this post was submitted on 04 Jun 2025

291 points (99.3% liked)

Privacy

38498 readers

508 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

291

Apple Gave Governments Data on Thousands of Push Notifications (www.404media.co)

submitted 2 days ago by sabreW4K3@lazysoci.al to c/privacy@lemmy.ml

57 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] Ulrich@feddit.org 23 points 2 days ago* (last edited 2 days ago) (1 children)

Yes. 100%. Some app creators will encrypt the contents but I don't think they can encrypt the metadata.

Even the most "private" of companies like Signal and Proton don't provide any alternative either. Third-party fork Molly adds UnifiedPush support to Signal.

From Signal CEO:

PSA: We've received questions about push notifications. First: push notifications for Signal NEVER contain sensitive unencrypted data & do not reveal the contents of any Signal messages or calls–not to Apple, not to Google, not to anyone but you & the people you're talking to.

In Signal, push notifications simply act as a ping that tells the app to wake up. They don't reveal who sent the message or who is calling (not to Apple, Google, or anyone). Notifications are processed entirely on your device. This is different from many other apps.

What's the background here? Currently, in order to enable push notifications on the dominant mobile operating systems (iOS and Android) those building and maintaining apps like Signal need to use services offered by Apple and Google.

Apple simply doesn’t let you do it another way. And Google, well you could (and we've tried), but the cost to battery life is devastating for performance, rendering this a false option if you want to build a usable, practical, dependable app for people all over the world.

So, while we do not love Big Tech choke points and the control that a handful of companies wield over the tech ecosystem, we do everything we can to ensure that in spite of this dynamic, if you use Signal your privacy is preserved.

(Note, if you are among the small number of people that run alt Android-based operating systems that don't include Google libraries, we implement the battery-destroying push option, and hope you have ways to navigate.)

https://mastodon.world/@Mer__edith/111563865413484025

[–] jasonthedragon442@lemmy.ml 10 points 2 days ago (2 children)

PSA: We've received questions about push notifications. First: push notifications for Signal NEVER contain sensitive unencrypted data & do not reveal the contents of any Signal messages or calls–not to Apple, not to Google, not to anyone but you & the people you're talking to.

Doesn't this mean there is nothing to log? You got me confused

[–] icelimit@lemmy.ml 12 points 2 days ago (1 children)

I guess it's possible to log the fact that a push notification was received and the time of it?

[–] jasonthedragon442@lemmy.ml 2 points 1 day ago* (last edited 13 hours ago) (1 children)

Honestly I wouldn't expect Signal to try and take care of this

[–] Ulrich@feddit.org 1 points 17 hours ago

They could, very easily, by implementing UnifiedPush. Let the users decide if they want/need to use it. But as of now the only way to do that is by installing a third-party app.

[–] Ulrich@feddit.org 8 points 2 days ago* (last edited 2 days ago) (1 children)

Not necessarily. I'm not some sort of tech genius but she's using some choice language here:

push notifications for Signal NEVER contain sensitive unencrypted data & do not reveal the contents of any Signal messages

metadata is not "contained" in the notification.

When pushed on this she basically changed the subject to "there's no alternative":

Another Twitter user pointed out that rather than the exposure of the text, the bigger issue is that “the push gets sent at all, not what’s in it. It lets an attacker identify somebody by when they get messages, messages the attacker may even have sent.”

To this, Whittaker replied, “So this is an issue worth clarifying. It’s not possible [right now] to build a mass [communications] app [without] push notifications, [especially with] calling. This is a problem, we agree.”

https://www.medianama.com/2023/12/223-signal-push-notifications-content-meredith-whittaker/

I could be misinterpreting these statements but that's how it reads to me. Seems like encrypting metadata would require Google's involvement and I'm sure that's the opposite of what they want.

[–] dev_null@lemmy.ml 1 points 17 hours ago* (last edited 17 hours ago) (1 children)

You are trying to read what isn't there. Push notifications just don't contain any messages, at all, in any form, whether you want to call it data or metadata. They are just telling the Signal app to wake up, and then it securely checks with the server what's up.

The only think authorities are getting then, is the fact your Signal app was told to wake up at time X. Not whether you actually received a message, let alone any information about any messages.

It is confusing the system is called "push notifications", because it has nothing to do with the actual notifications you are seeing on your phone. It's just a mechanism to wake up sleeping apps so that they can check up with their server.

[–] Ulrich@feddit.org 1 points 17 hours ago (1 children)

The only think authorities are getting then, is the fact your Signal app was told to wake up at time X

That's called metadata.

It's just a mechanism to wake up sleeping apps so that they can check up with their server.

So why do the authorities want it?

[–] dev_null@lemmy.ml 2 points 17 hours ago (1 children)

Yes it's called metadata. I don't know why they want it.

[–] Ulrich@feddit.org 1 points 16 hours ago (1 children)

It's because it's used in tandem with other data they collect to profile you. To profile all of us.

[–] dev_null@lemmy.ml 2 points 16 hours ago

Yes, I assume so.