Apple provided governments around the world with data related to thousands of push notifications sent to its devices, which can identify a target’s specific device or in some cases include unencrypted content like the actual text displayed in the notification, according to data published by Apple. In one case, that Apple did not ultimately provide data for, Israel demanded data related to nearly 700 push notifications as part of a single request.
The data for the first time puts a concrete figure on how many requests governments around the world are making, and sometimes receiving, for push notification data from Apple.
The practice first came to light in 2023 when Senator Ron Wyden sent a letter to the U.S. Department of Justice revealing the practice, which also applied to Google. As the letter said, “the data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered. In certain instances, they also might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification.”
The published data relates to blocks of six month periods, starting in July 2022 to June 2024. Andre Meister from German media outlet Netzpolitik posted a link to the transparency data to Mastodon on Tuesday.
For example, according to the data, the U.S. made 99 requests for push token data related to 345 different push tokens, and received data in response to 65 of the requests between July and December 2023. The U.K. made 123 requests, about 128 tokens, and received data in response to 111 requests in the same time period. Germany was the only other country to receive data, which was in response to 5 of the country’s requests. The Netherlands and France also requested data but did not receive any.
Israel made a single push notification data request in that time period, but it related to 694 push tokens, according to the data. Representatives of the Israeli government did not respond to a request for comment, and neither did Apple.
In another stretch of time, from January to June 2024, the U.K. received data in response to 127 requests, and the U.S. got data from 36. Germany did successfully receive some data during that period. Singapore has also made requests for data but has not received any, according to the transparency report.
Along with the data Apple published the following description: “Push Token requests are based on an Apple Push Notification service token identifier. When users allow a currently installed application to receive notifications, a push token is generated and registered to that developer and device. Push Token requests generally seek identifying details of the Apple Account associated with the device’s push token, such as name, physical address and email address.”
404 Media previously published a U.S. court record which sought access to push notification data.
In December 2023, Apple said it started to require a judge’s order to hand over push notification data. Before that, it was available with a subpoena.
