U.S. Sen. Ron Wyden (D-OR)Kevin Dietsch/Getty ImagesWashingtonCNN —
Foreign governments have reportedly attempted to spy on iPhone and Android users through the mobile app notifications they receive on their smartphones — and the US government has forced Apple and Google to keep quiet about it, according to a top US senator.
Through legal demands sent to the tech giants, governments have allegedly tried to force Apple and Google to turn over sensitive information that could include the contents of a notification — such as previews of a text message displayed on a lock screen, or an update about app activity, Oregon Democratic Sen. Ron Wyden said in a new report.
Wyden’s report reflects the latest example of long-running tensions between tech companies and governments over law enforcement demands, which have stretched on for more than a decade. Governments around the world have particularly battled with tech companies over encryption, which provides critical protections to users and businesses while in some cases preventing law enforcement from pursuing investigations into messages sent over the internet.
But mobile notifications, which sometimes display messages on lock screens even when the communications themselves may be encrypted, can present a workaround by giving governments access to more information about a device and its user’s activities.
The demands for mobile notification data, if fulfilled, could potentially jeopardize the safety of political dissidents, human rights workers, journalists and minorities worldwide, in the same way that legal demands for other types of mobile device information can. It is unclear how many times Apple and Google may have complied with these requests, when they first began receiving them, or from whom.
The revelation follows a year-long investigation by Wyden’s office and highlights the creative and expansive tactics governments use to monitor their people; the power of large tech platforms and the range of useful information they hold on their users; and the US government’s own role in limiting transparency surrounding the practice.
The inquiry showed that governments have access to a wide range of revealing insights through mobile notifications, which are also known as “push” notifications.
“Apple and Google are in a unique position to facilitate government surveillance of how users are using particular apps,” Wyden wrote in a letter Wednesday to the Justice Department outlining his findings. “The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered.”
Wyden added that in some circumstances, the companies “might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification.”
During the investigation, Wyden’s team learned from Apple and Google that the US government had prohibited the companies from disclosing information about government attempts to collect mobile notification data. Wyden’s investigation began after his office received a tip about the practice last spring, he wrote.
“Apple and Google should be permitted to be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users about other types of government demands for data,” Wyden wrote. “I would ask that the DOJ repeal or modify any policies that impede this transparency.”
The Justice Department declined to comment on Wyden’s letter and did not respond to questions about whether the US government has ever filed its own legal demands to the tech giants for mobile notification data.
After Wyden’s findings became public on Wednesday, Apple said it was now free to say more about the practice.
“Apple is committed to transparency, and we have long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users,” the company said in a statement. “In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”
Apple’s publicly posted law enforcement guidelines covering the United States now includes language addressing the company’s Push Notification Service, the in-house system that delivers mobile notifications to Apple devices. According to the guidelines, Apple will supply agencies with a user’s Apple ID that’s tied to notifications if it receives at least a subpoena.
Google said in a statement that it was the first company “to publish a public transparency report sharing the number and types of government requests for user data we receive, including the requests referred to by Senator Wyden. We share the Senator’s commitment to keeping users informed about these requests.”
Google said its transparency reports have historically included requests for mobile notification records as part of aggregate figures it displays. It added that in the United States, the company requires a court order to comply with demands for mobile notification records and that a subpoena is insufficient.
The tech industry has increasingly pushed back on the US government’s use of gag orders to prevent the disclosure of law enforcement data requests.
In 2021, https://sisipkan.com/ Microsoft sharply criticized what it described as the overuse and abuse of nondisclosure orders that prevent tech companies from notifying users when the US government comes knocking for their account information. During a congressional hearing that year, Microsoft said it receives as many as 10 secrecy orders per day and 3,500 per year, a figure that accounts for up to a third of all law enforcement requests the company receives, according to an internal review stretching back to 2016.
That hearing had come in response to separate revelations that a Trump-era Justice Department subpoena had targeted congressional staffers.
CNN’s Sean Lyngaas contributed to this report.