The technique, which takes advantage of the common alerts many people receive when friends contact them via email or text, was used to gather information about U.S. Capitol rioters on Jan. 6, 2021, and other criminal suspects, a Washington Post review of court records shows.
Apps use push notifications to buzz users’ phones or tablets with updates on new messages or alerts. When a user enables push notifications, Apple and Google create a small bit of data, known as a token, that links their device to the account information they’ve given the companies, such as name and email address.
In his letter, Wyden said the federal government had started demanding records on those tokens from Apple and Google because those companies operate as a “digital post office” for relaying the notifications.
The tokens could reveal details about who a person is communicating with over a messaging or gaming app, what times they talk and, in some cases, the text of any message displayed in the notification.
Depending on how users have set up their push notifications, the token data could also potentially expose limited information about anyone who had exchanged emails, texts or social media messages with someone that federal investigators have pursued.
Apple said in a statement that “the federal government had prohibited us from sharing any information” about the requests and now that the method had become public, it was updating its upcoming transparency reports to “detail these kinds of requests.”
Apple’s Law Enforcement Guidelines, the company’s rules for how police and government investigators should seek user information, now note that a person’s Apple ID, associated with a push-notification token, can be “obtained with a subpoena or greater legal process.”
Neither Wyden nor Apple detailed how many notifications had been reviewed, who had been targeted, what crimes were being investigated or which governments had made the requests.
Google said in a statement that it publishes transparency reports sharing the number and types of government requests for user data it receives and that it shares Wyden’s “commitment to keeping users informed about these requests.”
The Justice Department declined to comment. The letter was first reported by Reuters.
The Post found more than two dozen search warrant applications and other documents in court records related to federal requests for push notification data. Though many were redacted, nine of the documents pertained to the federal hunt for Jan. 6 rioters. Two documents sought data on suspects accused of money laundering and distributing child sexual abuse material.
The warrants sought push-notification data pertaining to apps from a number of companies, including Amazon, Apple, Google and Microsoft.
In one search warrant application seeking data related to a Facebook account used by Josiah Colt, an Idaho man who breached the Senate floor, an FBI special agent said the push notification tokens could lead to “useful information” that could help identify a user’s account.
Colt was sentenced to 15 months in prison earlier this year. Colt posted a video that day announcing that he’d entered the Capitol, and it’s unclear what role, if any, the push notification data request played in his case.
In his letter, Wyden said his office had received a tip last year that government investigators in foreign countries had begun demanding the data from the companies. A Wyden spokesman declined to specify which governments.
The companies, Wyden wrote, told members of his staff that any “information about this practice” was “restricted from public release by the government.” Wyden pushed the Justice Department to repeal any policies forbidding the companies from discussing the “surveillance practice.”
“Apple and Google should be permitted to be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users about other types of government demands for data,” he wrote.
Government investigators routinely press the tech companies for information on their users by filing subpoenas, search warrants or other court orders, compelling them to provide the information.
Some of the warrants are served with gag orders prohibiting the companies from telling the users their data was handed over.
Google said in its most recent transparency report that it received 192,000 requests for data related to more than 400,000 accounts around the world in the second half of last year, including roughly 70,000 requests in the United States.
That data did not break out push metadata requests. But it did note that the United States cited the Foreign Intelligence Surveillance Act in seeking up to 500 requests of “non-content information,” a category that includes push notification data, covering up to 36,000 accounts in the six months that ended in June 2022.
Aaron Schaffer contributed to this report.
