Letter From Sen. Wyden To The DOJ Says Governments Are Gathering Push Notification Data From Google, Apple

by Tim Cushing, from Techdirt

If nothing else, Senator Ron Wyden is keeping us on top of the surveillance curve. The privacy-focused senator has asked more uncomfortable questions of more federal agencies than anyone since the Church Committee.

Sometimes it's new stuff. Sometimes it's stuff that's been around for years, but no one bothered to question it until Wyden. Sometimes it's stuff like this - stuff that seems more like opportunism than a smart new form of intelligence gathering.

If you want data, you go to where the data is. National security agencies collect and store plenty of data, but other governments aren't allowed to just go rooting through other governments' virtual file cabinets.

No, the biggest collectors of data are tech companies. Anything that can be collected almost always is collected. Google stands astride multiple data streams, including (apparently) information generated by push notifications sent to Android phones. The same thing can be said about Apple, even though it has taken a few more proactive steps to limit data-gathering and doesn't have anywhere near the (data) market share Google has, what with its massive suite of ubiquitous services, all capable of gathering vast amounts of info.

So, what's the (latest) problem? Well, it looks like foreign governments have figured out Google and Apple have another trove of data they can tap, as Raphael Satter reports for Reuters:

Unidentified governments are surveilling smartphone users via their apps' push notifications, a U.S. senator warned on Wednesday.

In a letter to the Department of Justice, Senator Ron Wyden said foreign officials were demanding the data from Alphabet's (GOOGL.O) Google and Apple (AAPL.O). Although details were sparse, the letter lays out yet another path by which governments can track smartphones.

Add that to the list that includes metadata from nearly every internet-based communication, location data gathered by Google/Apple directly or by third-party apps, keywords used by search engine users, etc. Now, there's this: governments gathering push notification data from Apple and Google just because they can.

Wyden's letter [PDF] suggests it's only foreign governments doing this, at least for the moment. (Or at least as far as he knows...)

In the spring of 2022, my office received a tip that government agencies in foreign countries were demanding smartphone "push" notification records from Google and Apple. My staff have been investigating this tip for the past year, which included contacting Apple and Google. In response to that query, the companies told my staff that information about this practice is restricted from public release by the government.

Check out that last sentence. Which government could forbid US companies from releasing information about these data requests? That's the key sentence. That's why Wyden is asking the DOJ one question, while informing the public there's a more direct question he could be asking instead.

This is made even more explicit in the next paragraph of Wyden's letter:

Apple and Google should be permitted to be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users about other types of government demands for data. These companies should be permitted to generally reveal whether they have been compelled to facilitate this surveillance practice, to publish aggregate statistics about the number of demands they receive, and unless temporarily gagged by a court, to notify specific customers about demands for their data. I would ask that the DOJ repeal or modify any policies that impede this transparency.

This strongly suggests it's domestic demands for push notification data that have kept this under wraps. Wyden's request that the DOJ repeal or modify any policies demanding blanket secrecy makes it clear he knows more than he's willing to state in a public letter to the DOJ.

There is absolutely no doubt in my mind DOJ components are demanding this data and demanding these companies not talk about it. There's simply no way only foreign governments have access to this data. And they certainly don't have the legal reach to demand eternal silence. But the DOJ does. And if DOJ components are doing it, there's a good chance other federal agencies are doing the same thing.

Wyden's letter has provoked at least one useful response, as Satter reports for Reuters:

In a statement, Apple said that Wyden's letter gave them the opening they needed to share more details with the public about how governments monitored push notifications.

"In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests."

Google said that it shared Wyden's "commitment to keeping users informed about these requests."

If it's now public knowledge (thanks to this letter), these companies can now start telling the public about these data demands. And that may have been the point of Wyden's letter: freeing up Google and Apple to detail requests for push notification data without having to raise a ton of legal challenges before some court finally decides they actually have standing to challenge these requests.

And if that was Wyden's intent, it was handled beautifully. It starts with the misdirection of expressing concern about snooping by foreign governments before twisting it the other way to suggest (without ever directly saying so) that the DOJ is doing the same thing and swearing Apple and Google to silence. But now that it's out, these companies are no longer required to pretend it isn't happening.
