Comment by xyst

2 years ago

Would be great to see an example of notification metadata that can supposedly link it to real users.

Seems like this is what is being implied:

Given:

- users with notifications enabled

- have X app installed

- targeted user(s) reside in USA

- targeted user(s) following “foo” on X app

When:

- issue FISA warrant for all smartphone users that received notifications in regards to “foo” user

Then:

- able to pull all Apple/Google accounts that match this criteria

- able to get real addresses and names

- can crosscheck names with other details to narrow down suspect

Or maybe it’s something even worse where notifications somehow leak location data

Build parallel networks for sections of society to operate and associate outside of what govt has their hands in, or with technological guarantees of privacy and safety. I understand this is a tricky constraint to scale, but it’s not impossible, current iterative solutions are at hand, and people have coordinated before around successfully building alternative societies in terms of communications, mutual aid, and safety provided to the public regardless of family; these are a threat to gov and business, though, as they minimize people’s reliance on those institutions, which is a kind of power money alone can have less control over (so they lean on violence historically, e.g. the Battle of Blair Mountain). I believe technology uniquely makes it possible to scale potential solutions because of how much it’s cheapened unit cost and labor cost through automation and commodity and open source.

Apple's own developer documentation outlines how notifications can trigger when crossing a physical boundary.

App notifications can trigger if you enter a "protest zone", for example; then gov will know everyone who was there.

  • California with the support of Gavin Newsom is building "no go" zones for wildfire response. Sounds OK except - a video recording of a local Mayor at a wildfire update press conference, asking with deference, when the main highway to his town will re-open, and the response from a tense and aggressive CHP leader was "maybe that road will be closed for six months, maybe next year" with no respect... instantly snapped at a Mayor, on camera. How are these zones decided upon? "immediate area" is not what was being done in that event.

  • Need a set of preparation rules for attending protests these days.

    No mobile, no identification, obscure any way to uniquely be identified.

If they use IP to deliver notifications, then the gov can demand they hand over the IP address a notification was delivered to. From there, location isn’t hard.

  • IP geolocation isn’t exactly the most precise though. 600M+ IPs have a default location to some farm in Kansas [1]

    [1] https://www.washingtonpost.com/news/morning-mix/wp/2016/08/1...

    • I should have been more specific. Although they could use IP geolocation, they can also get data from the cell carrier that delivered the notification to that IP address.

      So a gov finds that IP address 7.8.9.0 received one of these notifications at 12:34. They then see that 7.8.9.0 is one of ATT’s addresses. They go to ATT and learn that address was used by their customer onionisafruit at 12:34 and the device was 5ms away from tower A.


So, don’t have Twitter account and/or app installed and you should be good?

  • Protip: the harder a company pushes you to download their app, the more they have to gain from it. 99.999% of the time it's because they want access to as much of your data as they can sneak out of your device, usually for selling it.

    One notable corollary is, the shittier the mobile browser webapp implementation is, the more they want to push people onto their app. See: Facebook, Twitter, Reddit, etc.

    • Exactly this. Never install a company's app unless you absolutely need to. Use websites instead whenever possible. If you do need to install an app, uninstall it as soon as possible even if you know you'll need it again at some point.

    • > the shittier the mobile browser webapp implementation is, the more they want to push people onto their app. See: Facebook, Twitter, Reddit

      Yelp is the gold standard in this regard, blithely pretending that they can't show you any photos (or is it more than a few photos? I avoid yelp on mobile so much I can't recall). It's probably the right move for them, because the photos are 99% of the reason I ever want to use Yelp. Reviews can be outright lies or simply written by people ~~with no taste~~ whose tastes are not simpatico with mine, but photos don't lie*.

      * well, nowadays I guess they can

  • I think your comment comes after reading this line:

    > - targeted user(s) following “foo” on X app

    It seems "X app" means just any placeholder app (not the new Twitter rebrand), although I might be wrong.

    • Correct. That’s why I will continue calling it Twitter, to avoid confusions like this.

  • no it's more like: don’t have a smartphone and you are good (perhaps).

    • No, having a dumb phone is not enough. A malicious actor can pretend they need to deliver an SMS to you, which may result in a network disclosing your location (anywhere in the world). Mobile networks probably don't honour aggressive probing for just about any peer but it's not like nobody can do this at scale. None of this is new.


  • Also, no Signal.

    • This isn't necessarily true. When you install the Signal app on an Android phone that doesn't have Google Play Services installed, it receives push notifications using its own notification daemon instead of using Google's. This, of course, has significant battery life costs.
