this post was submitted on 06 Dec 2023
519 points (98.7% liked)

Technology

59377 readers
5196 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L3s@fry.gs
L4s@fry.gs
L4s@lemmy.world
enu@lemmy.world
519
Apple Confirms Governments Using Push Notifications to Surveil Users (www.macrumors.com)
submitted 11 months ago by DannyMac@lemmy.world to c/technology@lemmy.world
49 comments fedilink hide all child comments
all 50 comments
sorted by: hot top controversial new old
[–] homesweethomeMrL@lemmy.world 58 points 11 months ago* (last edited 11 months ago) (1 children)

The data is said to have been used to attempt to tie anonymous users of messaging apps to specific Apple or Google accounts.

So it's not about the notifications or even necessarily the data the app handles; just that there's an apple ID or google ID they're pinging to see who it is.

Today's lesson is: Never use your apple ID or (ugh) google ID for anything important. If you can not use either for anything, great, but we all know we're not international super spies and sometimes you just want to play a card game or something. Still. If someone's unaware that smartphones are tracking devices they should probably know that now.

I'm amazed that Apple was prohibited from saying anything until now.

[–] BearOfaTime@lemm.ee 24 points 11 months ago (1 children)

Just because we're not James Bond today, doesn't mean we won't be a person of interest tomorrow.

That's what's so dangerous, especially for stuff that's just collected for no particular reason. Look at the man who was arrested for a crime simply because he biked through the area during the right time, and his Google location history showed up in a search.

[–] AVincentInSpace@pawb.social 15 points 11 months ago (1 children)

Look at the man who texted photos of his son's genitalia to said son's doctor and got his entire Google account banned when his phone automatically synced them to Gdrive and the algorithm decided he was a pedophile

[–] Socsa@sh.itjust.works -4 points 11 months ago* (last edited 11 months ago) (1 children)

I don't know if that's a great example tbh. How does Google know it's a medically necessary picture of a child's genitals? Just don't do that. Don't send anyone pictures of your kid's junk. Or anyone's junk for that matter, except maybe your own if you really want to. Certainly not over unencrypted channels. That seems very obvious to me. If your kid's dick is falling off, go to the ER

[–] deweydecibel@lemmy.world 13 points 11 months ago

You missed the point of the examples.

They're cases of people who did nothing wrong but none the less found themselves in trouble because they didn't appreciate how their privacy was being invaded. You can argue about the merits of invading one's privacy to look for child porn, but it is an invasion of privacy, and it's one that a tremendous amount of people are complete unaware of.

That man presumed his phone was secure, and presumed the channel to his doctor was secure. So he sent sensitive images believing the only people that would see them would be the recipient, a licensed medical professional who presumably asked for or at least expected the photos. If what he believed had been true, there'd be no story.

He didn't realize that his photos were synced to g-drive, and he didn't appreciate that images backed up to a cloud are not private, and that no matter what the context, those images would trigger a response. These are all things they were ignorant of until it was too late.

The larger point is that he is not alone. A lot of people truly don't appreciate just how much information of theirs is out there on somebody else's computer, and they do not have the knowledge or the imagination to know how much trouble they could be in one day.

[–] mojo@lemm.ee 33 points 11 months ago

Anyone who thinks Apple is private is getting fucked balls deep by marketing at face value.

[–] noodlejetski@lemm.ee 33 points 11 months ago (1 children)

not sure how it works on iOS, but at least on Android Signal has been taking some extra measures to avoid that. the message contents aren't delivered over GCM, just the ping that there's a new incoming message, which is then downloaded by Signal separately.

[–] BearOfaTime@lemm.ee 7 points 11 months ago* (last edited 11 months ago)

That's kind of how iMessage works, the Apple equivalent to GCM (Google Cloud Messaging) is called APN (or is it ANP? I always forget), and it sends a notification to the phone which then retrieves the message.

Be interesting to hear the perspective of the developers of Bubble Mini, since they just reverse-engineering iMessage.

https://jjtech.dev/reverse-engineering/imessage-explained/

[–] kpw@kbin.social 8 points 11 months ago (2 children)

How do those governments have access to this data? Is it not TLS encrypted?

[–] GenderNeutralBro@lemmy.sdf.org 10 points 11 months ago* (last edited 11 months ago)

Apple would be able (and perhaps required?) to provide the decrypted data. TLS is not end-to-end encryption; it's just server-to-client. It's useful to prevent MITM wiretapping but it is NOT useful to prevent server-side spying.

The article quotes Apple as saying they can update their transparency report now that this is public. Doesn't look like they have data for 2023 yet at https://www.apple.com/legal/transparency/

I'd think Apple could make push notification content end-to-end encrypted if they so desired, but I don't know how they could avoid having access to the vendor and user at minimum for the sake of validation and delivery.

[–] ImTryingLemmy@lemmy.world 3 points 11 months ago

To turn that question around, what incentive do the corporations have to encrypt that data? Whole bunch easier to just not care.

[–] LainOfTheWired@lemy.lol 7 points 11 months ago (3 children)

Good time to switch to an open source degoogled android ROM and set up your own push notification server.

Until people stop giving up their freedom to these companies by agreeing to legal documents they don't even read, it's only going to get worse.

[–] solarvector@lemmy.zip 51 points 11 months ago (1 children)

I agree those are good things to do.

But... Blaming people who are being fucked over by forces generally outside their control is not really going to help their or our situation. Expecting or demanding "people" to just change is also not realistic. Even if they wanted to, time, effort, energy, knowledge, skills, and attention are all finite. This is just one important issue or source of exploitation among a sea of others.

[–] registrert@lemmy.sambands.net -1 points 11 months ago

But… Blaming people who are being fucked over by forces generally outside their control is not really going to help their or our situation.

The whole premise of the comment is that it's not outside of their control, they just chose not to be responsible for the agreements they make. If you have any better suggestions than blaming those responsible for the situation I'm willing to listen and maybe even change my mind.

Expecting or demanding “people” to just change is also not realistic. Even if they wanted to, time, effort, energy, knowledge, skills, and attention are all finite.

Is it more unrealistic than "we" deciding to change and find a better path forward than surrendering our digital lives to strangers? I'm able to self-host my own push server. I wasn't born with that knowledge. I had to invest time, effort and energy to gain the knowledge and skills. If I can, so can others. I am not an extraordinary smart person.

Still, long before one starts to self-host entire platforms like NTFY or Nextcloud Push, there's a ton of free to use services ran by idealists rather than capitalists. Or payed options with good terms. There's so much between just not caring and being ones own sysadmin that I don't think "don't have the time" is a valid excuse anymore. It's not just push messages, it's everything - as you point out:

This is just one important issue or source of exploitation among a sea of others.

Sure. And most people I offered a free Nextcloud account to said the same. And Mastodon/Friendica-accounts. And so on. It's like a technological mass depression, we can't do everything we need to so there's no point doing anything at all.

And today I'm running a custom ROM and no push services from Big Data while they're literally getting robbed of their phonebooks by Meta.

[–] iAmTheTot@kbin.social 27 points 11 months ago (9 children)

Lol you're dreaming if you think even 0.1% of people will be interested in setting up their own server.

[–] Socsa@sh.itjust.works 3 points 11 months ago* (last edited 11 months ago)

They're also dreaming if they think doing these things doesn't just make them stand out, and provides them any real protection from state actors.

The number one rule of tradecraft is to blend in. I promise that you haven't thought of some way of using an always connected smartphone that the NSA hasn't considered. They are probably the ones making your degoogled ROMs.

This is hubris, plain and simple. If your goal is to hide from state actors then the best way of doing that is to be uninteresting statistical noise.

[–] LWD@lemm.ee 2 points 11 months ago* (last edited 11 months ago) (1 children)

deleted

[–] deadcade@lemmy.deadca.de 8 points 11 months ago (3 children)

Most "standard" messaging apps (that includes signal, telegram) use the "OS provided" push service. On Android, they use firebase cloud messaging, a component of google play services.

Degoogled Android means not having any notifications, unless the app supports UnifiedPush, runs in the background 24/7 (which drains battery), or runs in the background occasionally (which delays notifications).

If the app runs in the background occasionaly, you can "burden" the people on the other side by being slow to respond.

[–] wreckedcarzz@lemmy.world 5 points 11 months ago* (last edited 11 months ago) (1 children)

Eh, I use a few apps that have true foss forks and thus don't use gcm but the keep-alive method, and I didn't notice a difference in battery when I made the switch.

Also lol #3 isn't exactly a "burden", take the hint and go away people. Let me live in blissful solitude.

[–] registrert@lemmy.sambands.net 1 points 11 months ago

Pretty much my experience with pull-based notifications. I've even tested the same client on the same setup against both NTFY and client-pull without seeing a noticable difference in battery usage.

[–] Socsa@sh.itjust.works 1 points 11 months ago

It also means you will be on a very short list of people who use Unified Push.

[–] BearOfaTime@lemm.ee 0 points 11 months ago

Well I'd say those going the degoogle route learn about things like Unified, NLP, etc, along the way. But it is something the end user has to handle themselves, rather than it just being there in the OS.

[–] theneverfox@pawb.social 1 points 11 months ago

That's why I bothered to set up a nixOS config to deploy a docker cluster... I'm planning to give my friends and family a USB that connects to a private shared VPN, so all I have to do is walk them through booting from it

We all get a way to back up stuff with redundancy, and I'll throw up a Jellyfish server, maybe set up some llm assistants to scrape the web for interesting news and put it in a Lemmy instance or something. These are all things I want for myself, and I am willing to configure it exactly once... At that point, might a well let people I trust join the cluster.

Even my technical family used to scoff and ask why bother... This last week when my sister called and asked what I was up to, instead of explaining that it's more than just targeted ads, I asked if they noticed that everything sucks way more lately.

They never used to listen before... I think that's changing. I think it's time to build out alternatives

load more comments (6 replies)
[–] ImTryingLemmy@lemmy.world 1 points 11 months ago (1 children)

Is there a self-hosted alternative to SMS push? That's my main push notification, I can't think of another "service" I use on my phone. I'm an edge case though, already degoogled and don't let much push to me. SMS is a necessity for work and personal.

[–] BearOfaTime@lemm.ee 6 points 11 months ago (1 children)

Hell, SMS is clear text, no need to get the notifications.

This issue is about the notifications for (supposedly) encrypted chat apps hat use Apples notification service (and Google's) such as iMessage, Telegram, WhatsApp, etc.

[–] ImTryingLemmy@lemmy.world 1 points 11 months ago

iMessage is supposed to be encrypted? I had no idea.

[–] Brkdncr@sh.itjust.works 6 points 11 months ago

Sounds just like the idea that governments can retrieve metadata from phone calls without much hassle.

I’m not sure there is much you could do to get around this on iOS besides disabling push notifications in your app.

[–] pizza@lemmy.today -3 points 11 months ago (1 children)

https://youtu.be/rLXWqdry3Qc?si=LItEsEzrkK2DTL2D

[–] PipedLinkBot@feddit.rocks 1 points 11 months ago

Here is an alternative Piped link(s):

https://piped.video/rLXWqdry3Qc?si=LItEsEzrkK2DTL2D

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[–] AVincentInSpace@pawb.social -5 points 11 months ago (1 children)

pRiVaCy. ThAt'S iPhOnE