Privacy Checkup: descubra cómo está protegida su privacidad en Internet

Más información

Push Notifications and Data Privacy

· Deutsche Version
Push Notifications and Data Privacy

Over the past days, push notifications and the impact they have on data privacy has become a hot topic not only in tech circles but also in mainstream media. The debate was sparked by a letter from US Senator Ron Wyden, asking the Department of Justice to allow push-service providers, in particular Apple and Google, to inform the public about government requests for so-called “push tokens.” The topic has stirred up some confusion, which is why we would like to set a few things straight.

TL;DR

  • Push notifications cannot be exploited to reveal who is communicating with whom, and if properly used (as in Threema’s case), they do not disclose any personal information to the push-service provider or include message content in any form.

  • If (and only if) government authorities are given certain user data of a push-notification service and certain user data of a messenger service, they can potentially establish a connection between someone’s messenger identity and their Apple or Google account.

  • In anticipation of this scenario, Threema developed its own push service, Threema Push, which is immune to any such inference.

  • Every Android user can switch to Threema Push, which completely eliminates the potential issue with immediate effect. Due to restrictions on Apple’s part, iOS users are stuck with Apple’s own push service and cannot opt for Threema Push, sadly.

  • In Threema’s case, this potential privacy issue cannot be exploited for mass surveillance. Unless you’re a possible subject of targeted government surveillance, you shouldn’t have to worry and probably don’t need to take any precautions.

At the most basic level, notifications on the smartphone inform users about certain occurrences, e.g., an upcoming meeting, a new text message, or the advent of a thunderstorm.

It is, of course, desirable for notifications to appear in a timely manner and not just when the respective app happens to be in the foreground. For this reason, operating systems (Android and iOS) allow apps to display notifications even if another app is open or if the smartphone is locked.

However, not every notification that appears outside of the app it belongs to is based on push technology. If, for example, a calendar app displays a notification about an upcoming meeting, it’s probably just a local notification, i.e., one that was triggered directly on the device.

Only notifications that are triggered outside of the smartphone rely on push technology. For example, a notification about the advent of a thunderstorm requires push technology since the server of the weather service needs to send, or “push,” this information to the smartphone in question.

What is a push token?

Push notifications were introduced by providers of mobile operating systems to offer apps a way to inform their users about events happening outside of the smartphone – such as the advent of a thunderstorm – when the app isn’t open. (Without push technology, apps would have to periodically connect to a server in the background in order to fetch incoming messages, which would have a negative impact on battery life.)

The so-called “push token” is a unique identifier establishing a link between remote notifications and the smartphone that’s supposed to receive them. (Strictly speaking, push tokens even point to a specific app on a smartphone; there are different push tokens for different apps on the same device.) To stick with the weather example: when the weather app’s server receives information about an approaching thunderstorm, it sends a push token (possibly along with additional information) to the push service (i.e., Apple Push Notification Service or Google’s Firebase Cloud Messaging), which, in turn, sends a push notification to the smartphone associated with the push token in question.

Push token

The smartphone receives the push notification even if it’s locked, processes it in the background (decrypting the received content or downloading data from the weather server, for example), and displays the appropriate notification on the screen.

How does an actual push token look like?

Here’s an example of a push token (which is no longer in use) of Google’s push service:

fabNdMZaiqo:APA91bEDtSMxGemZsP7zs2tcvby2ZaMIghlRelec7qUQdMzhqzf-dz_KC1AaxlEE3FUd29z1fsmEXoc33JeNBIpL4LtKGNXENpuysP3I5UXffhZGNUeLBgDBCe7-8YsRVd8mtAPe88Qt

Push tokens are opaque: we don’t know whether they carry information in and of themselves (e.g., about the device they’re associated with or about the user the device belongs to).

Myths About Push Tokens and Privacy

Current news articles and social media posts on the subject suggest that push tokens can be used for (mass) surveillance of smartphone users. However, most authors fail to explain how such surveillance would actually work, while others make misleading claims, such as the following:

  • Myth #1: Push tokens are utilized to obtain metadata about the use of apps (possibly on a scale that constitutes mass surveillance): who uses which app, when, for how long, etc.

    If the push service keeps log files, these logs provide information about the points in time a user received push notifications (or rather, about the points in time the server sent them out). However, it’s questionable whether the operating system returns information to the push service about whether and when a notification was opened by the user, or whether it was displayed at all. In any case, there would be much simpler and more effective ways for operating-system suppliers to measure how apps are being used than by exploiting push notifications for this purpose.

  • Myth #2: Push tokens can be used to monitor who is communicating with whom.

    To determine who is communicating with whom, information about both incoming and outgoing messages would be required. As stated above, however, the logs a push service may keep can only contain information about incoming messages (i.e., the points in time push notifications were sent to a user).

    To the push service, a scenario where one user sends ten messages to ten users looks the same as a scenario where ten users send one message to ten users. All the push service sees is that there are ten push notifications to deliver to ten users. Thus, there’s hardly any way to establish a correlation between senders and recipients of messages.

  • Myth #3: Due to push tokens, it is impossible to use secure messengers like Signal and Threema anonymously.

    Threema for Android provides the option to use Threema Push instead of Google’s push service, in which case no push token exists to begin with. Hence, nothing stands in the way of using Threema anonymously. In Threema Libre, which doesn’t contain any third-party services at all, Threema Push is the standard push service.

    Some people claim that Threema Push can only be used on de-googled devices, is difficult to set up, and/or comes with feature limitations. That’s not accurate: switching from Google’s push service to Threema Push only requires toggling a single switch, can be done on any Android device, and does not result in feature limitations.

    Others argue that Google’s push service is the only viable option on Android because alternative push services come at the cost of extensive power consumption and fast battery drain. In our experience, however, there’s no noticeable difference between Threema Push and Google’s push service in terms of battery life.

What information do push notifications in Threema contain?

In Threema, push notifications are only used to inform the app about the arrival of new messages on the server. They do not include message content, not even in encrypted form, or any information accessible by the provider of the push service.

After the app receives a push notification, it connects to the Threema server, downloads the incoming message from there, decrypts it locally, and, finally, displays a notification on the screen.

Push notifications are either empty (on Android) or encrypted with a key only known to the local app and the Threema server (on iOS). In the latter case, they contain the Threema ID and (if set) the nickname of the sender along with the ID of the incoming message (again, none of this data is accessible by the push-service provider, i.e., Apple).

How Push Tokens May Affect Privacy

Threema was designed to store as little user data on the server as possible, and, as mentioned above, no push token exists when using Threema Push.

Unfortunately, due to restrictions on Apple’s part, solutions like Threema Push are not available on iOS. If iOS users wish to receive notifications while Threema isn’t open, they have to accept that a push token of Apple’s push service is stored on Threema’s server as part of their Threema ID’s inventory data.

Threema users can retrieve their ID’s inventory data stored on the Threema server at any time by sending “info” to *MY3DATA.

The only way for iOS users to prevent the existence of a push token is to disable notifications (in “System Settings > Threema > Allow Notifications”). If the app is no longer allowed to display notifications, the push token will be deleted upon the next app launch.

It should go without saying that disabling notifications somewhat defeats the purpose of an instant messenger and will have a drastic impact on the overall functionality, e.g., it will no longer be possible to receive calls unless the app is in the foreground.

If we’re required upon official order to disclose the inventory data of a particular Threema ID to a government authority and if a push token is part of this inventory data, the authority could then submit another inquiry to the relevant push service and potentially find out which user account is associated with that push token. (On Android, the push token isn’t necessarily linked to a Google account since the OS can be used without being signed in.)

Consequently, the push token could be used to establish a connection between a given Threema ID and an Apple or Google account. And in case the Apple or Google account contains personally identifiable information, the identity of the Threema ID’s owner would be revealed.

How serious is the matter?

First of all, it has been known for a long time that the push token could be used to deduce which Apple or Google account belongs to the owner of a Threema ID if, and only if, both access to the Threema ID’s inventory data and access to the push service’s data is gained. This scenario was outlined in Threema Push’s introductory blog post and is what led us to develop our own push service. Besides, even before Threema Push existed, “polling” was available in Threema for Android for the same reason.

From our perspective and from a data-protection standpoint, this scenario constitutes a serious privacy issue. Particularly unfortunate is the fact that iOS users have no way to prevent this kind of identity exposure due to restrictions on Apple’s part. At the same time, it’s important to stress that, as far as Threema is concerned, the issue doesn’t hold the potential for mass surveillance, and there are legal hurdles in place. It should also be noted that not all messengers are affected in quite the same way.

Messengers that employ phone numbers as unique identifiers generally cannot be considered to offer anonymous use. Therefore, it is somewhat questionable whether a detour via the push token is worthwhile in such instances – it may be easier to establish a user’s identity directly by means of their phone number. In this sense, Threema is affected in a different way than messengers that don’t allow for anonymous use in the first place.

On the other hand, messengers based in the US are presumably affected to a greater extent since Apple and Google are also US-based and the legal hurdles for local authorities to submit requests to two domestic institutions are arguably lower than having to request international legal assistance from a foreign country (in Threema’s case, Switzerland).

Further reinforcing the previous point, gag orders are another relevant national difference. In contrast to US-based messengers, Threema can’t be prevented from truthfully informing its users about government requests: our transparency report lists the legal requirements for data disclosure, contains exhaustive information on the type of data that’s available, and includes an aggregated list of all data handed over to date.

Without trying to downplay the issue, we think that given the legal hurdles and considering the total amount of data handed over, users generally shouldn’t have to worry and don’t need to take precautions unless they are a possible subject of targeted government surveillance, in which case using Threema Push is recommended.

How the Issue Is (Not) to Be Resolved

A few articles recommend simply turning off push notifications in the device’s system settings. As stated in the infobox above, this will work as far as Threema for iOS is concerned but has severe consequences in terms of functionality. In many, if not most, other cases, however, it’s no viable solution since it will possibly only stop notifications from being displayed without actually deleting the push token.

Meanwhile, some messaging services point out that their push notifications don’t contain any sensitive information, which they take to mean that they’re somehow not affected by this issue. However, as should be apparent by now, the push token can still be used to link a user’s messenger identity to their Apple or Google account. In regard to the subject at hand, it really doesn’t matter whether the content of push notifications is encrypted (as it should be) or not.

It has also been suggested that short-lived push tokens could be a way to resolve the issue. Assuming that push-service providers don’t keep log files, this might mitigate the problem to some extent, but it would also drastically decrease the reliability of push notifications. If a smartphone happens to be offline for some time, it’s expected that push notifications appear once it is back online, which, however, would not be the case if the push token expired during the device’s downtime.

In conclusion, the only solution at this point is to resort to alternative notification mechanisms where no identifiers can be exploited to derive a user’s identity. Even though the issue doesn’t hold the potential for mass surveillance (in Threema’s case, anyway) and is primarily relevant for subjects of targeted government surveillance, it still is a privacy issue we wish to address on all platforms. Regrettably, there’s no way for us to bring Threema Push to iOS, but we hope Apple is going to reconsider the restrictions that currently prevent this from happening.