Apple admits to secretly giving governments push notification data

People not storing contacts?

1. My maid. Her phone doesn't have internet either.
2. Various service providers, who get calls from different people, and get full information of the service to be provided in each call. Often use landlines.

Now you are saying "it may help". Contradicting your previous statement again.

Didn't answer the simplest question. Contradicting yourself. If these tactics are required to make your point, what is the point?
Bhai, what is your point? I explained Graph DB in the simplest way possible. I explained how your name can be easily tagged to your number and linked to others that store your contact, even if you do not store contacts in your phone. It does not matter if your maid is using a dumb phone. Your relatives, cousins, colleagues, friends will have your number linked to your name. That itself is enough to add you to a cluster.
> You are MDM/BYOD admin if you are working on MDM management. Please stop acting like a developer and please drop the act of 'I know devices in an out'.
In general, it is not application developers who decide how their application works. It is architectural designers and those from levels up. Not keyboard warriors.
Bwaaaaa haaaaa haaaaa. I have no idea why you are bringing architects into this. Probably because you still do not have any clue how apps work on phones and how APNs work. This again shows that you are disconnected from the world of software and mobile applications. If you had spent some time before sharing that article.....
> Please stop acting like a developer and please drop the act of 'I know devices in an out'. I have seen similar behavior by some in my org. Install software remotely and they act like they designed the software.
You reek like a sysadmin joke.
Top developers know what they are doing, but your class of discussions proves you are not one.
Again, bye.
LOL. Man, seriously. That sysadmin joke is really a PJ. Unfortunately for you, I am a CSE grad, have worked on various dev projects, am an expert in automation and am going into the ML world.
 
> Probably because you still do not have any clue how apps work on phones and how APNs work.

fyi:

"Because the delivery of remote notifications is not guaranteed, never include sensitive data or data that can be retrieved by other means in your payload. Instead, use notifications to alert the user to new information or as a signal that your app has data waiting for it. For example, an email app could use remote notifications to badge the app’s icon or to alert the user that new email is available in a specific account, as opposed to sending the contents of email messages directly. Upon receiving the notification, the app should open a direct connection to your email server to retrieve the email messages"

Just as a Chinese chef gets fed up eating Chinese food, application developers don't follow this advice from Apple.
Again, Bye.
 
> > Probably because you still do not have any clue how apps work on phones and how APNs work.
>
> fyi:
>
> "Because the delivery of remote notifications is not guaranteed, never include sensitive data or data that can be retrieved by other means in your payload. Instead, use notifications to alert the user to new information or as a signal that your app has data waiting for it. For example, an email app could use remote notifications to badge the app’s icon or to alert the user that new email is available in a specific account, as opposed to sending the contents of email messages directly. Upon receiving the notification, the app should open a direct connection to your email server to retrieve the email messages"
>
> Just as a Chinese chef gets fed up eating Chinese food, application developers don't follow this advice from Apple.
> Again, Bye.
No wonder you share that clickbait article. We are in a world where even having the term “password” in code is blocked in our commits even though it is a variable name that points to, say, a vault. There is no password in plaintext here. There are rigorous checks if any sensitive data will be shown anywhere without passing validations. If we have anything that pushes account details in an app notification, we can’t even take it to build, forget about production.

What Apple says here is not to include any sensitive information in a push notification. It is one of the key ways to avoid leaking sensitive data to prying eyes. Another example is this.
If you do not disable notifications on the Lock Screen, one can easily see your notification content without unlocking the phone. If that notification has an account number or any other sensitive data etc., it is taken without entering the phone. A notification should only contain generic detail and should not have any sensitive data.


If a bank has to send a push notification that there is unauthorised activity in your account, the push notification can contain “your account xxxx789 had unauthorised activity”. It should not be “your account 123456789 in Andheri branch had unauthorised activity”.

Saying this again, learn how applications and notifications work before getting into such discussions.
 
In multi-platform ad campaigns, the company told consumers that “what happens on your iPhone, stays on your iPhone,” and equated its products with security through slogans like “Privacy. That’s iPhone.”

Technically speaking (ha) the notification never happened on your iPhone, it just ended up there. The push notification started its life on Apple's servers. So that statement, in a roundabout way, is still true, maybe?

I remember when I first saw those ads, we (myself and the crowd I hung out with at the time) took it to mean that Apple won't reveal/monetize your content (photos, videos). As opposed to targeted advertising by Google and others.

What a clickbait article.

This I don't understand. What's clickbait about:

Apple admits to secretly giving governments push notification data

Breaking down the headline:
  1. Apple did give notification data without informing the user (secretly)
  2. Apple gave it to governments (how/why is irrelevant)
I don't understand how any of that is clickbait?

Was the article updated after we started throwing metaphorical overripe bananas at each other? Because this is what I see:

Apple has since confirmed in a statement provided to Ars that the US federal government "prohibited" the company "from sharing any information," but now that Wyden has outed the feds, Apple has updated its transparency reporting and will "detail these kinds of requests" in a separate section on push notifications in its next report. Ars verified that Apple's law enforcement guidelines now notes that push notification records "may be obtained with a subpoena or greater legal process."

Doesn't that mean the sharing of notification data was previously done without the user's consent (i.e., secretly) but now such compliances will be documented in some way?

Tangentially, Apple wouldn't have responded to Arstechnica if they considered Arstechnica a disingenuous publication. Arstechnica is one of the oldest, and perhaps most reputed, online-only publications of technology-related news and articles. I can't think of a single instance of when they had to retract any of their reporting over the years. They're about as far from clickbait as anyone should or could expect.
 
> What Apple says here is not to include any sensitive information in a push notification. It is one of the key ways to avoid leaking sensitive data to prying eyes. Another example is this.
> If you do not disable notifications on the Lock Screen, one can easily see your notification content without unlocking the phone. If that notification has an account number or any other sensitive data etc., it is taken without entering the phone. A notification should only contain generic detail and should not have any sensitive data.
>
> Saying this again, learn how applications and notifications work before getting into such discussions.
You've confused notification as in the APN push vs notification the UI component that's shown to the user. Apple is suggesting you use APN as just a trigger to initiate an API call from the app to the app backend to download updated data (that eventually displays the notification UI). They even enforce a limit of 4KB iirc for the APN payload. Here they're not talking about the UI when they say "data that can be retrieved by other means in your payload", they're talking about the APN push payload. Looks like they knew they couldn't guarantee the confidentiality.
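As an added illustration of the point made in this post and in the bank example earlier in the thread (it is not code from the thread or from Apple), the following Python checks constructed sample payloads against the practice described: a background trigger that carries no data, a visible alert that names only a masked account, and a review function that flags oversized payloads and sensitive content. The 4096-byte limit, the key names and the digit-run heuristic are assumptions for the demo.

```python
import json
import re

# The thread mentions a ~4 KB APNs payload limit; 4096 bytes is assumed here for the check.
MAX_PAYLOAD_BYTES = 4096

# Keys that should never ride in a push payload (constructed list for this demo).
SENSITIVE_KEYS = {"account_number", "balance", "password", "otp", "card_number"}

# Heuristic: a run of nine or more digits looks like an account or card number.
LONG_DIGIT_RUN = re.compile(r"\d{9,}")


def mask_account(number: str, keep: int = 3) -> str:
    """Mask an account number so only the last `keep` digits remain (e.g. xxxx789)."""
    digits = number.strip()
    if len(digits) <= keep:
        return "x" * len(digits)
    return "xxxx" + digits[-keep:]


def payload_bytes(payload: dict) -> int:
    """Size of the payload as APNs would receive it: compact JSON, UTF-8 encoded."""
    return len(json.dumps(payload, separators=(",", ":")).encode("utf-8"))


def _leaves(obj, path=""):
    """Yield (path, value) for every scalar in a nested dict/list structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _leaves(value, f"{path}[{index}]")
    else:
        yield path, obj


def review_payload(payload: dict) -> list:
    """Return a list of findings; an empty list means the payload passes review."""
    findings = []
    size = payload_bytes(payload)
    if size > MAX_PAYLOAD_BYTES:
        findings.append(f"payload is {size} bytes, over the {MAX_PAYLOAD_BYTES}-byte limit")
    for path, value in _leaves(payload):
        leaf = path.rsplit(".", 1)[-1]
        if leaf in SENSITIVE_KEYS:
            findings.append(f"sensitive key in payload: {path}")
        if isinstance(value, str) and LONG_DIGIT_RUN.search(value):
            findings.append(f"long digit run (account/card number?) at {path}")
    return findings


def trigger_payload(event_id: str) -> dict:
    """Background trigger only: the app wakes up and fetches the details from its
    own backend over TLS, so nothing sensitive transits APNs."""
    return {"aps": {"content-available": 1}, "event_id": event_id}


def alert_payload(account: str) -> dict:
    """Visible alert that carries a masked account reference, never the full number."""
    body = f"Unauthorised activity detected on account {mask_account(account)}."
    return {"aps": {"alert": {"title": "Security alert", "body": body}}}


# Constructed example of the kind of payload the thread warns against.
NAIVE_PAYLOAD = {
    "aps": {"alert": "Your account 123456789 in Andheri branch had unauthorised activity"},
    "account_number": "123456789",
}

if __name__ == "__main__":
    samples = [("naive", NAIVE_PAYLOAD), ("trigger", trigger_payload("evt-42")),
               ("alert", alert_payload("123456789"))]
    for name, p in samples:
        print(name, payload_bytes(p), "bytes:", review_payload(p) or "ok")
```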
 
> You've confused notification as in the APN push vs notification the UI component that's shown to the user. Apple is suggesting you use APN as just a trigger to initiate an API call to the app backend to download updated data (that eventually displays the notification UI). They even enforce a limit of 4KB iirc for the APN payload. Here they're not talking about the UI when they say "data that can be retrieved by other means in your payload", they're talking about the APN push payload. Looks like they knew they couldn't guarantee the confidentiality.
I am talking about APNs only. And yes, it only has to be a trigger and the actual action has to be from the app with encrypted traffic. Mine is the simplest example of how one can see and retrieve notification content. Explaining how the payload can be processed by another prying entity is beyond the understanding of some in this forum. Don’t want to bring all that discussion into this.

We all know that nothing in this world is absolutely secure. Every company adds these guidelines and terms that say that it is possible to hack and pull data, which is why they ask devs to avoid pushing sensitive data unless it is absolutely necessary.
> Technically speaking (ha) the notification never happened on your iPhone, it just ended up there. The push notification started its life on Apple's servers. So that statement, in a roundabout way, is still true, maybe?
>
> I remember when I first saw those ads, we (myself and the crowd I hung out with at the time) took it to mean that Apple won't reveal/monetize your content (photos, videos). As opposed to targeted advertising by Google and others.
>
> This I don't understand. What's clickbait about:
>
> Breaking down the headline:
>   1. Apple did give notification data without informing the user (secretly)
>   2. Apple gave it to governments (how/why is irrelevant)
> I don't understand how any of that is clickbait?
>
> Was the article updated after we started throwing metaphorical overripe bananas at each other? Because this is what I see:
>
> Doesn't that mean the sharing of notification data was previously done without the user's consent (i.e., secretly) but now such compliances will be documented in some way?
Exactly. They did that and could not disclose it due to a gag order. The same happened for Google as well. I hope the US government now allows adding these reports into Apple's privacy report as the cat is now out of the hat.
> Tangentially, Apple wouldn't have responded to Arstechnica if they considered Arstechnica a disingenuous publication. Arstechnica is one of the oldest, and perhaps most reputed, online-only publications of technology-related news and articles. I can't think of a single instance of when they had to retract any of their reporting over the years. They're about as far from clickbait as anyone should or could expect.
I do respect that site but clickbaiting and twisting news and showing explosive headlines is what I hate. Btw, Apple responded to letter from Senator that was submitted to DoJ.
> Technically speaking (ha) the notification never happened on your iPhone, it just ended up there. The push notification started its life on Apple's servers. So that statement, in a roundabout way, is still true, maybe?
>
> I remember when I first saw those ads, we (myself and the crowd I hung out with at the time) took it to mean that Apple won't reveal/monetize your content (photos, videos). As opposed to targeted advertising by Google and others.
If you mean that all PNs start on Apple's APNs servers: no, they do not (for 3rd-party ones). They start on the application's servers and are then pushed to APNs. A PN stays on APNs servers while the target device is offline. Once it is online, the payload is delivered and 'probably' removed from Apple's servers and from the application server. One thing that is not clear is whether Apple/Google retrieved PNs from their servers even though the notification was delivered. If this is true and if they were doing it long before governments asked them to, Apple or Google has to share the blame. If they just pass on PNs to governments for IDs based on judicial/federal requests, one cannot blame Apple (or Google).
> This I don't understand. What's clickbait about:
>
> Breaking down the headline:
>   1. Apple did give notification data without informing the user (secretly)
>   2. Apple gave it to governments (how/why is irrelevant)
> I don't understand how any of that is clickbait?
Title and how they worded it in a way that blame lies with Apple and Google.
 
@rsaeon
> Technically speaking (ha) the notification never happened on your iPhone, it just ended up there. The push notification started its life on Apple's servers.
Apple keeps their application integration tightly contained and allowed this to happen. That is why it originated on their own servers and ended up there, like this. Apple gives their recommendations in their developer guide as mentioned above, which in fact clarifies the situation very well. I don't think even application developers strictly follow that, otherwise this concern would not have happened.
The primary objective for us should be to understand the situation; I am not here to take sides. These are public articles, we can just read and understand the situation, that is all.

@desiibond
> No wonder you share that clickbait article. we are in a world where even having the term “password” in code is blocked in our commits even though it is a variable name that points to say a vault. There is no password in plaintext here.
Who is even talking about passwords in plaintext? The link given is the Apple Developer guide. Lolz. Seems you don't even know how to read it properly, but talk like a worthless script-kiddie keyboard warrior wasting time. Btw, notifications on the locked screen were once a much touted feature of iOS, just saying. Anyways, you do you.
 
> @rsaeon
> > Technically speaking (ha) the notification never happened on your iPhone, it just ended up there. The push notification started its life on Apple's servers.
> Apple keeps their application integration tightly contained and allowed this to happen. That is why it originated on their own servers and ended up there, like this. Apple gives their recommendations in their developer guide as mentioned above, which in fact clarifies the situation very well. I don't think even application developers strictly follow that, otherwise this concern would not have happened.
> The primary objective for us should be to understand the situation; I am not here to take sides. These are public articles, we can just read and understand the situation, that is all.
Lol. Not every push notification originates from their servers. We have a mobile app and PNs start from our servers, are pushed to APNS and then it is up to APNS to deliver to the device. We are in the world of microservices. The notifications arise from various modules and these are running in different containers or VMs. They are then pushed to Apple Push Notification servers using an API call. I do not want to go deep into what is between the origin containers and the API endpoint. The only PNs that originate from Apple servers are those that belong to Apple services (Pay, iCloud, mails etc). In this case of government monitoring, the monitoring was done on all PNs for certain users (but I would wait till the new report is generated to know exactly what notifications were monitored).
Saying this again. Read, understand and then share if it is valid. Do NOT share to be the first to share.
> @desiibond
> > No wonder you share that clickbait article. we are in a world where even having the term “password” in code is blocked in our commits even though it is a variable name that points to say a vault. There is no password in plaintext here.
> Who is even talking about passwords in plaintext? The link given is the Apple Developer guide. Lolz. Seems you don't even know how to read it properly, but talk like a useless script-kiddie keyboard warrior wasting time.
Of course, you do not understand why I mentioned password references. Silly me thinking that you would get the reference. I can understand your feelings and lack of understanding of this as well (just like how you could not understand what was written in that article). After all, you are not a developer and you have not used Apple devices recently. To explain this again, when the mere mention of the phrase 'password' is blocked by build pipelines, even without Apple guidelines, companies will not allow any sensitive data to be visible in the notification area. Does not matter whether it is on Android or iOS. If any company does, hackers salivate at the prospect of how bad their InfoSec teams are and start attacking their infrastructure. Please stop faking as if you know how all of this works and please stop embarrassing yourself.

Respectfully, this is not your domain. If you want to learn, I can help you understand. If you want to argue to massage your ego, I can continue to correct your views.
 
> Lol. Not every Push notification originates from their servers. We have mobile app and PNs start from our servers,
The developer guide and brief given above describe how to create notifications. Since you are an incompetent developer, even after reading Apple's guidelines and examples, you don't know how and what a notification should be. lolz.

> In this case of Government monitoring, the monitoring was done on all PNs for certain users (but I would wait till the new report is generated to know exactly what notifications were monitored).
Well read and understood by those who want to, including journalists at that website and people on top with enough comprehension skills at places relevant. You won't get it, you are incapable of that.

> Saying this again. Read, understand and then share if it is valid. Do NOT share to be the first to share.
Lolz. You are a nobody script-kiddie fanboi to beg others not to share articles from one of the most famous websites on the internet. Who cares, it is out there and millions already read it. You are barking up the wrong tree; can't blame you for your naivety. I generally never post like this, but it looks like you deserve responses of your own class and kind only.
So, bye bye.
 
> > Lol. Not every Push notification originates from their servers. We have mobile app and PNs start from our servers,
> The developer guide and brief given above describe how to create notifications. Since you are an incompetent developer, even after reading Apple's guidelines and examples, you don't know how and what a notification should be. lolz.
>
> > In this case of Government monitoring, the monitoring was done on all PNs for certain users (but I would wait till the new report is generated to know exactly what notifications were monitored).
> Well read and understood by those who want to, including journalists at that website and people on top with enough comprehension skills at places relevant. You won't get it, you are incapable of that.
>
> > Saying this again. Read, understand and then share if it is valid. Do NOT share to be the first to share.
> Lolz. You are a nobody script-kiddie fanboi to beg others not to share articles from one of the most famous websites on the internet. Who cares, it is out there and millions already read it. You are barking up the wrong tree; can't blame you for your naivety. I generally never post like this, but it looks like you deserve responses of your own class and kind only.
> So, bye bye.
Seriously, please stop embarrassing yourself. You are going to great lengths to prove that you had no clue, yet you are trying to massage your ego. Telling me I don’t know how to create notifications after I explained how APNs works, when you don’t even know the A B C of development. Take a bow. You have the knowledge of a n00b and confidence the size of a dinosaur. Been a while since I saw someone who kept getting embarrassed.
 
Chill guys.

As I see it, the question, simply put, is: where can a company draw the line on privacy vs a govt/legal request?
 
> As I see it, the question simply put is - where can a company draw the line on privacy vs a legal request?
Companies have limits on how much they can shield data for the sake of privacy. One company constantly and clearly advertised to consumers that whatever happened on their phones stayed on their phones (even after the infamous celebrity data leaks, which were later even made illegal to publish). They changed their T&C recently after having some necessary contact with authorities, gag orders, whatever. So, this article clarifies this? The article exposes how a notification feature exposes user data (unless appropriately handled). I just posted an article from one of the most read websites, purely on a merit basis, for the information of members here.

The other part is one user being unnecessarily contentious from the beginning, being uncivil, and burning down when a mirror is shown to him.
His embarrassment could've been avoided if he had discussed technicalities in a civilized manner rather than putting down others from an undeserving high horse.
 
> Chill guys.
>
> As I see it, the question, simply put, is: where can a company draw the line on privacy vs a govt/legal request?
They cannot if the legal request is related to national security. For instances where data is needed for simple cases that do not involve danger to life or national security, companies process the request and decide whether to share data or not.

Same with hospitals. They will not share medical data every time police or court passes order.

Problem is that people get confused between legal orders and sale of data. We have to stop this itch to ‘share it first’. We are not TOIlet paper reporters to rush to show news without validating and say “Breaking news, we shared it first”.
 
> Problem is that people get confused between legal orders and sale of data. We have to stop this itch to ‘share it first’. We are not TOIlet paper reporters to rush to show news without validating and say “Breaking news, we shared it first”.

People should be able to discuss technical news which interests them without some fanboyish gatekeeping. And why should someone bother who first posted it and how fast it was!!!? This is a technical forum; information can be posted and discussed as and when available. This is an extremely weird allegation!

For example, there was a post about Intel by one member:

I updated the post: https://techenclave.com/threads/intels-insane-marketing-slides.217484/post-2499060
with new info within hours once there was a change.

That is how it should be? No name calling, gatekeeping, snobbish attitudes, etc.? Decent technical discussions in a civil manner, why not?
 
> > Problem is that people get confused between legal orders and sale of data. We have to stop this itch to ‘share it first’. We are not TOIlet paper reporters to rush to show news without validating and say “Breaking news, we shared it first”.
>
> People should be able to discuss technical news which interests them without some fanboyish gatekeeping.
>
> For example, there was a post about Intel by one member:
>
> I updated the post: https://techenclave.com/threads/intels-insane-marketing-slides.217484/post-2499060
> with new info within hours once there was a change.
>
> That is how it should be? No name calling, gatekeeping, snobbish attitudes, etc.? Decent technical discussions in a civil manner, why not?
1. Apple admits to secretly giving governments push notification data. Apple to update transparency report to break out push notification data requests. For their part, I recently haven't seen ads boasting how much Apple cares about user data privacy.

2. Governments in the USA and other parts of the world force Apple and Google to share user data. What does it take to draw a line to make governments stop forcing companies to share private data, and how to stop governments giving gag orders?

Which one is on point and not misleading? The first one saying that Apple is responsible, or the second one questioning governments? The way I see it, it's not just these two. I would not be surprised if governments are forcing banking institutions to secretly share financial data of individuals.

First, read and understand the article in full and learn what the issue is, then start a discussion. Second, do not share in a hurry. Third, when one tries to explain, listen. You cannot point a finger at a company and cry foul when others point a finger at you. If you post misleading lines about a company, you are trying to damage their reputation. Is this a civil manner?

Rumors on upcoming products etc. are shared and discussed because they are rumours. When there is damning content about a company, whichever company that is, you take time to understand and share. When you share, do not cherry-pick statements that make it look a lot different to what the actual problem is.
 
Whatever is needed to make sense is already posted in this thread. Read that again and again; if you still find it difficult, you can reach journalists from Arstechnica, The Guardian, etc. Blaming or being uncivil to random forum members can only take you this far.
This does not make any sense, I will stop further comments, sorry, bye.
 
> Whatever is needed to make sense is already posted in this thread. Read that again and again; if you still find it difficult, you can reach journalists from Arstechnica, The Guardian, etc. Blaming or being uncivil to random forum members can only take you this far.
> This does not make any sense, I will stop further comments, sorry, bye.
The very reason you shared the article and added cherry-picked statements is to make it look like one company is at fault. There is no denying that. It was very, very clear from your first post. Throughout, you showed no effort to try to understand what all I explained. You cannot post whatever you find in a hurry and say 'reach journalists of that post' when you are corrected in the same 'civil' manner. I saw your post and I replied. If you do not want people to respond to your posts, do not post. Simple. But if you want to, understand it first and know if it is misleading or not. If you cannot understand, ask if it is true and what the issue is. We are happy to explain and put you in the right direction.
 
> The very reason you share the article and added cherry picked statement is to make it look like one company is at fault. There is no denying that.
That is your misunderstanding or personal feeling, which even others clarified earlier in the thread. That is just a 'you problem'.
For me it is just a technical article which piqued my interest and that of few others.
A funny comment about the company (or some probable disingenuous practices) is not directed at you personally; don't know why you have to be riled up so much about that. Your comments were not civil or decent, which dragged you till here.

> You cannot do this and say 'reach journalists of that post' when you are corrected in same 'civil' manner.
Definitely can, if that information is so concerning for you. Because I don't find any problem with the article and find merit in it. Explained the interesting views, and if you have further problems, deal with it.

> I saw your post and I replied. If you do not want people to respond to your posts, do not post. Simple.
I'm totally disinterested, but mod here may not be interested in this toxic fest. So, I had to clarify. Hence this last post.
 
> > The very reason you share the article and added cherry picked statement is to make it look like one company is at fault. There is no denying that.
> That is your misunderstanding or personal feeling, which even others clarified earlier in the thread. That is just a 'you problem'.
> For me it is just a technical article which piqued my interest and that of few others.
> A funny comment about the company (or some probable disingenuous practices) is not directed at you personally; don't know why you have to be riled up so much about that. Your comments were not civil or decent, which dragged you till here.
>
> > You cannot do this and say 'reach journalists of that post' when you are corrected in same 'civil' manner.
> Definitely can, if that information is so concerning for you. Because I don't find any problem with the article and find merit in it. Explained the interesting views, and if you have further problems, deal with it.
Exactly what I did. Saw a misleading post with cherrypicked statements to show one company in bad light and I dealt with the OP.
> > I saw your post and I replied. If you do not want people to respond to your posts, do not post. Simple.
> I'm totally disinterested, but mod here may not be interested in this toxic fest. So, I had to clarify. Hence this last post.
Clarify that you can post misleading and cherry-picked content from an article and ask others not to correct you? If mods allow people to post misleading and cherry-picked content, they should obviously allow members to put that OP in place. Right?
 
> Clarify that you can post misleading and cherrypicked content from an article and ask others not to correct you?

The original post is directly as is from ArsTechnica with first line. No cherry picking whatsoever. Now keep your misinformation and deflective tactics with yourself.

Second is my funny take about the situation. It is not even directed at the company, leave alone a person like you, but purely about the situation. No one here is a horse in blinkers. Hope the mod understands the situation.
 