this post was submitted on 06 Dec 2023
150 points (99.3% liked)

Privacy

31175 readers
461 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
Yayannick@lemmy.ml
ranok@sopuli.xyz
150
Apple Confirms Governments Using Push Notifications to Surveil Users (www.macrumors.com)
submitted 9 months ago by cheese_greater@lemmy.world to c/privacy@lemmy.ml
22 comments fedilink hide all child comments
all 27 comments
sorted by: hot top controversial new old
[–] sxan@midwest.social 60 points 9 months ago* (last edited 9 months ago) (2 children)

Years ago, I worked for a company that provided phone location for emergency services (fire, police, medical) to the big 3 cellular companies in the US. It required cell providers to install special hardware; back then, GPS was less ubiquitous, but it (still) suffers from accuracy in urban environments; it doesn't take much to block GPS signals. Also, you don't need access to anything more than the service provider's logs to do trilateration; it's harder to get GPS data from a phone without having software on the phone. In any case, Google pioneered getting around that by mapping wifi signals and supplementing poor GPS with trilateration, and it was good enough. Even back then, our lunch was being eaten by the cost of our systems, and work-arounds like wifi mapping.

Anyway, fast forward a decade and I'm working for a company that provides emergency support for customers who are traveling, and we're looking at ways to locate customers' business phones to provide relevant notifications. One of the issues was that there are places in the world where data connections are not great, and it was not acceptable for us to just ignore clients without data connections. One of the things we explored was called zero-length SMS. It's what it sounds like: an SMS message with zero-length does not alert the phone, but it does cause a ping to the phone. It was an idea that didn't pan out, but that's not relevant.

Cell phones have a lot of power-saving algorithms that try to reduce the amount of chatter -- both to reduce load on cell towers, but because all that cellular traffic is battery-intensive. So, if you're a government trying to track a phone, and you're working with a cell provider, and you don't have a backdoor in the phone, then you will be able to see which cell tower the phone last spoke with, but that probably won't give you very good location data and it may not update frequently. This is especially true in rural environments, where there's low density and a single cell tower might have a service radius of 3 miles -- that's a lot of area.

If you're tracking someone by phone, a normal cell connection may not be granular enough. Sending SMSes to a phone can force the phone to ping the tower and give you more data points about where the phone may be, how it's moving, and so on.If you're lucky, you can get pings from multiple towers, which might allow you to trilaterate to within a dozen meters.

Push notifications use data, but I wouldn't be surprised if there's some of that going on, too. It says "through Apple and Google's servers" which means they're talking about the push notification servers and not the phones. Android phones are constantly sending telemetry back to Google, so if that is what they're doing sending push notifications is probably more useful to them for Apple phones.

The article is light on details, but that'd be my guess. Forcing traffic to get more frequent cell tower pings and more data points for trilateration.

[–] cheese_greater@lemmy.world 10 points 9 months ago

Very detailed, thanks brotha

[–] sabreW4K3@lemmy.tf 2 points 9 months ago (1 children)

Just been reading up on this, they're basically using the push device ID to see when certain devices are receiving data and from what apps. It sounds like more work than its worth, but it's clearly something that's being used widely.

[–] sxan@midwest.social 1 points 9 months ago (1 children)

That makes sense, too. So it's not that they're using push notifications, but the server data.

[–] sabreW4K3@lemmy.tf 0 points 9 months ago

Yup

[–] possiblylinux127@lemmy.zip 10 points 9 months ago (3 children)

This is why I have always said you shouldn't trust Apple. They have absolute power over you.

[–] sparky@lemmy.federate.cc 9 points 9 months ago (3 children)

Did you read the article? It says the federal government compelled Apple to comply and gave them a gag order.

[–] trebuchet@lemmy.ml 14 points 9 months ago (1 children)

You can de-Google an Android phone with a custom ROM and have a phone that you have control over and know nobody is spying on you by running a firewall on the phone.

Can't do that on an Apple.

[–] sparky@lemmy.federate.cc 2 points 9 months ago* (last edited 9 months ago) (1 children)

Actually, you can, with Lockdown for iOS or Lulu for macOS. There are other alternatives available, these are just a pair of FOSS examples. You can totally block *.apple.com if you really want to.

[–] bamboo@lemm.ee 1 points 9 months ago

It’s not quite the same though. With a custom android ROM, you can be pretty confident that everything kernel-and-up is not spying on you. On iOS and macOS, you don’t have the same level of verifiability, as the OS could just circumvent any VPN/firewall you might have configured. They might pinky promise not to, but without running another external firewall it’s not really verifiable.

[–] possiblylinux127@lemmy.zip 5 points 9 months ago

Which means Apple can't be trusted. My data stays local.

[–] Cheradenine@sh.itjust.works 3 points 9 months ago (2 children)

As the article says, Apple and Google both do it. Apple disclosed it, Google did not.

How is your conclusion 'I don't trust Apple'?

[–] trebuchet@lemmy.ml 6 points 9 months ago (1 children)

The Ars article on this said Google had been disclosing this for the past decade already whereas Apple didn't.

[–] Cheradenine@sh.itjust.works 1 points 9 months ago* (last edited 9 months ago)

It said that Google put it in their aggregated report. Not that they disclosed it. There is a big difference between 'we got 100 requests' and 'we got 10 requests for X info, 30 for Y info'.

ETA: I just looked at the data again, it's broken in to categories like FISA NSL etc, then it just gives a range of requests 0-1000 etc.

[–] possiblylinux127@lemmy.zip 2 points 9 months ago (1 children)

Fine, I don't trust google or apple. I don't use any of there services anyway.

[–] jasondj@ttrpg.network 0 points 9 months ago (1 children)

Well, you do. You just don’t know it or like it.

[–] possiblylinux127@lemmy.zip 2 points 9 months ago (1 children)

I do? I don't use google services at all. On my phone I run Lineage os and for file sharing I use self hosted nextcloud.

[–] jasondj@ttrpg.network 2 points 9 months ago

You can’t really go anywhere on the internet without using Google in some capacity. Cookies and trackers in all the things. Ads aplenty, and blocking them is perpetually an arms race.

[–] cheese_greater@lemmy.world 2 points 9 months ago

Just trust me, I've always got contingency plans. I'm not naïve about them

[–] yogthos@lemmy.ml -2 points 9 months ago

I can think of one government that definitely surveils data that goes through Google servers.