Push Notification Token Privcay

timothytalker

I have a question about push notification token privacy. However, since the Matrix chat was quite confused by my question, I would like to clarify two things:

Even though I am using Signal in my example, this is not an app-specific question.
This threat is not about push notification content, but about the push token (identifier) itself.

My understanding is that if a company is legally required by the police to hand over push tokens that the app has registered with Google (let's say Signal), then that information can be used to identify the Google account. In this way, a Signal user could be identified via Google account information matched by the push token.

You can read more about this practice here: https://www.washingtonpost.com/technology/2024/02/29/push-notification-surveillance-fbi/

Now to my questions:

1) Is the method as I describe the police process (first getting push tokens, then matching with Google to get account information) correct?

2) How can someone protect themselves from this?

2.1) The obvious way would be not to use Google Play Services or to separate apps into a secondary free Google profile. However, profiles are more of an identity separation, and push notifications are great for many apps.

Therefore, I would like to know if it is possible to disable push notifications for an individual app within the same profile. My understanding is that this is not currently possible on GrapheneOS, but the app communication restriction toggle that the GrapheneOS team is currently working on would allow this. Is this correct?

2.2) Are there other ways to protect against this privacy threat?

3) What do you think about defending against this attack via an anonymous Google account? I think this would not be sufficient as there could be other apps connected to the user's identity that could be matched via the push token (like Signal push token legal request > Google account (anonymous) > other app connections to that Google account > other identity leaking app > user identification.

In other words, even if the requested application is not tied to the user's identity in the first place, and the Google Account itself is anonymous, other connected applications could still leak the user's identity. For example, a super-private app connects to a super-anonymous Google Account via push tokens, but the Google Account also has a push token from a dating app with the user's picture, name, and GPS location.

Thanks for your thoughts and feedback!

akc3n

timothytalker
Non-paywall https://archive.is/ktvJN

See our replies in the comments for detailed explanation: https://discuss.grapheneos.org/d/9407-governments-obtaining-push-notification-metadata-from-applegoogle

minxes0v

timothytalker Is the method as I describe the police process (first getting push tokens, then matching with Google to get account information) correct?

That is what the WaPo article says. If a service (in this case, Firebase Cloud Messaging) can send you a message (which notifications are a form of message), you should assume they can identify you and correlate any and all messages sent to you.

timothytalker How can someone protect themselves from this?

Don't use apps that use FCM or don't install Play Services so your device doesn't register with Firebase. Otherwise, you can't. But this is a generic threat, not specific to using FCM specifically. Having a centralized service will always be a privacy risk.

timothytalker The obvious way would be not to use Google Play Services or to separate apps into a secondary free Google profile. However, profiles are more of an identity separation, and push notifications are great for many apps.

Is preventing correlation of identity from push notifications not identity separation? I don't quite understand your reticence here. It seems to boil down to "profiles are inconvenient", which yes, maintaining privacy and/or anonymity in the modern world is indeed inconvenient. However, I am not familiar with the specifics of when the Firebase SDK generates tokens, so I won't claim that using profiles is a sufficient condition to separate push tokens.

timothytalker Therefore, I would like to know if it is possible to disable push notifications for an individual app within the same profile. My understanding is that this is not currently possible on GrapheneOS, but the app communication restriction toggle that the GrapheneOS team is currently working on would allow this. Is this correct?

No. FCM will always send the notification to the device if it has registered a push token. To prevent this type of privacy threat, you would need to prevent the app from sending the message to FCM in the first place. You have no control over this.

timothytalker Are there other ways to protect against this privacy threat?

Use different phones on different networks with different accounts. Don't cross contaminate identities.

timothytalker What do you think about defending against this attack via an anonymous Google account? [...] In other words, even if the requested application is not tied to the user's identity in the first place, and the Google Account itself is anonymous, other connected applications could still leak the user's identity.

Right. Using the same Google account across multiple apps can still be correlated.

There's nothing special about this being "push tokens". If you prefer, you can think of them as an email address. If you use the same email address for multiple apps, then obviously it will be trivial to connect them to the same identity if someone is in a privileged position to observe the message traffic. The fact that it's a "token" instead of an "email address" changes nothing. And if you're logged into a Google account, thinking of it as an email address is apt.

timothytalker

Thanks for your reply!

I read the other post. However, my question is more about the user de-anonymization factor through push token likeability (and how to avoid it). I understand that push content can be empty or encrypted. That is not my question.

Just for 1) I would assume the answer is YES.

de0u

timothytalker It may be helpful to focus on what you want to conceal from whom, because it is not possible to extract full convenience from a cellular network and the Internet while concealing everything from everybody.

For example, if you use a messaging app with UnifiedPush notifications and an ntfy server hosted by AWS, then AWS will know you are running an ntfy server, if they care to. If you use a VPN to conceal your browsing habits from your ISP or cellular carrier, you will be turning that information over to your VPN provider.

Roaming around while carrying a cellular tracking beacon is convenient, but also makes one conveniently trackable.

timothytalker

minxes0v

Thanks for your answer! It was really helpful.

To sum up, to avoid push notification tracking, I have to either
1) Not use Google services at all (not installing Google Play Services)
2) Separate accounts across different Google accounts (with multiple user profiles)

Can you please confirm?

other8026

@timothytalker please be polite when responding to comments from other community members.

In this case, there's obviously unique IDs, otherwise how would users get their specific notifications? IDs, IPs, account names, etc. all can be used as a breadcrumb trail to find more data.

So it does matter who you're trying to hide your identity from.

If this concerns you, then don't use Google, or utilize profiles. It's possible an app communication scopes feature will be able to block apps from setting up push notifications from within a profile too, but I'd wait to see what the GrapheneOS devs have to say about the feature's capabilities.

timothytalker

other8026

Thank you. When have I been rude? Telling people to focus on one question seems fine to me...

minxes0v

timothytalker I cannot confirm. I think that will work, since GrapheneOS does not let Google run as privileged code (preventing any possible cross profile identifiers). However, I am not a GrapheneOS dev nor have to tools set up to be able to test it.

other8026

timothytalker saying that answering in a certain way is "useless" can be understood to mean that the whole post was "useless."

If you think an answer is off topic, you can flag a post and let someone on the moderation team handle it. Unfortunately, we can't send private messages on the forum. Most of the moderators have contact info in our bios. If you have concerns, you can contact us that way too.