browse with stuff you'd be okay with a stranger knowing. I've operated this way for many years for the exact reason that this article highlights.
> So what are the alternatives here?
Stop being wilfully ruled by war criminals and start prosecuting their crimes.
The civil means for wresting back control over our government exists - we have to have the courage to use it. That means, prosecuting our own war criminals.
After all, it is the criminals with the most blood on their hands which want to use the tools of the state to repress the public, from which they derive their actual power, and who are the only ones with the resources to actually do something effective about the criminals getting away with it.
These rights-violating mechanisms exist to protect the criminal ruling elite only.
Seriously, to clean up our government: prosecute our war criminals. The war crimes are real, the crimes against humanity are real, the human rights violations are real. What isn't, is the general publics' stomach for the embarrassment they must experience in order to confront the fact of their own wilful rule by dyed-in-the-wool war criminals.
This discomfort at the fallacy of our own moral authority over nations considered to be 'worse human rights violators' has to be replaced with outrage at the actual human rights violations we are allowing to be committed in our name, or else we continue the slide into the abyss.
> So what are the alternatives here?
You have to be willing to live with something less feature-rich than what you can get on the latest iPhone 27 Max Pro(TM). And you have to be gutsy enough to click an "Install some other OS" button in your web browser with your phone plugged into a USB port.
Then to extend to services, a lot of it depends on your ability to deploy your own stuff. This can involve a lot of time reading how-to guides after you've installed Linux on a machine in your house. Given how much documentation is readily available online most people with a high school diploma can probably figure it all out, but you have to be motivated enough to refuse to be helpless.
Today you can purchase a Pixel 7[|a|Pro] and flash GrapheneOS on it. There's a lot you can get from F-Droid, but if you really want Google Play Store apps, GrapheneOS does a reasonable job sandboxing it. Create a new Google account just for that installation of Google Play Store.
Never sign into anything Google, Microsoft, Apple, Facebook, Twitter/X, LinkedIn, or whatever from your phone. Or at least if you absolutely have to, use a trusted web browser in Incognito or Private Browsing Mode.
Keep location tracking disabled for everything but your favorite maps app. Put your phone in Airplane Mode when you're traveling if you don't want cell towers to capture your location info. GPS reception still works.
WG Tunnel can get you to your server when you're not on your home network. Some people swear by Tailscale, but you have to trust them with your node info.
Syncthing works for backup for a lot of people.
For private maps I've been using Organic Maps with some success. Searching for places isn't necessarily trivial, but the navigation feature has always worked well for me.
For private comms you really need it to go both ways (you and the recipient). The weak point is likely to be the recipient's environment, but at least something like Signal gives you a chance.
Something like Fastmail works for email and calendar, since they're probably not building a profile on you and selling that to advertisers. DAVx5 is free from F-Droid for calendar sync.
Kagi works really well for search. Also, they probably haven't sold out to advertisers. DuckDuckGo is another option with another set of trade-offs.
For music you can serve FLAC files via minidlnad to VLC. minidlnad was a 3-minute tweak to a config file after I apt-got it. There are tons of options here.
Explore F-Droid for stuff that might do better for privacy, like Spotube, FreeOTP, Podverse, Librera FD, Cheogram, etc. I'm not claiming that the F-Droid apps will all give you perfect privacy, but in general they're probably better than a lot of the stuff that's pushed in the Play store.
Check out e-books and audiobooks from your local library. Or copy them to your device via Syncthing after feeding your e-books through Calibre's DeDRM extension. The idea is to keep from having to contact license servers from your phone.
Give up on Apple or Google Pay, credit cards, and loyalty programs if you don't want your eReceipts collected and added to your consumer profile by companies that do that sort of thing.
None of this is a surefire way to give yourself perfect privacy, but it can greatly reduce the amount of your personal information that your government and/or corporations collect on you via your mobile device.
> You have to be willing to live with something less feature-rich than what you can get on the latest iPhone 27 Max Pro(TM). And you have to be gutsy enough to click an "Install some other OS" button in your web browser with your phone plugged into a USB port.
I agree with all of this, but realistically it's not just a simple matter of being willing to live with less features - this is a significant amount of work to investigate, implement, and upkeep for someone who is techy, let alone a less technically-inclined person.
I can barely get my family to use Signal, let alone install F-Droid or learn how to configure Syncthing.
Ultimately, this does indeed come down to "if you use a big product, you're likely being spied on", but this shouldn't be the individual consumer's fault.
This is an excellent reference. It is worth emphasising though, this does not make the device secure.
No matter what OS you put on, there's still a proprietary baseband blob with execution permissions underneath. All of these devices are built compromised.
We are headed in a direction where you will need the Google Play store or Apple's store to do groceries, read messages from the government, use two-factor authentication, pay, show your ID, order food, and much more. Web sites are being phased out and so are physical / legacy alternatives.
You have to do both unfortunately, otherwise the lack of a trackable identity in itself will make you a huge target for surveillance.
Unshackle yourself from Google/Apple and use F-Droid/LineageOS or something similarly FOSS minded.
Would be great to see an example of notification metadata that can supposedly link it to real users.
Seems like this is what is being implied:
Given:
- users with notifications enabled
- have X app installed
- targeted user(s) reside in USA
- targeted user(s) following “foo” on X app
When:
- issue FISA warrant for all smartphone users that received notifications in regards to “foo” user
Then:
- able to pull all Apple/Google accounts that match this criteria
- able to get real addresses and names
- can crosscheck names with other details to narrow down suspect
Or maybe it’s something even worse where notifications somehow leak location data
Why bother with this whole process when you can get everything + store & index it yourself?
Who knows? Maybe you want to retroactively look at shit people received and decide on new crimes.
They already do this, I think;
https://en.m.wikipedia.org/wiki/Utah_Data_Center
But since PRISM was exposed ~10 years ago, they have had to resort to using FISA court to scrape data
\s
Build parallel networks for sections of society to operate and associate outside of what govt has their hands in or with technological guarantees of privacy and safety. I understand this is a tricky constraint to scale but it’s not impossible, current iterative solutions are at hand, and people have coordinated before around successfully building alternative societies in terms of communications, mutual aid, and safety provided to public regardless of family; these are a threat to gov and business though as they minimize people’s reliance on those institutions which is a kind of power money alone can have less control over (so they lean on violence historically - eg battle of blair mountain). I believe technology uniquely makes it possible to scale potential solutions because of how much it’s cheapened unit cost and labor cost thru automation and commodity and open src
Apple's own developer documentation outlines how notifications can trigger when crossing a physical boundary.
App notifications can trigger if you enter a "protest zone" for example, then gov will know everyone who was there.
California with the support of Gavin Newsom is building "no go" zones for wildfire response. Sounds OK except - a video recording of a local Mayor at a wildfire update press conference, asking with deference, when the main highway to his town will re-open, and the response from a tense and aggressive CHP leader was "maybe that road will be closed for six months, maybe next year" with no respect... instantly snapped at a Mayor, on camera. How are these zones decided upon? "immediate area" is not what was being done in that event.
Hey, that's easier than having to go there and set up a stingray!
That location determination is done on-device.
Need a set of preparation rules for attending protests these days.
No mobile, no identification, obscure any way to uniquely be identified.
If they use IP to deliver notifications, then the gov can demand they hand over the IP address a notification was delivered to. From there, location isn’t hard.
IP geolocation isn’t exactly the most precise though. 600M+ IPs have a default location to some farm in Kansas [1]
[1] https://www.washingtonpost.com/news/morning-mix/wp/2016/08/1...
Just to make it crystal clear, we recently learned that the FBI served Twitter a search warrant for Trump's account which gave them access to all of his Twitter followers. https://www.bbc.com/news/world-us-canada-66365643.amp
Isn’t an account’s follower list basically public, though?
So, don’t have Twitter account and/or app installed and you should be good?
Protip: the harder a company pushes you to download their app, the more they have to gain from it. 99.999% of the time it's because they want access to as much of your data as they can sneak out of your device, usually for selling it.
One notable corollary is, the shittier the mobile browser webapp implementation is, the more they want to push people onto their app. See: Facebook, Twitter, Reddit, etc.
I think your comment comes after reading this line:
> - targeted users(s) following “foo” on X app
It seems "X app" means just any placeholder app (not the new Twitter rebrand), although I might be wrong.
no it's more like: don’t have a smartphone and you are good (perhaps).
no, need to get rid of your smartphone completely.
Also, no Signal.
This reminds me, whatever happened to mesh networks? If you wanted to be out and about in public, you could simply carry a very anonymized device that had only more basic abilities. But among those abilities, you could certain send messages and maybe even smaller-sized files - all over a mesh network. Feds could infiltrate it, but it wouldn't be nearly as trivial as it is right now. And users could rotate their devices. Furthermore, if the device in question wasn't a real phone, but rather something more generic (a wifi-capable device with a keyboard, virtual or physical), then it wouldn't even need to have an IMEI.
Apple AirDrop was basically this, but they neutered it at the request of the Chinese government. It still works, but it automatically turns itself off every 30 minutes, so you can't (for instance) opt-in to allowing people to automatically push uncensored news to your phone during your daily commute (without interacting with the phone every half hour).
(It isn't technically a mesh, since it doesn't support multi-hop routing. Still, it is peer to peer, and doesn't require a data connection.)
Apple also has an API called MultiPeerConnectivity[0] that handles this better than AirDrop. I’ve long wanted to try building a mesh network with this. Not sure about multi-hop, maybe that could be part of the business logic.
[0]: https://developer.apple.com/documentation/multipeerconnectiv...
A better example is perhaps Apple's Find My network in which they explicitly said that locations of your Apple devices (including AirTags) would be transmitted over a mesh network and eventually to Apple's servers so you can see them on your iCloud console.
They're still a thing, and more of a happening thing than ever because they're useful for IoT. There's a bunch of private LoRa network operators offering a mix of free and paid services. Amazon is already a large player in this space because of their delivery network.
I wonder if Apple's Airtag devices use mesh networking of some sort.
I imagine they designed it the way they did specifically to prevent law enforcement from tapping them.
Some issues could be prevented if push messages added end-to-end encryption by default, something that shouldn’t be particularly hard to use if it was built into the dev tooling. Instead, developer recommendations like this one [0] suggest that you should put content into your push messages and optionally use a separate library to encrypt them. Clearly developers aren’t doing this, hence the opportunity for surveillance.
[0] https://android-developers.googleblog.com/2018/09/notifying-...
The timing would still give you away - with a privileged network position you can tell that a user sent a message to a messaging service, and that some set of users got notifications from that messaging service moments later. Observe that enough times and you'll have good confidence in the members of a group.
If you're trying to hide from that type of attack you need to send a fixed rate stream of messages (most of which are dummy messages, except the occasional message containing genuine content -- like number stations). Furthermore, every point in the chain also needs to avoid revealing which messages are genuine (by fetching the encrypted message from the server when it receives a genuine notification, you're giving data away).
The operator of the app could send messages at fixed intervals to make it more difficult to correlate the messages (more samples required to have confidence in the recipient). If they send dummy notifications they'd probably fall foul of Apple/Google's constraints around invisible-to-the-user notifications (I know Apple prohibits them, I assume Google does as well).
I can't see that frustrating this type of attack would be interesting to Apple/Google: it would push up power & radio bandwidth requirements for everybody pretty significantly.
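The correlation this comment describes, and the fixed-rate padding it proposes as the countermeasure, as an added simulation that is not from the thread or from any real system: it constructs one hour of send times for one observed user, gives two constructed group members a push shortly after each send and three constructed bystanders unrelated pushes, scores every recipient by the fraction of sends followed by a push within a two-second window, and then rescores with every recipient on a fixed 30-second schedule. Names, the window and the period are assumptions chosen for the example.

```python
import random

WINDOW = 2.0    # seconds after a send within which a push counts as coincident (assumed)
PERIOD = 30.0   # interval of the fixed-rate padding schedule (assumed)
HOUR = 3600.0


def correlate(sends, pushes, window=WINDOW):
    """Score each recipient by the fraction of the observed user's sends that
    were followed by a push to that recipient within `window` seconds.
    sends: list of send timestamps; pushes: {recipient: [push timestamps]}."""
    scores = {}
    for recipient, times in pushes.items():
        hits = sum(1 for s in sends if any(s < t <= s + window for t in times))
        scores[recipient] = hits / len(sends) if sends else 0.0
    return scores


def simulate(group, bystanders, n_msgs=20, padded=False, seed=7):
    """Construct one hour of traffic (all values are constructed).
    Unpadded: group members get a push 0.1-1.0 s after every send, bystanders
    get unrelated pushes. Padded: every recipient gets a push every PERIOD
    seconds no matter what, and genuine messages ride inside that schedule."""
    rng = random.Random(seed)
    sends = sorted(rng.uniform(0, HOUR) for _ in range(n_msgs))
    pushes = {}
    if padded:
        # the same grid for everyone: push times carry no information about sends
        grid = [k * PERIOD for k in range(int(HOUR / PERIOD) + 1)]
        for r in group + bystanders:
            pushes[r] = list(grid)
    else:
        for r in group:
            pushes[r] = [s + rng.uniform(0.1, 1.0) for s in sends]
        for r in bystanders:
            pushes[r] = sorted(rng.uniform(0, HOUR) for _ in range(n_msgs))
    return sends, pushes


def membership_scores(padded=False):
    """Return {recipient: score} for the constructed group and bystanders."""
    group = ["alice", "bob"]                # constructed: the group under observation
    bystanders = ["carol", "dave", "erin"]  # constructed: unrelated users of the same app
    sends, pushes = simulate(group, bystanders, padded=padded)
    return correlate(sends, pushes)


if __name__ == "__main__":
    for padded in (False, True):
        print("padded" if padded else "unpadded", membership_scores(padded))
```

Without padding the two group members score 1.0 and the bystanders sit near zero after only twenty messages; with the shared fixed-rate schedule every recipient gets an identical score, so the push timing no longer separates members from bystanders. The cost is exactly the one the comment names: 120 pushes per hour per user whether or not anyone said anything.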
In fact, at least on Android, the contents of most push notifications are not the actual messages to be displayed to the user, but just empty notifications letting the app know it must poll for something on the server or some other activity which may result in a notification.
It's all about the timing (and meta-data like which app), not about the contents.
Isn’t this somewhat defeated if the service is large enough?
E.g: if I get a signal notification and the notification has no data except “event happened, call server for updates” - and then you fetch updates as a batch - doesn’t the sheer number of people making that same generic batch update call somewhat mask it?
I’m curious where Apple prohibits dummy notifications, by the way - I used them for a financial app I worked on a few years back and never got dinged for it.
What you're talking about is achieving perfect privacy/security.
Even just E2EE on the notifications themselves would be an improvement over the current situation. It would make certain categories of data unavailable to eavesdroppers. The fact that it would not protect against 100% of all types of data/metadata exfiltration is not sufficient reason to oppose implementing it.
If notification is malformed or erroneous it should be invisible, shouldn't it?
If it’s metadata they’re after (according to the article) would it really matter if the push notifications themselves were encrypted? As long as you’re using Apple/Google’s servers to manage push notifications it seems like there would be some metadata that could be useful for surveillance purposes, encrypted or not.
Getting rid of all metadata is fundamentally hard, unless providers are willing to deploy PIR or anonymity networks. But I think it's a mistake to assume metadata means "just the timing of a message": these push messages may include a lot of detailed content that is being described in this article as metadata, and all of that stuff can and should be encrypted.
Additionally, with a little bit of work (well, really quite a lot) the push messages can be made to hide the source. This would make it harder to distinguish a Gmail or DoorDash notification from a WhatsApp notification.
Some apps actually do that. I know at least Rocket.Chat has an option to handle push that way. I'd like to believe other similar chat apps used by groups and communities have it too.
But as others have pointed out, just having the timestamp and target of the notifications already tells a lot.
Encryption wouldn’t help as the whole point would be to look for coincident timings. I.e. after activity from one user to a known service you see a push occur going to another user. If this pattern repeats you can build confidence they are in contact.
It would very much help if you wanted to stop the government hoovering up the content of chat messages sent as push notifications
Differential privacy, meet notifications: just add random notifications as noise to everyone. If payload decrypts to junk, then drop/ignore as a faux-notification; else, trigger notification.
Eh, what’s a few orders of magnitude increase in notification infrastructure overhead anyway? /s
I don't see why. The system operator knows to whom the message is being sent. They get a court order, ordering them to track messages sent to enumerated entities and they have to comply.
Metadata in this case apparently means Apple and Google are helping find “this real user connected to that real user at this time”. So governments may or may not be able to decrypt a push message payload, or data delivered because of that payload.
An interesting point in Glenn Greenwald’s book is that metadata is often more informative than the “real” data.
Consider:
1. A phone call in which Mrs. Smith talks to a receptionist to set an appointment with a doctor for 9:30 next Wednesday.
Vs.
2. Knowing that Mrs. Smith called an abortion clinic.
#2 seems like a bigger violation of privacy. Metadata is the real data.
Exactly. Metadata is how you go from pwning the phone of one dissenter to learning about their whole group.
how will actual data not be more informative? you can easily infer what the appointment was because the phone call will mention the name of the doctor or office and you can look that up plus all the details they discuss
you'd still have to look up who the doctor they called is from the metadata; it's still info but absolutely not more informative than the real data
so this line of thought makes no sense, and glenn greenwald should be looked at very skeptically in general, he sounds smart but when you look at his logic closer it breaks down
This is tangential to a comment I read (probably on HN) perhaps a decade ago, when scandals were being reported that laptop webcams could (surprise!) be activated remotely and people/kids being spied on (I think the article was a school-issued laptop disciplining a child from evidence gathered by the webcam at the child's home).
Someone pointed out that, while being watched is creepy, the real damning information on people actually comes from being listened to.
God forbid if you are just going on a date with someone who works at an abortion clinic.
They already "kill people" based on metadata alone, at least since 2014.[0]
[0]: https://www.nybooks.com/online/2014/05/10/we-kill-people-bas...
This is a widely under-appreciated fact!
FCM messages are not encrypted end-to-end, that's up to the app backend/client to do themselves.
The only way out of this mess is with new laws and that will require new lawmakers. Any other solution - relying on the kindness of corporations, toiling away with obscure technologies, going 'off the grid' - is foolish or unrealistic for 99% or so of people and shouldn't even be considered.
The most promising starting point is probably at the state level.
I'm not sure new laws will matter much considering they've been breaking the existing laws through creative interpretation.
Just because laws don't matter 100% of the time does not mean they don't matter. And the solution to better enforcement of laws is the same as the solution to passing better laws: elect better lawmakers.
This legal structure of governance already kills so many people unintentionally, it's unethical to keep trying to reform it when it was designed from flawed principles. Time for a full redesign.
You want the state to write laws to prevent it spying on its citizens?
I want legislators to pass laws that prevent spying by the executive branch. I don't care who writes them.
The Libertarian party might fit our needs for privacy, but very few people belong to the party. As a liberal, I started listening to the Ron Paul (Libertarian, retired US Senator) podcast at least once a week. Maybe because I am older, but what he says mostly makes sense to me.
(Now I expect to get in trouble here because I mentioned a third party, that is fine with me.)
Problem is that the US has a two-party system.
This, to me, is the more disturbing part of the article:
> "In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests."
What is the point of transparency reports if they don't include major vectors of government surveillance?
IMO such gag orders shouldn't be legal when applied to dragnet surveillance. If you want to gag a company from notifying an individual they're being surveilled (with a warrant), then fine. But gagging a company from disclosing untargeted or semi-targeted surveillance, especially if it involves American citizens, seems like it should be unconstitutional on free speech grounds.
> But gagging a company from disclosing untargeted or semi-targeted surveillance, especially if it involves American citizens, seems like it should be unconstitutional on free speech grounds.
I see you have not read the Patriot Act, an Orwellian double-speak of a title if there ever was one.
The first "paper" I ever wrote was an anti-USA PATRIOT Act paper for a scholarship competition in 2003 when I was 17 where I was awarded $1,000. Literally the only thing I remember is what the acronym USA PATRIOT stands for.
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.
It really is one of the best double-speak bill titles ever.
Is it really that hard for the government to get a warrant for a suspected terrorist?
Is there any data on how often they're surveilling people without warrants vs with warrants?
This seems like important info to know.
Seems like a pretty open and shut case of unconstitutional restriction of speech in the US. Especially when you consider the wording of the Apple communication saying that they can talk about it openly now that it's public knowledge.
> Seems like a pretty open and shut case of unconstitutional restriction of speech
I wish it didn't cost a lot of money and years of your life to beat these over-reaches.
How exactly do you bring suit on this matter?
Hey we would like to bring suit because the government says we can't talk about them doing X. Oh no, that would be talking about doing X!!
https://en.m.wikipedia.org/wiki/Third-party_doctrine
Free speech: are you saying it is guaranteed for companies?
Given the US has a 4th Amendment-free zone within 100 miles of all national borders in the name of national security, I expect the same justification and level of oversight here.
https://www.aclu.org/documents/constitution-100-mile-border-...
> What is the point of transparency reports if they don't include major vectors of government surveillance?
How many times did those of us who knew all of this to be a farce warn about this?
This is why I never believe Apple's "We're super serious about your privacy!"
That is until a government asks them to do things behind the scenes.
If I’m not mistaken they’re called NSLs and the legality of them when challenged is reviewed by a secret court with secret laws that have secret interpretations of words. The whole thing as far as I can tell is an out of control nightmare and our corrupt congress doesn’t give a shit.
Actually quite a few members of congress do give a shit. Unfortunately they're the same members of congress maligned as MAGA extremists or whatever (in some cases that might be accurate, but it doesn't mean they're wrong about every political position they hold).
If you actually take a second to listen to Matt Gaetz, for example, you might be surprised to learn his (rather principled) positions are much closer to those of AOC than to President Orange, at least in some dimensions. He wants to require single-issue bills, and to completely eliminate FISA-702. Ironically, it seems like FISA will be reauthorized as part of an omnibus spending bill...
This is why warrant canaries can be useful in privacy policies, at least for smaller/startup companies. The apple/google/microsoft/amazon/metas of the world would have had to remove the canary long ago, though.
No competent startup or small business would take on such a legal risk. And anyway, a sure conclusion can already be reached on the basis of reasoning about the complete and total lack of warrant canaries anywhere.
and they're trivial to DDoS
>What is the point of transparency reports if they don't include major vectors of government surveillance?
The feels.
It's more than that, IMHO.
I think companies publishing whatever they can is a good thing. We would be worse off if they took the attitude of if we can't publish everything we might as well publish nothing.
perhaps that democracy is not effective when the state organs are unelected bureaucrats with guns
Nine times out of ten, the person saying this will turn around and complain about all the "political hacks" running things, referring to political appointees with no experience or background in the area of government they are tasked to run.
The term "unelected bureaucrats" applies to people like...I dunno, the director of the NIH and field office managers. Heck, even a police captain is an "unelected bureaucrat". Sheesh.
history has shown that clumsy bureaucrats with slow erosion of rights is still superior to belligerents with guns in a mob
Would you prefer elected bureaucrats with guns? That scares me more.
Perhaps we just go with rock solid transparency laws...
I'm not sure why you're being downvoted. That's been a common charge against our vast unelected bureaucracy, most of whom hold qualified immunity. We're trillions of dollars in debt, maybe it's time to peel some of it back a little.
Push notifications are sent from an app server to an individual device, correct? And the device enrolls with the server for receiving push notifications.
Why isn't there key exchange happening at the time of enrollment? Why is it something apps have to manually do? We moved the web to https everywhere for a reason, why are apps behind the web in privacy?
Potentially stupid question - how is iMessage encrypted end to end if the notifications aren't?
Apps can still do what they want in the content of the notification. This includes encrypting the content however they'd like. By default, though, apps don't encrypt the content. And the metadata (what appleID is receiving notifications from what app) is still known to Apple.
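One shape the enrollment-time key exchange asked about here (and the per-app encryption of push content the earlier comment on E2EE push messages calls for) can take, as an added example that is not Apple's, Google's or any app's code: the device generates a random key at enrollment and registers it with the app backend over TLS (assumed, out of band from the push relay), the backend seals each message with that key, and the on-device notification extension unseals it. It uses HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag as a stdlib-only stand-in for a real AEAD such as ChaCha20-Poly1305; `com.example.chat` and the device token are placeholders. `provider_view` lists what the relay, and anyone who can compel it, still sees after the content is encrypted.

```python
import base64
import hashlib
import hmac
import json
import secrets


def enroll(device_token):
    """Enrollment (constructed): the device mints a per-device key and registers
    it with the app backend over TLS. The key lives in the device keychain and
    on the backend, never at the push relay."""
    return {"device_token": device_token, "key": secrets.token_bytes(32)}


def _subkeys(key):
    # separate encryption and MAC keys derived from the registered key
    return (hmac.new(key, b"push-enc", hashlib.sha256).digest(),
            hmac.new(key, b"push-mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real stream cipher
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """nonce || ciphertext || tag, with the tag over nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Return the plaintext, or None if the blob is truncated or fails the tag."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_push(registration, message):
    """App backend side: what gets handed to the push relay."""
    blob = seal(registration["key"], json.dumps(message).encode())
    return {"device_token": registration["device_token"],
            "app_id": "com.example.chat",          # placeholder bundle id
            "payload": {"aps": {"mutable-content": 1,  # lets an extension rewrite the alert
                                "alert": "New message"},
                        "blob": base64.b64encode(blob).decode()}}


def provider_view(push):
    """Everything readable at the relay: the metadata the article is about."""
    return {"device_token": push["device_token"], "app_id": push["app_id"],
            "alert": push["payload"]["aps"]["alert"],
            "blob_len": len(push["payload"]["blob"])}


def extension_handle(registration, push):
    """On-device notification extension: decrypt and rewrite the alert text.
    On authentication failure, show only the generic alert the relay already
    carried, never anything derived from the unverified blob."""
    raw = unseal(registration["key"], base64.b64decode(push["payload"]["blob"]))
    if raw is None:
        return push["payload"]["aps"]["alert"]
    msg = json.loads(raw)
    return f'{msg["from"]}: {msg["text"]}'


if __name__ == "__main__":
    reg = enroll("device-token-placeholder")
    push = build_push(reg, {"from": "alice", "text": "meet at 9"})  # constructed message
    print("relay sees:", provider_view(push))
    print("device shows:", extension_handle(reg, push))
```

The split is the point: sender name and text exist only inside the blob, but the device token, app identifier, size and timing of every push still exist at the relay, which is why content encryption narrows what a request to the relay can yield without removing the timing and "which app, which device" signal discussed above.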
"The source declined to identify the foreign governments involved in making the requests but described them as democracies allied to the United States"
- why not identify them?
Because the requests likely contain legal cladding to forbid disclosing the request, as is the case in Australia. A lot of people would be vindicated if it turned out one of the “democracies” making these requests was Australia.
Australia was my first guess when I read that sentence. But I expect it's not the only one.
We already know, it's the Five Eyes
Most likely group, since they info share and this is the standard end-around on laws prohibiting "domestic" surveillance; government has some other country run the surveillance on their nationals.
Anglosphere.
I know Pinephone isn't ready for daily use from all the threads here, but I just ordered one to get some stick time with it. Getting real tired of having to fight my phone to keep my data mine.
I just want the equivalent of debian, but on mobile. I understand I'll have to give up a bunch of apps, but honestly I think it's worth it. As soon as it's possible I'd like off this ride.
I'm sure you did your research. I'm writing for other readers who are interested.
There are a few alternatives, more can be found but this is a selection of the most prominent offerings.
/e/OS: https://e.foundation/e-os/
GrapheneOS: https://grapheneos.org/
LineageOS: https://lineageos.org/
CalyxOS: https://calyxos.org/
PostmarketOS (based on Alpine Linux rather than Android, and what's used in Pinephones): https://postmarketos.org/ (for some reason the site is currently down)
Some of these are not like others: https://eylenburg.github.io/android_comparison.htm
Does Waydroid work well on mobile Linux GUIs like Phosh and Plasma Mobile? If it does it could be real handy to sandbox some Android apps you need for work or whatever while still using a proper Linux base
Generally, it depends on the app. Mostly works fine for me. More info: https://source.puri.sm/Librem5/community-wiki/-/wikis/Softwa...
Alternatively, consider Librem 5, which is more stable, since its software is developed by a dedicated team.
I thought about Librem 5 but the price is too high for me to casually buy. I'd def like to try it out though, so maybe I'll splurge.
Librem needs to do something PR-wise to fix the reputation they developed regarding massive product/delivery delays.
They exist in the frustrating spot of “I want to like them, but I can’t trust the purchase based off of everyone I know who tried getting burned, so now I’ll just look at a Pinephone because it’s easier”.
One question I have as someone who tries to maintain (some) data sovereignty: is there any way as an end-user to circumvent/mitigate this kind of surveillance — aside from abandoning iOS and Android completely?
Google-free Android will allow you (force you) to use alternative push servers. That could be your own server (using something like Unified Push) or querying your apps' servers directly. This comes at the cost of battery life, sometimes significantly so, but it does decentralise the notification system.
Of course, your data will still be in the hands of app vendors unless you choose your apps wisely.
You should also block analytics on the network level (using firewall apps or alternative means) because these days developers like to send analytics events for every button pressed, all associated with your phone's unique identifier. If the government can use push notifications for tracking, imagine the tracking they can do through Firebase Analytics or one of its many data hoarding alternatives.
Parent is asking about government surveillance.
You're suggesting a deviation from the norm (99.99% of users) by installing a custom operating system (which they will now also be on the hook to secure and update regularly) by developers with nothing to lose.
This will greatly increase scrutiny on you, or colloquially speaking definitely put you on a watch list, the opposite of what is allegedly desired. Rather, accept the plain fact electronic communications are subject to government surveillance and adjust your threat model accordingly. Don't try to fight the bear with a flyswatter.
Read at least the summary of James Scott's Seeing Like a State (https://en.wikipedia.org/wiki/Seeing_Like_a_State) and let the concept of legibility percolate for a bit.
Governments view legibility of their constituencies as a feature, not a bug. They want to be able to query the population like a database in order to manage it better. This is exactly like a product manager at a tech company who wants to know whether a certain feature is being used, and asks for more instrumentation in the next release of the product if needed. Over time the product (the population) becomes better and better instrumented.
Of course, the other side of the coin of better legibility is worse privacy. Their feature is your bug.
Are there ways to circumvent or mitigate what's happening? For you, personally, sure. You can turn on all the buried options, add VPNs, proxies, additional profiles/accounts, etc. And for a while it will work.
But you're defeating legibility by doing that, so you're fighting against a very strong opposing force. Over time, the bugs that reduce legibility coverage will be fixed. The options will go away, VPNs will be banned or at least instrumented well enough to nullify their utility, COPPA and porn age-verification laws will extend to make multiple or anonymous identities impractical, and so on. And the few of us who do manage to go online fully anonymously might as well be wearing a "CRIMINAL" hat, because the public will have been trained that only bad actors want privacy, but not to worry if they themselves have nothing to hide.
You can see this already happening with financial transactions. Try to conduct a significant low-legibility transaction (in other words, buy something big with cash). Your bank will ask why you want to withdraw $20,000. Cops might seize the cash, legally and without probable cause, while you're driving to the seller. And when the seller deposits the cash, the bank might file a SAR. This is all working as designed. You're being punished for adding friction to legibility.
Even on HN, where you think people would be ahead of the curve, the PR campaign against financial privacy and censorship resistance is winning. Mention The Digital Currency That Shall Not Be Named, and suddenly the Four Horsemen of the Infocalypse are in control. Why HNers are pro-VPN but anti-Bitcoin, when both stand for privacy and censorship resistance at the price of reduced legibility, is beyond me.
The battle to fight is not just protecting your own privacy. It's protecting your right to protect your privacy without being ipso facto declared a criminal for doing so. Turn on all the options, hold Bitcoin, use VPNs, pay with cash, delete cookies, etc. But above all, be an ordinary, conscientious, law-abiding citizen. Render unto Caesar what is Caesar's. Be average. Be unremarkable. Privacy should be the default. Not unsavory, not for those with something to hide. Just the default.
Oh boy. I was shaking my head in agreement while reading your comment, until that part:
> Why HNers are pro-VPN but anti-Bitcoin, when both stand for privacy and censorship resistance at the price of reduced legibility, is beyond me.
neither vpn nor btc are "for privacy and censorship resistance". Maybe in some dystopian neoliberal every-man-is-an-island way. I think you were thinking about "overlay networks (tor et al) and communal economies" maybe? Those would fit with the rest of the claims.
On iOS, all notifications must go via the centralized APNS, but on non-Google Android (e.g. Graphene) it is possible to run the device with the Google FCM stuff blocked off. Some apps will break, but stuff that runs in the background for polling or does non-Google notifications will continue to work.
The Reuters article says that the government is getting this data from Apple and Google, which means it doesn't matter if your phone displays or even receives the notifications, no?
> aside from abandoning iOS and Android completely?
These platforms are so opaque and completely controlled by US corporations (so we know they are beholden to NSLs etc). If you care about your data and privacy, the best suggestion is to avoid phone platforms completely for anything important.
Disable notifications on all applications you do not want to be tracked via metadata.
Absolutely and confidently incorrect. Local notification settings have no bearing on this metadata, which is generated, collected and stored with your consent by using Apple/Google app stores.
It's a huge problem for both privacy and the open source ecosystem that Apple and Google mandate use of their own notification system for apps to be included in their stores.
UnifiedPush[0] seems like a great project in this area, and I wish it was implemented in more apps.
[0] https://unifiedpush.org/
I use Telegram FOSS. They refuse to use firebase for notifications, so I forever have a message in my drawer that leads to this link:
https://github.com/Telegram-FOSS-Team/Telegram-FOSS/blob/mas...
I doubt it solves much but I like to think of it as a little poke in the eye.
There were huge downsides for battery life before, and privacy is somewhat orthogonal since you’d be at risk from more companies and they’d all be subject to the same legal demands, so I think the answer has to be regulatory. In the EU, that seems possible but I’m not sure the U.S. government is currently functional enough to do anything about this.
Allowing third-party notification systems (such as UnifiedPush) would have practically no negative effect on battery life
Not to mention that people might prefer to use some more battery in exchange for more privacy
And now we understand why they do that.
It is driven entirely by battery life. Android used to allow 3rd party apps to receive push notifications, and it caused battery life to be terrible compared to Apple. Forcing a single path was done for that reason.
Btw, here's the telegram team complaining about the change: https://github.com/Telegram-FOSS-Team/Telegram-FOSS/blob/mas...
Facebook abused this a bunch. https://www.theguardian.com/technology/2016/feb/01/uninstall...
I suspect it wasn't initially designed to help enable government surveillance, but that data must have a significant dollar value to those companies.
Pardon my ignorance, but would blocking all push notifications stop this specific act of surveillance? I usually don't need any notifications' content on the screen apart from "you have a new message on <app>, go check it". Or is that what's being discussed here?
The article says that Google and Apple know about the push notifications being shown on the phone and governments can make these companies turn over customer data.
I'm not sure if it only covers (for example) the unified notification service on Android or whether Apple and Google know of notifications that don't make use of that API. It's not clear from the article.
I don't know about Apple but on Android it's almost a capital sin to strive to use other services, and they work a lot worse than GCM (because of all the artificial limitations that Google imposed over the years).
It does seem to be notifications on the phone, but (a) that's incredibly surprising and disturbing and (b) it's really unclear why or how that would work when a phone is disconnected from the network. In any event, Google inserting themselves into notifications would be tantamount to reading all my email, texts and everything else, so ... why wouldn't this be restricted to opt-in? Many questions.
A push notification is generally what creates the "you have a new message on <app>" red bubble.
Why didn't Apple pull the plug on these services as soon as the government started spying with them? Why didn't they rearchitect them to use E2E encryption? Do they actually have principles about privacy or is it just a thing they want us to believe?
Apple uses “privacy” as a marketing term. They market themselves as protecting your “privacy” from advertisers unlike Google.
Apple openly complies with all data requests from government agencies and law enforcement. It is not a hard process for law enforcement to get someone’s iCloud data with a warrant.
https://www.apple.com/privacy/government-information-request...
A paranoid part of me has wondered if some of the text/phone spam we all receive is actually used to stimulate cellphones for tracking purposes.
If you have deeper access to the OS, then fingerprint unlock or FaceID also seem important for positive identification prior to, for example, a Predator strike.
"We Kill People Based on Metadata"
- Michael Hayden
I don't think so. I'm German and receive the spam, even though I can be tracked using SMS messages that aren't shown on the display at all.
https://en.wikipedia.org/wiki/SMS#Silent_SMS
Plus, you can always ask the carriers to which tower(s) a phone is connected and simply triangulate from there, without sending any (user) data to the phone.
It's important to know that the entire worldwide mobile phone network needs to have a reasonable estimation of the location of each device in order to work.
"Phone call for XYZ", "SMS for XYZ", "Establish TCP connection to XYZ". Every single device that hears this has to decode the message to the point that it can say "Nope, this isn't for me. Ignore". You've got billions of devices online at once, doing things that require messages to be sent to them. The network has to find a way to broadcast these messages to the tiniest geographic area that it possibly can, or else the whole thing breaks down. So yes, there are plenty of completely normal, standard ways that the network can make your phone say "I'm over here" without anything showing up on your screen.
(I worked at Motorola in infrastructure tech for many years)
It's fascinating that about half these comments appear to be from younger people unfamiliar with "USA PATRIOT" Act gag orders, FISA, Five Eyes, Least Untruthful Response and related controversies that were big in the news 10-20 years ago.
Amusingly and sadly, the law was called PATRIOT as a normal "give a bad law a Good name", but over time "patriot" has become synonym for "traitor" in common use.
There’s probably some you’ve missed but yeah, I like the “they can’t do this because of * “ comments.
Reminds me of the Eufy issue where they said everything was encrypted except for push notification images.
Hard to pick the most appropriate Orwellian quote. "All tyrannies rule through fraud and force, but once the fraud is exposed they must rely exclusively on force." ~ George Orwell
Why would it be unusual for a generation that’s been under surveillance since they were in the incubator to not hold quaint and obsolete views of privacy?
If we held a poll, what percentage of privacy-loving HN parents don’t have tracking on their kids phone? 5%? 10%?
Unifiedpush to save the day! And an XMPP server with Conversations can be the basis for it: https://unifiedpush.org/users/distributors/conversations/
You do _not_ need push notifications in the first place. Most definitely not for messaging programs anyway. The "saves battery" arguments are always very fluffy and devices/clients who don't do push notifications (or at least don't force you to) sometimes even have better battery life than devices/clients which do.
Stop promoting and trusting Conversations. It is bad software which never did OTR verification properly before yanking it unexpectedly and without explanation. To my knowledge it has never been independently audited, let alone taken seriously enough by any infosec professionals to warrant such study.
AIUI deanonymization happens due to pseudonymity. There are 3 pseudonyms: chat id, push id, phone number. Since all three are constant and linked, they can deanonymize the user. You need some sort of anonymous or confidential protocol to work around it.
Now we know why Apple and Google are a duopoly….
You get the illusion of choice but you get the same government spying on you in either case.
It is ultimately ignorant to think one is not spied upon in daily comings and goings, when the entire human economy is based on data and the study of it (especially at scale), whether by government, private enterprise or sole evil individual.
With Apple/Google you get the comfortable padded jail cell with 24/7 guards to protect - and monitor you; the digital equivalent of having a police officer live with you. You can't go outside of the walled garden and you're told this is for good reason.
Without them, you're totally on your own; you better be prepared and know how to defend yourself. No one will care about your security and privacy. But don't for a second think you're not still under the all-seeing eye of panopticon surveillance, and possibly additional scrutiny therein.
Another case of https://en.m.wikipedia.org/wiki/Third-party_doctrine in motion
Are the contents of push notifications not encrypted? Or are we talking about payloads rather than transport?
They mention metadata in the article. Imagine sending a message to a Signal account at time X, then asking Apple a list of all users that received a Signal notification at that specific time.
This ^ approach and modified forms of it can be used to track lots of things, and have been for decades by some government agencies. You can use a method like this even if people are using encryption and a lot of anonymous tunnels. You simply shape the traffic and watch where the shape of that traffic stops. Can track people realtime across almost any link, including things like Tor, etc.
Unless I’m mistaken - and I might be or it may have changed - Signal notifications on iOS just tell the app “hey, something happened, call the service and check for updates”.
I.e, the push notification itself contains little to nothing in terms of data/metadata.
You can also of course decrypt a notification by shipping an extension to do so, and maybe Signal does - it’s been awhile since I poked around it. I’d just be surprised if the Signal team didn’t analyze the issue to death and find the gaps.
That doesn't make sense. I would expect Signal notifications to happen completely out-of-band with "normal" push notifications (e.g. NYT news alert). Otherwise that completely defeats the purpose of the service. Basically you're saying Apple/Google are MITM'ing Signal.
Others have mentioned the timing attacks but also payloads are not encrypted unless the app developers remember to build that. This linked essay discusses both threats:
https://blog.davidlibeau.fr/push-notifications-are-a-privacy...
Thank you I was wondering about that. A couple of days ago I heard somebody mention that push notifications go through the backend and that it was a huge privacy issue, and I just couldn't believe that messaging apps that are "encrypted" would go through all that work just to then send the unencrypted message to Google's servers
I'm surprised hyper-private services like Signal haven't foreseen this as a potential vector and given you options to eg. exclude different details from push notifications (or warned you to disable them altogether if you're worried about it)
Fortunately, they did foresee this! The push notification only contains enough information to tell the phone that it should fetch the actual notification content from Signal's servers.
Here's a Signal dev talking about it on the Signal-Android GitHub: https://github.com/signalapp/Signal-Android/issues/12961#iss...
And similarly for Signal-iOS: https://github.com/signalapp/Signal-iOS/issues/962#issuecomm...
My Signal notifications on iOS just say 'Message received!', not sure what else is in the payload but nothing else is displayed... It seems unfathomable that they would push any unencrypted message content or information relating to who is messaging you through notifications that travel over third party servers, so I very much doubt there's much of interest in the payload...
Unless my memory is seriously off, Signal push notifications just tell your device to call and fetch. It’s not like they’re unaware and just sending you stuff in plain text.
Can you elaborate on this? I'm still not sure if Signal notifications are any less vulnerable than others.
This is yet another example of: If the data can be collected it will be used by governments
You can slow this down by making data explicitly built to be impossible to read in transit (eg e2e) and then deleting or never saving it, but the fact that data flows through multiple stops means each transition is an opportunity for third party observation
This is deterministic and is built into the structure of data production, transport and consumption. This is part of the infrastructure and cannot be extricated.
E2E does not solve the problem outlined here: surveillance of metadata at a global panopticon scale.
See [1] for an overview of "state of the art" metadata-protecting communications protocols. There has been much research into this problem over decades and the effectiveness of such protocols very much depends on real world use cases and practicalities. For example, protocols may require 100 seconds to send a message to ensure adequate mixing, and then may be limited to always-transmitting-24/7 endpoints consuming much power, and then also requiring participants in the network to trust each other not to mount a denial of service attack.
[1] SoK: Metadata-Protecting Communication Systems, Sajin Sasy and Ian Goldberg, Cryptology ePrint Archive, Paper 2023/313, https://eprint.iacr.org/2023/313.pdf
Do push notifications still get sent and just ignored if they are disabled on the device?
This depends on how the app implements notifications, and which mechanism is used to disable them. I know FCM/Android, not APNS/iOS, so here's a breakdown:
1. The app registers a push token with their backend. This can happen without granting notification permissions, and without notifying the user. So the backend is free to start sending push messages immediately after registration, which is typically done on the first app launch.
2. The controls available in Android's per-app notification settings have nothing to do with push messaging. These allow the user to limit or change how the app displays notifications, regardless of the reason the app is displaying them. Some apps have additional options to disable push messages, but that preference must be communicated to the app's backend to prevent the backend from sending pushes in the first place. Some apps may consider Android's notification settings to determine this preference, but it's extra work to do so.
The concepts of "push messaging" and "notifications" are often used interchangeably, but at least on Android these are separate systems that are tied together with client code. The push messages may also contain notification data, and the official FCM client will display these automatically, so this confusion is understandable.
I’m no expert but in my experience developing mobile applications & push notifications, I’ve only registered a device for notifications (and subsequently sent notifications) if the user opted in. Based on my own experience, I would say if you didn’t enable notifications for a particular service or app, they don’t get sent.
The app developer will still send them to Apple / Google though so the data will still be available to snoop on.
It'd be cool if Signal and other privacy-focused apps added an option to delay push notifications. That would obfuscate the connection between two accounts.
Its a band-aid, but its something.
once upon a time, I had an app that limited network connection for the whole phone to 30 minute refreshes. It was a pretty cool trick.
Just an evil life pro-tip... if you're doing criminal things, leave your phone at home. Or better yet, grab a "buddy's" phone.
You'll never be a criminal with that level of opsec.
You have to randomly leave your phone at home for criminal and non-criminal things. That way, there's a plausible alibi that your phone was at home or on you at the time of the crime.
Here is a better pro-tip- don't do criminal things.
"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." -- Cardinal Richelieu [1]
[1] https://history.stackexchange.com/questions/23785/what-did-r...
I bet you've committed at least a ticketable offense in the past 48 hours, unless you are a true hermit.
Our laws were not designed for a society with perfect surveillance.
where's the fun in that??? Live a little, be a little bit evil. Like 5% evil
leave your phone at your buddy's house
It's time for a privacy bill of rights. You have to attach inalienable rights to people and then enforce them at the civil rights level.
These things are troubling now. In the post AGI world these are much more difficult problems because the data becomes training for purposes far beyond anything that could be foreseen in the data collection questions.
With respect to the US, I would be more worried about Apple and Google spying on users through push notifications. Americans have legal protections against government spying but they have basically zero protections against spying by so-called "tech" companies. Neither Apple nor Google can demand information about citizens from the government, but the government can demand this from Apple or Google, which they do, successfully, with increasing frequency. People share details of their lives with Apple and Google they would probably never share with the government but the government has little trouble getting it from these so-called "tech" companies, without any notice to the user, so sharing these details with Apple and Google is arguably even worse. The ability for people to fight against this sharing of information is nonexistent; it's up to the companies to resist. Given the number of users whose data they hold, that simply is not feasible. These companies do not care about peoples' privacy. They seek to profit from learning every detail of peoples' lives. Commercial surveillance.
When the government asks citizens for information it's usually for a specific purpose and can only be used for that purpose. When so-called "tech" companies collect information, it is for any purpose. They might assure users that "the information is only used to improve the software or service". What limits does this create, if any? How do we verify that the company is not using our information in ways that compromise our interests if we are not allowed to learn how the company is using the information? Imagine if the government assured people that the information it collects "will only be used to improve the government".
Not every computer is a national security threat or even a common criminal, i.e., a person that the government has some need to spy on. That's not who I am referring to in this comment. These so-called "tech" companies spy on everyone. And they don't just want to know about one thing, for one purpose, they want to know everything for any purpose.
Are the legal protections against government spying actually worth anything though?
Eg. Parallel construction, FISA, etc etc.
But also, you're whispering right in that if Google and Apple are able to do this, then is that "laundered" spying, in that various law enforcement and government agencies can buy this information?
FYI what you're describing is https://en.wikipedia.org/wiki/Third-party_doctrine
UnifiedPush[0] seems like a great alternative to notifications passing through Apple/Google's hands, and I wish it was implemented in more apps.
[0] https://unifiedpush.org/
I must be fundamentally missing something here. I thought all this data scooping was to find the bad guys. Are the bad guys really so stupid as to use Apple or Android (or any closed system) to communicate? Cryptonomicon was written 25 years ago.
> In a statement, Apple said that Wyden's letter gave them the opening they needed to share more details with the public about how governments monitored push notifications.
> "In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests."
If Apple knew about this why wouldn't they limit their exposure to this user data?
My startup (LaunchKey, now part of TransUnion) encrypted the data in our push authentication requests as late as a decade ago. This was painful until they expanded the size of the message allowing for more encrypted data. It is possible to do so (I would use pub/priv ec keys now) but remember you are limited in the amount of data you can include so you might need a “pull” to deliver all of the content necessary.
Apps like https://www.joustip.com/ offer e2e encrypted push notifications.
how do they guarantee that everything is protected and they don’t share data with someone?
How would you want that qualified exactly?
That's why we at Tuta do not send any information with the push on Apple and have built our own push notification for Android (we'd never use Google Push): https://tuta.com/blog/posts/open-source-email-fdroid
Completely unrelated, but sort of related. With all this surveillance and spying going on, what's a normal citizen to do?
For example; Cloud storage? Streaming music? Online note-taking?
Should the more technically-inclined, but average, person start looking at taking more and more of these things off-line given the state of mass surveillance going on and the crazy push towards all things AI?
Is this a timing side channel attack, where say I am a member of a Signal group, or have a Proton email client or Matrix/Element or something, are they sending patterns of beacon messages that may look normal, and then watching the traffic across mobile networks (or directly on platforms) that matches, and then narrowing endpoints that show it?
I guess you have to assume that any message in transit over a public network is public. Of course, you can use something like PGP to encrypt messages before sending them, provided that the recipient has your key. I know of a few people who do that.
Outside of that kind of thing, we're probably yelling everything out loud to anyone who wants to listen.
What sort of metadata or information can be gathered from a push notification from an app like iMessage? I know a timestamp is there and most likely the sender's phone number.
But is there some sort of sensitive info that these governments are trying to glean? Or is it more so they can build info maps and communication maps on targets?
Compromise a single phone in a target group, send a message to an anonymous chat, and you now know every other member of the group.
Apple needs to know your Apple ID to send you an APNS payload. Now your anonymous chat profile is tied to your real Apple ID. Busted.
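An added illustration of the metadata-only attack described in the Signal timing comment further up and in the "send to the group, see who gets a push" comment just above. This is constructed example code, not anything from Apple, Google, Signal or the article: the delivery log, app ids and push tokens are made up, and the fields are the minimum a push relay would have to log to deliver anything at all. Nothing in it reads payload content, which is the point.

```javascript
// Constructed delivery log of the kind a push relay (APNs/FCM) necessarily has:
// t = delivery time (epoch ms), app = bundle/package id, device = opaque push token.
// No payload content is recorded or needed.
const DELIVERY_LOG = [
  { t: 1_700_000_000_000, app: "org.example.chat", device: "tok-A" },
  { t: 1_700_000_000_800, app: "org.example.chat", device: "tok-B" },
  { t: 1_700_000_000_900, app: "com.example.news", device: "tok-C" },
  { t: 1_700_000_001_200, app: "org.example.chat", device: "tok-C" },
  { t: 1_700_000_060_300, app: "org.example.chat", device: "tok-B" },
  { t: 1_700_000_060_500, app: "org.example.chat", device: "tok-D" },
  { t: 1_700_000_120_100, app: "org.example.chat", device: "tok-B" },
  { t: 1_700_000_120_400, app: "org.example.chat", device: "tok-E" },
];

// Times at which the attacker knows a message went to the target (e.g. they sent
// it themselves from a compromised group member, or saw the sender's uplink).
const SEND_TIMES = [1_700_000_000_000, 1_700_000_060_000, 1_700_000_120_000];

// Candidate recipients of one message: every device that received a push for
// this app within `windowMs` after the known send time.
function candidatesFor(log, app, sentAt, windowMs) {
  const out = new Set();
  for (const e of log) {
    if (e.app === app && e.t >= sentAt && e.t - sentAt <= windowMs) out.add(e.device);
  }
  return out;
}

// Each additional observation is intersected with the survivors. A user who is
// the only device present in every window is identified, and their push token
// is something the relay can map to an Apple/Google account.
function deanonymize(log, app, sendTimes, windowMs) {
  let survivors = null;
  for (const sentAt of sendTimes) {
    const c = candidatesFor(log, app, sentAt, windowMs);
    survivors = survivors === null ? c : new Set([...survivors].filter((d) => c.has(d)));
  }
  return [...survivors].sort();
}

// Runs the attack against the constructed log with a 2 s delivery window.
function sampleRun() {
  return deanonymize(DELIVERY_LOG, "org.example.chat", SEND_TIMES, 2000);
}
```

Note that the window has to be at least as wide as the worst-case delivery delay; a client-side random delay of the kind suggested elsewhere in this thread forces the window wider and so puts more unrelated devices into each candidate set, which is exactly the trade-off behind that suggestion.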
This is not necessarily true. You’re assuming that all the info is in push notifications themselves.
E.g: if I get a push notification that is simply “you have a new event, poll the server”, and then I poll the server for (encrypted) batch updates, where exactly do you see the leak that ties an anonymous profile to an Apple ID? Given a large enough service, that same generic batch update endpoint would be getting hammered and I have to think it would effectively be camouflaged to a degree.
Granted, not every app is going to use this design - but if or when done properly I don’t see that much of an issue here.
(I am open to being wrong, mind you)
If you were able to do this, and you also had control of the person's ISP/cell network (not unusual for the threat model here), then one thing you could do is interfere with their communications, "shadowbanning" them from their friends/contacts. Say you used a particular app, like LINE, to speak to one particular friend who your "benefactors" didn't want you speaking with, they could drop connections between your device and that app's servers whenever they intercept a push notification from Google or Apple targeted to that app on your device. Effectively preventing the two parties ever communicating.
Depending on specifics, it seems it would be possible to do this cleverly, so the app still thinks it's connected, but just never receives these messages.
I'm not an expert on this, it just seems a plausible possibility. Best effort response to your question! :)
This would only work if the protocol doesn’t have the concept of retries, which it does. They’d have to block all communications which would be highly noticeable - especially since you’d get a flurry of messages any time you opened the app or migrated onto a Wi-Fi network.
Chat message content?
I know iMessage is E2E encrypted, and I wonder if that extends to the content shown within a push notification. Maybe the push notification servers receive the content encrypted, pushes it to the device, and then decrypted on-device?
> "The source declined to identify the foreign governments involved in making the requests but described them as democracies allied to the United States"
Oh look! The US end-running constitutional protections again via 5+Eye proxy governments. Who could ever have guessed.
> …a source familiar with the matter confirmed that both foreign and U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.
In the past, Google, Apple, Amazon, Facebook, and a slew of other companies would have been broken up using anti-trust laws. These aren't just monopolies at this point, they are clusters of monopolies. This is leading us down a dark path.
It should only[0] be meta data, though. The push notification should signal the app that there is data to fetch, then the app goes and fetches it. The push notification itself should carry none of the data.
[0] still bad though and they should stop.
I so hate when people put words "only" and "metadata" in the same sentence...
It's important but what do we do about it?
You're using the internet after all, which isn't your network, it's someone else's! When you send a packet there is a header w/ information required for routing. Some call this the "outside of the envelope" if using the mail analogy. We can pass the buck by using a VPN but this also adds a VPN org that we need to trust. On the other hand, it's not your network! Why do you think you have a right to absolute secrecy and anonymity on someone else's network?
Push notifications don't signal an active line of communication like that though nor do they connect who's talking, only the means. In all your examples the equivalent would be "They know someone called you."
"They know you got a push from McDonalds at 11am"
"They know you got a Slack message at 2pm"
All metadata is not created equal.
Dude, did you read my point? I said it was still bad.
If you wish privacy then just get a linux phone. May not have the coolest features but if you need more than a classic phone, linux phones will do fine. Less apps means fewer distractions - a win win situation.
Related: https://news.ycombinator.com/item?id=38543587
Apple Confirms Governments Using Push Notifications to Surveil Users (macrumors.com)
Must be interesting to work on the teams responsible for compliance at Apple/Google. Would talking to someone about these kinds of orders qualify as treason under US law?
Great news considering we're now getting an extreme-right fascist government in Holland. Why not give them all our data on a platter, they can be trusted.
How does this apply to whatsapp's e2ee promise? Do they use this system? Do google and apple have plain text messages that were supposedly private?
Does this mean governments can intercept and possibly interact with the “This was me” 2FA notifications that a few apps are using now?
Dupe https://news.ycombinator.com/item?id=38543587
Push notifications allow more people to spy on you.
At the core most technologies have been deeply rooted by intelligence agencies.
I'm probably naive, but what insights could a government glean from Push Notifications?
And why aren't push notifications E2EE?
> I'm probably naive, but what insights could a government glean from Push Notifications?
Looking at my own phone right now, it just got a push notification that my wife has arrived at home. That could be useful if you wanted to track my wife.
> And why aren't push notifications E2EE?
That's a great question. And I hope the answer is "we're on it, they will be E2EE in the next release."
If the notifications were to be truly E2EE, it would have to work something like this:
1. Generate a local key pair per app (never uploaded to Apple).
2. Each app can request their public key from iOS (or be provided with it via (void)application:(UIApplication *)application didRegisterForRemoteNotificationsWithDeviceToken:(NSData *)deviceToken andPublicKey:(NSData *)publicKey;).
3. App uploads token + public key to their own server.
4. Server encrypts notification payload with the public key before sending to APNS.
5. Apple forwards encrypted payload to device.
6. Device uses the bundle name to look up the local private key and uses it to decrypt the payload.
Does the push notification indicate where (location) home is?
https://news.ycombinator.com/item?id=38544063
Is anyone surprised? Why would there be pen registers, and tap and trace for phone calls and email, but not for other traffic? The ability of governments to do secret surveillance of such metadata is well established in law and jurisprudence, variously in various countries.
It is a Weird Nerd Thing to believe that old laws can't apply to new computer thing.
I disabled notifications on my phone long ago. I wonder if they still occur.
How does signal address this? I always wondered
>> Reuters' source would not identify which governments were making the data requests but described them as "democracies allied to the United States."
It feels so liberating to be spied upon by "democracies allied to the United States." vs. others.
LOL.
Now you know how the rest of us [abroad in the world] feel regarding the US.
Wyden voted for the Patriot Act. If he is concerned why hasn't he introduced legislation to repeal it? This government is out of control.
I feel extremely uncomfortable using any of my devices.
Only now?
Closed source proprietary for-profit platforms previously implicated in global surveillance scandals continue spying on users. News at 11.
If you think world governments can’t back door into any aspect of your life, you’ve been deluding yourself.
It's crazy to me that so much effort is being expended pretending that companies and the government are doing anything in the name of privacy, when we have all the proof by Assange and Snowden that they're doing realtime surveillance of ALL communications, 24x7 -- no matter what any laws say -- and we don't even talk about it any more. What's the point of any of this? All we can do is assume that our every position, purchase, and electronic communication is being tracked and saved, and act accordingly. The Constitution no longer matters, and there's no one coming to save us.
I think where we go wrong is to allow the conversation to revolve around what evil corporations are doing with our information, rather than what the evil government is doing with it. I believe the risk to our freedom is much greater from the latter. Of course governments can extract the information from corporations that have it, but let's keep the spotlight on the government itself, and use THAT as a reason to give corps less information about us.
Corporations showing me better-targeted ads is the least of my troubles.
> Of course governments can extract the information from corporations that have it, but let's keep the spotlight on the government itself, and use THAT as a reason to give corps less information about us.
Yep. Treating the two as distinct makes no sense. Corporate dragnet surveillance collecting forever-datasets isn't meaningfully different from the government doing the same thing, directly. People who fear government power ought to support outlawing corporate collection of the same types of things they don't want government collecting.
Granted that's relying on the government to prevent corporations from doing things in order to limit... the government (and, incidentally and IMO beneficially, also the corporations themselves). However, that's the only effective mechanism we've got—and the basis of all the other mechanisms we have available, ultimately, short of violence and strikes and such—and I think it's implausible that, even assuming a great deal of bad-faith behavior, such a move wouldn't significantly curb this activity.
> I believe the risk to our freedom is much greater from the latter.
I’ll take power being consolidated in a democratically elected government over a privately controlled corporation any day of the week.
Let’s put the spotlight on the stuff that isn’t democratically controlled, and subject to much more limited oversight.
> I think where we go wrong is to allow the conversation to revolve around what evil corporations are doing with our information, rather than what the evil government is doing with it.
I think it would be wrong to ignore either. Especially since most of the data the government gets is from corporations.
> Corporations showing me better-targeted ads is the least of my troubles.
You're right about that. That data sure isn't only used for ads. Companies use it to decide what services you're allowed to get and under what terms. The policies a company tells you they have are different from the polices they tell others they have. Companies use it to set prices so that what you pay can be different from what your neighbor does for the same goods/services. Companies even use that data to determine how long to keep you on hold when you call them.
Employers use it to make hiring decisions. Landlords use it to decide who to rent to. It's sold to universities who use it to decide which students to accept or reject. It's sold to scammers who use it to select their victims. Extremists use it to target and harass their enemies. Lawyers use it in courtrooms as evidence in criminal cases and custody battles. Insurance companies use it to raise rates and deny claims.
The data companies are collecting about you will cost you again and again in more and more aspects of your life. Ads are absolutely the least of your troubles.
“Better-targeted advertisements” is not the most nefarious way this information is used. That’s just one of the selling points to entice advertisers. It’s also been used extensively to determine content that you will find the most engaging, regardless of whether it’s to your benefit or not, so that ad-driven marketplaces may harvest and sell your attention.
If you have any contemporary examples of the way the government has used the same information, in a way that’s been more widely destructive, I would be curious to know more.
Wouldn't the exact opposite focus have a better effect? Going after the "evil corporations" would mean nobody was collecting the data in the first place, which would also take away the "evil government" as they have nobody to buy that data from.
Right now they just write fat checks to Google, Apple, Amazon and the telcos and badda bing, badda boom it's done.
Corporations use the government to get around regulation. Government uses corporations to get around the constitution. It takes two to tango.
Now do,
"declining to hire, insure, or loan to you" and "declining to admit your kids into school|sports program|internship"
This is such a strange position for me.
Do we not agree that corporate America and other special interest groups essentially control Washington via lobbying and corruption?
Do we not agree that a US citizen has (nominally) more leverage over their government than over an unaccountable private collective?
I mean, we are half a century deep into this Reaganite "your government is your enemy" experiment.
Assembly 2023 had a fantastic presentation[1] from @BackTheBunny (from X) about precisely this. When the US really wants to do something, the constitution is a parchment guarantee and the media runs cover for them. Many US gov agencies are basically supranational and extrajudicial.
I don't agree with everything he said but the information was well presented and enjoyable.
[1] - https://www.youtube.com/watch?v=rUTcIXuw2f0
What do Crypto and DeFi have to do with State Surveillance? Or anything about the comment above? I don't understand.
I don't think many people actually care much about privacy. There are a few, and they're loud. But look at what matters in politics -- both major political tribes in the US are only interested in privacy and protection from the government as it relates to their own interest, but they are perfectly happy to use that power against their perceived opponents.
Thirty years ago, one perceived element of moral superiority in the West was revelations of the extensive internal surveillance in places like East Germany and own-spying. There used to be news items and documentaries mocking this behavior and intimating how backward and uncouth those governments were to stoop to furiously wiretapping irrelevant private conversations.
So, whether the world has changed enough to justify it, people still do care and when adequately informed about some magistrate furiously eavesdropping on private matters, people universally recognize this is antisocial bizarre conduct.
> I don't think many people actually care much about privacy.
People absolutely care about their privacy. If you don't believe me try going outside and following someone in public with a video camera. They'll scream at you about how horrible and illegal what you're doing is. They'll probably call the police on you. Upset as they are, they ignore the fact that they've been being filmed from the moment they stepped outside and have in fact been being extensively tracked and recorded even while they were still inside their homes.
People don't understand the extent that their privacy is being violated. It's mostly out of sight/out of mind. They also don't understand the impact the data they give up has on their daily lives. They aren't allowed to know when or how much that data costs them. The moment they are confronted with the reality of the situation, they suddenly care very much about their privacy. Mostly they feel powerless against the invasion of their privacy.
While I believe that you can't solve (at least permanently) political problems with technology, and we need political action, you can prevent a good bit of surveillance with technology if you invest in setting it up.
E2EE for chats (Matrix, Signal, or XMPP) is pretty solid I think. More shaky, Tor/reputable VPNs or some combo for browsing. FOSS ROMs for phones (Graphene), or Librem/PinePhone if you can deal with not always having a working phone.
It's not a great situation, but it's not hopeless!
Unfortunately, the constitution isn't very clear on privacy. It should be. There should be a new amendment which makes it crystal clear that the Patriot Act, for example, is completely unconstitutional.
But what the 14th amendment says is that people and their property are protected against searches by the government wherever there is a "reasonable expectation of privacy." That and some combination of other details imply a right to privacy, but it's not very explicit and clearly limited. In light of this, the Supreme Court has actually ruled pretty favorably towards a right to privacy, considering what's actually in the constitution.
> IX. The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.
> X. The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.
Operating a surveillance apparatus isn't an enumerated power of the federal government. The courts screwed up by reading its enumerated powers so unreasonably broadly that this even came up.
The only real way to fix this in the US is via election reform.
The GOP is trying to create an apartheid state where minority rural areas dictate the laws for the majorities that live in urban areas while they extract resources from those areas.
They know this is incredibly unpopular, so they don't even pretend they're trying to get the majority of the vote in most places. Instead, they've been trying to set vote thresholds to > 60% for ballot measures and stripping authority from all elected offices that aren't subject to gerrymandering.
It's also crazy to me that people are frequently arguing over what is the best security app to use for communication, arguing over privacy maximalist viewpoints, but not considering the old and forgotten major flaw we learned about from PGP: "can't decrypt, please resend unencrypted." It doesn't matter how good your encryption is if no one will use it. Pareto is a bitch. (This is a crack at the Signal vs Threema or whatever app is hot this month and we discuss next month. But when usernames?)
Water is wet.
Yet another reason to be a happy GAPPSless LineageOS user
What's GAPless? I've been thinking about trying out LineageOS on a refurbished phone, so I'd love to know what I can do to make it even better.
I think it means without "Google Apps" installed (gmail, play, maps, etc, etc).
You're kidding yourself if you think three letter agencies don't have LOS users on a list and have capabilities to spy on them on demand with tailored access.
Maybe, but for sure avoiding stock Android and Google apps increases privacy a lot.
Hey other states, can you elect a few more Ron Wydens? He's been doing a ton of the heavy lifting lately. Every time we hear about the intelligence community egregiously violating civil liberties, it's always Wyden.
I'm an Oregonian and my biggest complaint about Ron Wyden is that he's usually ahead of me on technical issues. There are worse problems to have...
I believe he sits on intelligence committees and has a security clearance so he gets briefed on all kinds of outrageous things he can’t publicly talk about. But he does his best with what he can.
Probably thanks to https://en.wikipedia.org/wiki/Christopher_Soghoian.
Yeah he's awesome. /s
In May 2017, Wyden co-sponsored the Israel Anti-Boycott Act, Senate Bill 720, which made it a federal crime, punishable by a maximum sentence of 20 years imprisonment,[88] for Americans to encourage or participate in boycotts against Israel and Israeli settlements in the occupied Palestinian territories if protesting actions by the Israeli government. The bill would make it legal for U.S. states to refuse to do business with contractors that engage in boycotts against Israel.[89] https://en.wikipedia.org/wiki/Ron_Wyden#Israel
That sounds like an attempt to ban political expression that is certainly protected by the First Amendment.
Well, it's pretty unlikely such a law would stand up in any court, even small claims court.
Pobody's Nerfect
I can’t tell if you’re being sarcastic. How is that acceptable and democratic?
If you require all your allies to be perfect people...
... you won't be left with many allies.
[dead]
Given a lot of journalists and activists use encrypted communications to be able to do their job without being unduly or unjustly persecuted (yes, the bad guys use them too!), and 12 US State Attorney Generals just signed a letter and delivered it to the major news agencies (NYT, CNN, Reuters, AP, etc.) that warns of any "support to terrorist organizations" and specifically points out Hamas, but is not very clear on what "support" or "business relationship" means (sending a camera to do a report where the press is not allowed due to Israel's complete control of the media - echoes of US journalist access during the Iraq War), and puts them on notice. Nothing is safe from Big Brother, anywhere, any country.
To add a bit more context here, the "12 US State Attorney Generals" here are 14 Republican US State Attorneys general.
their letter: https://content.govdelivery.com/attachments/IACIO/2023/12/04...
[flagged]
At this point any “both sides are the same” argument should be seen as either incredibly misguided or intentionally malicious.
Look for representatives who represent more or at least some of our actual interests.
An ideologically united group which has been working to actively disrupt the election process and turn women into breeding property, combined with unlimited surveillance? Might not be the “same”.
I noted that Apple says the governments in question are allies of the United States. I wonder if this is a case of American intelligence outsourcing the surveillance of American citizens to foreign intelligence. If that is indeed the case, I’d expect a quid pro quo.
> I wonder if this is a case of American intelligence outsourcing the surveillance of American citizens to foreign intelligence. If that is indeed the case, I’d expect a quid pro quo.
Yet it is the US government who revealed it: "In a letter to the Department of Justice, Senator Ron Wyden said foreign officials were demanding the data from Alphabet's (GOOGL.O) Google and Apple (AAPL.O). Although details were sparse, the letter lays out yet another path by which governments can track smartphones." - https://www.reuters.com/technology/cybersecurity/governments...
> Yet it is the US government who revealed it
Less "the government" and more "a member of government", the same member who has revealed and demanded accountability when discovering domestic government overreach.
We should choose our congress critters carefully.
Wyden is far removed from the part of the government which engages in surveillance. He's the same person who was questioning James Clapper in Congress about mass surveillance before the Snowden leaks [1].
[1] https://youtube.com/watch?v=QwiUVUJmGjs
That's how they circumvent the ban on domestic spying. The US spies on Australians* and the Australians spy on US citizens, then they exchange the data. Easy.
*And/or other Five Eyes members.
Five Eyes.
https://en.wikipedia.org/wiki/Five_Eyes
"democracies allied to the United States." - includes India too.
Maybe so, but it seems clear that the surveillance goes both ways: https://www.usnews.com/news/world/articles/2023-09-23/us-dip...
Yep sounds like five eyes.
Why do they need to confirm an already known fact: FAANG platforms are built to spy on users? We've known about this fact for at least a decade since the Snowden revelations.
Nothing has materially changed since then, technically, politically, legally, or even culturally. Yet people still believe for-profit corporations have their best interests in mind, thanks to clever marketing and groupthink, clutching to "encrypted apps" and empty "we value your privacy" double-speak: neither will defend you.
There is no privacy on proprietary closed source platforms - it is simply infeasible; it is trying to squeeze blood from a stone. I know this truth will likely trigger and upset people with their $1,000+ iPhones, MacBooks and other iToys, and this sunk cost fallacy is really pathetic to witness in grown adults.
Both Apple and Google have root access on the devices. They do not necessarily need to do this.
From the companies not needing this, it does not follow that various governments don't need this.
My first thought is that this is looking like an especially fun (for the rest of us) popcorn session where someone in one government is shocked to discover that other governments pull the same stunts that they think should be reserved for "our people"… but then I looked up Senator Ron Wyden's Wikipedia page and he seems to be genuinely opposed to such shenanigans from everyone including the US.
So, good for him.
[flagged]
[flagged]
In what way would ignoring a viable SIGINT source be incompetent?
Just thinking about only my push notifications yesterday and they revealed that I am clearly a developer or technologist (push notifications from Git/AWS/etc), who got a haircut (time and location were revealed in the message, but I'm sure government-level agencies could have tracked which SportClips location the appointment belonged to), that I am interested in generative AI, and working out.
Another day might have yielded far more interesting facts, but those bits added to a record of my interests and habits can become quite powerful over time.
> Just thinking about only my push notifications yesterday
See, the gist in the letter is this sentence:
"As with all of the other information these companies store for or about their users, because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information."
Do you really think that a foreign government is interested in push notifications when issuing a demand to disclose data from a phone?
I see that there is a lot of signal coming over my push notifications ... how would using this signal make spies incompetent?
> I see that there is a lot of signal
What signals are you talking about? Someone tends to respond to Tinder's notifications at 6 PM on weekends, and such useless data?