Apple will now tell us when governments demand push notification records

Editor’s note: Updates 12/7/2023 with an update to Apple’s Legal Process Guidelines.

U.S. Senator Ron Wyden of Oregon announced on Wednesday that he has requested that the Department of Justice allow Apple and Google to be more transparent about surveillance of mobile push notifications. Wyden’s request comes after becoming aware of “a tip that government agencies in foreign countries were demanding smartphone ‘push’ notification records,” according to Wyden’s letter to the DoJ.

“These companies should be permitted to generally reveal whether they have been compelled to facilitate this surveillance practice, to publish aggregate statistics about the number of demands they receive, and unless temporarily gagged by a court, to notify specific customers about demands for their data,” said Wyden.

The request would change the federal government’s current policy. In a statement to Reuters, Apple said, “In this case, the federal government prohibited us from sharing any information.” As a response to Wyden’s request, Apple told Reuters that, “Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

Apple has updated its Legal Process Guidelines with information on what Apple does when a government requests information. The following excerpt was added to page 19 of the Guidelines document:

AA. Apple Push Notification Service (APNs)

When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device. Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media.

The Apple ID associated with a registered APNs token may be obtained with a subpoena or greater legal process.

Apple Legal Process Guidelines

Apple introduced push notifications to the iPhone in 2009 through version 3.0 of what was then called iPhone OS. System-related push notifications alert users to incoming messages, phone calls, OS updates, security info, and more. But apps, websites, and third-party software can perform push alerts, too.

Why should you care?

The types of push notifications that a user receives can be used to create a profile of a person or can give an idea of what a user has on their agenda. That information is valuable to a government performing surveillance.

Apple makes great efforts to promote the privacy features of the iPhone and iOS, but the Wyden letter and Apple’s statement show that the company can be hampered in its attempts to preserve user privacy. In this particular instance, Wyden’s request essentially gives Apple the green light to let you know when a government (domestic or foreign) requests your push notification data.

Reading between the lines leaves the impression that there are many other government requests that companies such as Apple are prohibited from being transparent about. Apple has not made a general statement about government requests, and Wyden’s letter specifically addresses push notifications only.

It remains to be seen how this will affect future versions of iOS. iOS’s Apple Privacy Report feature (Settings > Privacy & Security) provides details on how apps are using your data and sensors; Apple could update it to show when a government makes a data request. Or Apple could make it a separate setting altogether. Regardless of how it will be implemented, it could end up being a showcased feature of iOS 18 at WWDC 2024.