"Because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information"
What I don't understand is this: If the government wants to search your house, they show up at the door and show you a warrant. You can inspect the warrant - it's not secret. Granted, they're going to search your house anyway, but at least you know about it.
Except in truly extraordinary circumstances, you should be informed if your government has requested access to any of your private information.
This apparently goes even farther: not only have companies not been allowed to inform their customers, they haven't even been allowed to generally say that such information has ever been requested about anyone. That is seriously into dystopian territory.
The interesting thing is, the gov't cannot open your letters if it's first class mail, and may only open your letters under some well defined circumstances (https://www.rstreet.org/commentary/yes-the-government-can-op...) - it's all related to the letter being foreign, and i don't see any clause for domestic mail between US citizens being searchable warrantlessly.
SO why should electronic mail not have the same rules applied?
I believe that the government can look at the outside of the envelope or the contents of a postcard without a warrant. This was extended for phone surveillance to the phone numbers of incoming and outgoing calls, and presumably they have argued that the contents of push notifications are in this category.
>the gov't cannot open your letters if it's first class mail
Even if the government has a warrant? The article you linked to seems to say the government can do it with a warrant:
>By law, first-class mail is sealed against inspection, meaning that government officials may not open it without first getting a warrant from a judge.
Because it is more convenient for paw enforcement and the pro-surveillance forces that came into power all over the world since the war on terror and the Patriot Act?
This data is not legally yours, since its not on equipment you own or rent.
If the same exact service was on property you owned or rented, they would need a warrant.
Speculating here, but if you paid for a service, and the terms of service were such that you had rental rights to the equipment and ownership of the data, then the US govt would need a warrant. But then the company would not be able to sell the data since it would actually be yours.
The idea that people seem to struggle with is that this is not a new development - it has always been the case. It puts people through its education, teaches that bad is good, that the state is the best we've got, etc, and kind hearted people believe it! It's not a case of voting a better psychopathic ruler in, to help turn the ship around. It has only ever been/can only ever be a mafia extortion racket.
While the problem is not understood, there is no chance of finding a proper solution.
As Nietzsche said:
A state, is called the coldest of all cold monsters. Coldly lieth it also; and this lie creepeth from its mouth: "I, the state, am the people."
It is a lie! Creators were they who created peoples, and hung a faith and a love over them: thus they served life.
Destroyers, are they who lay snares for many, and call it the state: they hang a sword and a hundred cravings over them.
Where there is still a people, there the state is not understood, but hated as the evil eye, and as sin against laws and customs.
Amen. That kind of secret data collection should be reserved for profiteering capitalist oligarchs. Government is bad because it's government, but if you can generate personal wealth by exploiting others it's admirable.
Push notifications are such a great way to spy on people, because so many apps send highly private information as push notification. Even if you install them on-premise, because the only well-supported battery-friendly way to send notifications is through Google's and Apple's servers.
The most serious of secure messengers moved to push notifications that just cause the app to wake up and fetch the real message from the server to show as notification, but there are still plenty of apps that just send the full message as push notification.
As far as I know, WhatsApp on iOS uses a special entitlement (com.apple.developer.usernotifications.filtering) for securely handling notifications.
They receive silent push notifications, which wake up the app (a reason for the entitlement being restricted). Once awake, the app takes over, managing the notification itself.
This approach circumvents sending notification content in cleartext through Apple's servers, thereby preserving their end-to-end encryption.
You mean on-premises? If so, please show me where I can download and run my own APNS servers on my own hardware, because such a thing does not exist. You can run your own workers, which send through APNS/apple's servers, but there is no such way you can own the entire chain to get a push from your backends to a apple device, not if you're using native push notifications.
AFAIK, google isn't any better, with GCM, and even firebase use that from what I know.
I personally like the approach Threema has. They provide their own push serice called Threema Push[1] which is opt-in for google play store version. The push notifications for Threema do not contain any sensitve information either way.[2] They also have a libre version on F-Droid.
Of course they do, if there's a way to get data without it being obviously illegal, it probably going to get collected. And I wouldn't be surprised if plenty of constructions like it either have a gag order or national security letter.
On the other hand, there is no universal one size fits all rule that makes society better. Especially because there are plenty of very different people, both good and bad, and no rule, however well-intentioned will work out great overall. Let's hope someone at some point does come up with a better solution.
In observation on why push messages: the same reason any other real-time communication is interesting, like calls, SMS, MMS, because that's enough bits being transceived, or enough of a cell location to find out where a device is, while not being long enough that you get some 'on the move' smear.
One way to handle this is to send a notification with data that is meaningless, like a notification id or something, to trigger the app, which then (thanks to background app refresh, etc), pings your backend server with the id and retrieves the actual notification details. The only way to be 100% sure things are not being snooped while passing through push servers (or any third party you put your trust into), is to make the data they handle meaningless without also having access to your systems after they handle your push. Government can spy on your notification UUIDS that you send all day long, it won't do them much good though.
These concerns are not unique to government. Don't trust any third party with your data. Security 101
What are the reasons that makes this possible? The articles I have seen are not explaining what makes this different? What needs to be invented to get end to end security for push? I might be missing the obvious, apologies upfront.
Not least for the sake of power management, the central push provider needs to authenticate (and e.g. rate limit) notifications to a particular device. The identities of apps communicating with a particular device therefore seem to need to be known
This still seems like something that could be fixed with smarter design without losing functionality.. e.g. decoupling device registrations from push channels, and treating the push channel ID a particular device is using as toxic for sharing and intermingling as other kinds of personal identifiers like phone numbers, including with the OS provider itself, or creating a unique push channel ID for every app registration, etc.
P2P mobile applications cannot wake themselves up to sync with peers (short of relying on exploits).
The same is true of browser service workers.
The architectures I’ve explored for mobile and web based P2P apps, they’ve all needed a central trusted push notification server fallback to wake up the process so it can check for messages.
Even then the APIs will fight you.
Unless the fallback server syncs for you, it can only wake you up on an interval. It can’t know if there is a notification worthy event for you to sync.
If you wake up the process and there are no messages from its peers that generate a notification, you “consume” some of your background notification budget.
Consume too much and the system stops waking your app on push events, so you stop syncing in the background.
There are apps, like WhatsApp on iOS, that receive silent notifications and are started upon receiving them, allowing them to process these notifications locally (as explained in my other comment in this thread).
This method enables them to bypass the need for sending clear text content through Apple's servers, upholding their end-to-end encryption.
However, this practice can slightly impact battery consumption, which is probably why this specific entitlement is not freely available to all apps. It's a balance between enhanced security and a marginal increase in battery usage.
I see power management mentioned often, but I'm not convinced. How does centralizing the push service reduce power? Why can't a developer just implement the service in the same way? (if Apple/Google let them)
I self-host Gotify, which just uses a websocket for the push part, and battery consumption is only 2%/day even with the app white listed from "optimization"
A lot of discussion yesterday:
https://news.ycombinator.com/item?id=38543155
"Because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information"
What I don't understand is this: If the government wants to search your house, they show up at the door and show you a warrant. You can inspect the warrant - it's not secret. Granted, they're going to search your house anyway, but at least you know about it.
Except in truly extraordinary circumstances, you should be informed if your government has requested access to any of your private information.
This apparently goes even farther: not only have companies not been allowed to inform their customers, they haven't even been allowed to generally say that such information has ever been requested about anyone. That is seriously into dystopian territory.
The interesting thing is, the gov't cannot open your letters if it's first class mail, and may only open your letters under some well defined circumstances (https://www.rstreet.org/commentary/yes-the-government-can-op...) - it's all related to the letter being foreign, and I don't see any clause for domestic mail between US citizens being searchable warrantlessly.
So why should electronic mail not have the same rules applied?
I believe that the government can look at the outside of the envelope or the contents of a postcard without a warrant. This was extended for phone surveillance to the phone numbers of incoming and outgoing calls, and presumably they have argued that the contents of push notifications are in this category.
>the gov't cannot open your letters if it's first class mail
Even if the government has a warrant? The article you linked to seems to say the government can do it with a warrant:
>By law, first-class mail is sealed against inspection, meaning that government officials may not open it without first getting a warrant from a judge.
Because it is more convenient for law enforcement and the pro-surveillance forces that came into power all over the world since the war on terror and the Patriot Act?
You can thank the "patriot" act for that one. Bush Jr's lasting legacy.
Agree, but this is not new.
This data is not legally yours, since it's not on equipment you own or rent.
If the same exact service was on property you owned or rented, they would need a warrant.
Speculating here, but if you paid for a service, and the terms of service were such that you had rental rights to the equipment and ownership of the data, then the US govt would need a warrant. But then the company would not be able to sell the data since it would actually be yours.
I'd pay for a service that was like that.
> I'd pay for a service that was like that.
Email was like that, until Gmail ruined it and you can no longer run your own mail server without being blacklisted everywhere.
The Fediverse is kind of like this, except it's not really designed for private data; its primary use-case is publishing.
The idea that people seem to struggle with is that this is not a new development - it has always been the case. It puts people through its education, teaches that bad is good, that the state is the best we've got, etc, and kind hearted people believe it! It's not a case of voting a better psychopathic ruler in, to help turn the ship around. It has only ever been/can only ever be a mafia extortion racket.
While the problem is not understood, there is no chance of finding a proper solution.
As Nietzsche said:
A state, is called the coldest of all cold monsters. Coldly lieth it also; and this lie creepeth from its mouth: "I, the state, am the people."
It is a lie! Creators were they who created peoples, and hung a faith and a love over them: thus they served life.
Destroyers, are they who lay snares for many, and call it the state: they hang a sword and a hundred cravings over them.
Where there is still a people, there the state is not understood, but hated as the evil eye, and as sin against laws and customs.
Amen. That kind of secret data collection should be reserved for profiteering capitalist oligarchs. Government is bad because it's government, but if you can generate personal wealth by exploiting others it's admirable.
I’m not entirely sure what you’re alluding to - but yes, neither should corporations be allowed unrestricted access to your personal data.
Push notifications are such a great way to spy on people, because so many apps send highly private information as push notification. Even if you install them on-premise, because the only well-supported battery-friendly way to send notifications is through Google's and Apple's servers.
The most serious of secure messengers moved to push notifications that just cause the app to wake up and fetch the real message from the server to show as notification, but there are still plenty of apps that just send the full message as push notification.
As far as I know, WhatsApp on iOS uses a special entitlement (com.apple.developer.usernotifications.filtering) for securely handling notifications.
They receive silent push notifications, which wake up the app (a reason for the entitlement being restricted). Once awake, the app takes over, managing the notification itself.
This approach circumvents sending notification content in cleartext through Apple's servers, thereby preserving their end-to-end encryption.
> Even if you install them on-premise,
You mean on-premises? If so, please show me where I can download and run my own APNS servers on my own hardware, because such a thing does not exist. You can run your own workers, which send through APNS/Apple's servers, but there is no way you can own the entire chain to get a push from your backends to an Apple device, not if you're using native push notifications.
AFAIK, Google isn't any better, with GCM, and even Firebase uses that from what I know.
What are the most serious secure messengers?
I personally like the approach Threema has. They provide their own push service called Threema Push[1] which is opt-in for the Google Play Store version. The push notifications for Threema do not contain any sensitive information either way.[2] They also have a libre version on F-Droid.
[1] https://threema.ch/en/faq/threema_push
[2] https://threema.ch/en/faq/privacy_push
Signal
Of course they do; if there's a way to get data without it being obviously illegal, it's probably going to get collected. And I wouldn't be surprised if plenty of constructions like it either have a gag order or a national security letter.
On the other hand, there is no universal one size fits all rule that makes society better. Especially because there are plenty of very different people, both good and bad, and no rule, however well-intentioned will work out great overall. Let's hope someone at some point does come up with a better solution.
An observation on why push messages: the same reason any other real-time communication is interesting, like calls, SMS, MMS, because that's enough bits being transceived, or enough of a cell location to find out where a device is, while not being long enough that you get some 'on the move' smear.
One way to handle this is to send a notification with data that is meaningless, like a notification id or something, to trigger the app, which then (thanks to background app refresh, etc.) pings your backend server with the id and retrieves the actual notification details. The only way to be 100% sure things are not being snooped while passing through push servers (or any third party you put your trust into) is to make the data they handle meaningless without also having access to your systems after they handle your push. The government can spy on your notification UUIDs that you send all day long; it won't do them much good, though.
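The wake-and-fetch design described in this comment (and in the WhatsApp silent-push comment above), written out as an added example; this is not code from any commenter, nor from WhatsApp, Threema, Apple or Google. The push provider relays only a random notification id, and the device then pulls the body from the app backend with a one-shot request bound to that id and to the device. `AppBackend`, `PushProvider`, `Device`, `fetch_mac`, `DEVICE_SECRET` and the device token are constructed stand-ins for the three parties.

```python
"""Content-free push: the provider relays only an opaque id, the device fetches
the real message from the app backend. Added example (not any commenter's code);
AppBackend, PushProvider and Device are constructed stand-ins for illustration.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed credential: in a real deployment this would be a per-device
# secret issued at registration, never sent through the push provider.
DEVICE_SECRET = secrets.token_bytes(32)


def fetch_mac(nid: str, device_token: str) -> str:
    """HMAC binding one fetch request to one notification id and one device."""
    msg = f"{nid}:{device_token}".encode()
    return hmac.new(DEVICE_SECRET, msg, hashlib.sha256).hexdigest()


class AppBackend:
    """Keeps message bodies at home; hands the push provider only an opaque id."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str]] = {}  # nid -> (device_token, body)

    def enqueue(self, device_token: str, body: str) -> dict:
        nid = secrets.token_urlsafe(16)  # random, so the id itself says nothing
        self._pending[nid] = (device_token, body)
        # This dict is the entire payload that transits the third-party push service.
        return {"to": device_token, "data": {"nid": nid}}

    def fetch(self, nid: str, device_token: str, mac: str) -> Optional[str]:
        """Release the body once, only to the addressed device, only if the MAC checks."""
        if not hmac.compare_digest(fetch_mac(nid, device_token), mac):
            return None
        entry = self._pending.get(nid)
        if entry is None or entry[0] != device_token:
            return None
        del self._pending[nid]  # one-shot: a replayed fetch gets nothing
        return entry[1]


class PushProvider:
    """Stand-in for APNs/FCM: it can read (and log) every payload it relays."""

    def __init__(self) -> None:
        self.relayed: List[str] = []

    def send(self, payload: dict, device: "Device") -> None:
        self.relayed.append(json.dumps(payload))
        device.on_push(payload)


class Device:
    """App on the phone: woken by the push, then pulls content over its own channel."""

    def __init__(self, token: str, backend: AppBackend) -> None:
        self.token = token
        self.backend = backend
        self.shown: List[str] = []

    def on_push(self, payload: dict) -> None:
        nid = payload.get("data", {}).get("nid")
        if nid is None:  # naive style: the content arrived inside the push itself
            self.shown.append(payload["notification"]["body"])
            return
        body = self.backend.fetch(nid, self.token, fetch_mac(nid, self.token))
        if body is not None:
            self.shown.append(body)


def naive_payload(device_token: str, body: str) -> dict:
    """The pattern the thread warns about: the full message inside the push payload."""
    return {"to": device_token, "notification": {"body": body}}


def provider_saw(provider: PushProvider, needle: str) -> bool:
    """True if the text appears anywhere in what the push provider relayed."""
    return any(needle in p for p in provider.relayed)


def run_demo(body: str = "Meet at 18:00, bring the contract") -> Tuple[bool, bool, List[str]]:
    """Returns (naive_leaks_body, content_free_leaks_body, messages_shown_on_device)."""
    backend = AppBackend()
    device = Device("device-token-constructed", backend)
    naive, safe = PushProvider(), PushProvider()
    naive.send(naive_payload(device.token, body), device)   # provider reads the body
    safe.send(backend.enqueue(device.token, body), device)  # provider sees only an id
    return provider_saw(naive, body), provider_saw(safe, body), list(device.shown)


if __name__ == "__main__":
    print(run_demo())
```

Two things the model makes visible that the comment leaves implicit: the fetch has to be authenticated and one-shot, otherwise anyone who observes the id can retrieve the body or replay the request; and the provider still learns the metadata (which app, which device, when), which is exactly the envelope/postcard point raised earlier in the thread, so this design protects content, not the fact that a message was sent.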
These concerns are not unique to government. Don't trust any third party with your data. Security 101
They confirm what everyone already knew; people were called "conspiracy theorists".
https://www.theguardian.com/world/2013/jun/06/us-tech-giants...
https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...
What are the reasons that makes this possible? The articles I have seen are not explaining what makes this different? What needs to be invented to get end to end security for push? I might be missing the obvious, apologies upfront.
Not least for the sake of power management, the central push provider needs to authenticate (and e.g. rate limit) notifications to a particular device. The identities of apps communicating with a particular device therefore seem to need to be known
This still seems like something that could be fixed with smarter design without losing functionality, e.g. decoupling device registrations from push channels, and treating the push channel ID a particular device is using as toxic for sharing and intermingling as other kinds of personal identifiers like phone numbers, including with the OS provider itself, or creating a unique push channel ID for every app registration, etc.
This is actually a bummer.
P2P mobile applications cannot wake themselves up to sync with peers (short of relying on exploits).
The same is true of browser service workers.
The architectures I’ve explored for mobile and web-based P2P apps have all needed a central trusted push notification server fallback to wake up the process so it can check for messages.
Even then the APIs will fight you.
Unless the fallback server syncs for you, it can only wake you up on an interval. It can’t know if there is a notification worthy event for you to sync.
If you wake up the process and there are no messages from its peers that generate a notification, you “consume” some of your background notification budget.
Consume too much and the system stops waking your app on push events, so you stop syncing in the background.
There are apps, like WhatsApp on iOS, that receive silent notifications and are started upon receiving them, allowing them to process these notifications locally (as explained in my other comment in this thread).
This method enables them to bypass the need for sending clear text content through Apple's servers, upholding their end-to-end encryption.
However, this practice can slightly impact battery consumption, which is probably why this specific entitlement is not freely available to all apps. It's a balance between enhanced security and a marginal increase in battery usage.
I see power management mentioned often, but I'm not convinced. How does centralizing the push service reduce power? Why can't a developer just implement the service in the same way? (if Apple/Google let them)
I self-host Gotify, which just uses a websocket for the push part, and battery consumption is only 2%/day even with the app whitelisted from "optimization".
It already exists for push, but most apps don't implement it and on Apple devices you need a special permission from Apple to be able to do it