
Apple Now Requires a Judge's Consent To Hand Over Push Notification Data (reuters.com) 19

Apple has said it now requires a judge's order to hand over information about its customers' push notifications to law enforcement, putting the iPhone maker's policy in line with rival Google and raising the hurdle officials must clear to get app data about users. From a report: The new policy was not formally announced but appeared sometime over the past few days on Apple's publicly available law enforcement guidelines. It follows the revelation from Oregon Senator Ron Wyden that officials were requesting such data from Apple as well as from Google, the unit of Alphabet that makes the operating system for Android phones.

Apps of all kinds rely on push notifications to alert smartphone users to incoming messages, breaking news, and other updates. These are the audible "dings" or visual indicators users get when they receive an email or their sports team wins a game. What users often do not realize is that almost all such notifications travel over Google and Apple's servers. In a letter first disclosed by Reuters last week, Wyden said the practice gave the two companies unique insight into traffic flowing from those apps to users, putting them "in a unique position to facilitate government surveillance of how users are using particular apps."

  • by brunes69 ( 86786 ) <slashdot@nOSpam.keirstead.org> on Wednesday December 13, 2023 @01:13PM (#64079419)

    Notifications get funneled through a variety of third-party SDKs when people build apps.

    The most popular method is using Firebase, which is owned and controlled by Google (ironically, even most iOS apps use Firebase).

    But Firebase is not the only vendor in this space. There is OneSignal, PushCrew, etc.

    What are these companies doing to comply with these kinds of orders?

    • What are these companies doing to comply with these kinds of orders?

      Likely nothing. The orders aren't for them. It so far only applies to requests from law enforcement to Apple.

      • What are these companies doing to comply with these kinds of orders?

        Likely nothing. The orders aren't for them. It so far only applies to requests from law enforcement to Apple.

        Sounds like Apple should form an alliance...

    • What do these companies do? Nothing. They pass the notification on to Apple or Google. As an app developer you either have your own server, your app sends things to you, and you pass them to Apple, or your app sends the notifications to some third party server which passes them on.
  • by grasshoppa ( 657393 ) on Wednesday December 13, 2023 @01:48PM (#64079517) Homepage

    This seems like a slam dunk for your customers; why didn't they have this policy before?

    • Re: (Score:2, Interesting)

      by dgatwood ( 11270 )

      This seems like a slam dunk for your customers; why didn't they have this policy before?

      My guess? Because they hadn't been caught yet. Which makes me wonder how many other privacy leaks they're guilty of.

    • by teg ( 97890 ) on Wednesday December 13, 2023 @02:36PM (#64079667)

      This seems like a slam dunk for your customers; why didn't they have this policy before?

      Because the government didn't allow them to tell that the method existed [techcrunch.com]. “In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

      • Geeze we need "reporting" on every possible kind of malfeasance.

        Then Apple can point to the correct ones and disclose.

      • This seems like a slam dunk for your customers; why didn't they have this policy before?

        Because the government didn't allow them to tell that the method existed [techcrunch.com].

        That's a non-answer. It might explain why Apple didn't publish the policy stating they required a judicial order, but it doesn't explain why they didn't have the policy, like Google did.

        But to me the really interesting part of this statement is that they claim they were prohibited. That raises a *lot* of questions. Assuming the statement is true, there aren't a lot of mechanisms for the government to tell a company that they're not allowed to disclose something like this. The only one I can think of, actu

  • I'm currently doing development on Android and iOS. On Android we use Firebase. On Apple we use APNS directly.

    As recommended by both Apple and Google our notification payloads are minimal: "You've got mail!". The app then phones home to retrieve its messages. I'm curious what you could learn from the notifications. We know the messages themselves are sensitive and take care to protect them. We know about CALEA [wikipedia.org] and related laws, but this is way above my paygrade.

    ...laura

    • What can someone learn? That I am using your app, and the time I received notifications from your app, which is likely very shortly after someone sent mail for me to your server. And possibly the number of mails I received through your app.

      Quite possibly Apple would collect notifications when my phone is turned off and send them all together. Some messages can be merged. So after 200 mails I would receive ONE “you got mail” message when my phone is turned on.
    • Here's the text in the new Legal Process Guidelines. It doesn't say that a court order or warrant is required, just that it's a suitable method. So "Apple Now Requires a Judge's Consent To Hand Over Push Notification Data" is not actually what Apple is committing to.

      AA. Apple Push Notification Service (APNs)
      When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device. Some apps may

      • Here's the text in the new Legal Process Guidelines. It doesn't say that a court order or warrant is required, just that it's a suitable method. So "Apple Now Requires a Judge's Consent To Hand Over Push Notification Data" is not actually what Apple is committing to.

        AA. Apple Push Notification Service (APNs)

        When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device. Some
        apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media.

        The Apple ID associated with a registered APNs token and associated records may be obtained with
        an order under 18 U.S.C. 2703(d) or a search warrant.

        Excuse me.

        Where are the words "Suitable Method" in your Quoted Text?

        • Where are the words "Suitable Method" in your Quoted Text?

          I have no relation to the previous poster, but the direct answer is that those words don't appear.

          I believe that the point that poster was making was that by saying "(information) may be obtained with (documents)" is that this particular wording does not address the issue of whether there are other ways to obtain the information. Some sort of exclusionary wording such as "(information) may only be obtained with (documents)" would mean that no other methods of obtaining the information were available.

          • Thank you. Since the info has always been obtained from Apple by court order or warrant, Apple's statement actually just says that they will follow the law.

            • Thank you. Since the info has always been obtained from Apple by court order or warrant, Apple's statement actually just says that they will follow the law.

              Exactly. What else does everyone expect?

          • Where are the words "Suitable Method" in your Quoted Text?

            I have no relation to the previous poster, but the direct answer is that those words don't appear.

            I believe that the point that poster was making was that by saying "(information) may be obtained with (documents)" is that this particular wording does not address the issue of whether there are other ways to obtain the information. Some sort of exclusionary wording such as "(information) may only be obtained with (documents)" would mean that no other methods of obtaining the information were available.

            So, as I implied, he was lying.

  • by schwit1 ( 797399 ) on Wednesday December 13, 2023 @02:18PM (#64079631)

    https://www.eff.org/deeplinks/... [eff.org]

    Not while the Intel community [thefederalist.com] turns the 4th amendment into swiss cheese.
