Years ago, I worked for a company that provided phone location for emergency services (fire, police, medical) to the big 3 cellular companies in the US. It required cell providers to install special hardware; back then, GPS was less ubiquitous, but it (still) suffers from accuracy in urban environments; it doesn’t take much to block GPS signals. Also, you don’t need access to anything more than the service provider’s logs to do trilateration; it’s harder to get GPS data from a phone without having software on the phone. In any case, Google pioneered getting around that by mapping wifi signals and supplementing poor GPS with trilateration, and it was good enough. Even back then, our lunch was being eaten by the cost of our systems, and work-arounds like wifi mapping.
Anyway, fast forward a decade and I’m working for a company that provides emergency support for customers who are traveling, and we’re looking at ways to locate customers’ business phones to provide relevant notifications. One of the issues was that there are places in the world where data connections are not great, and it was not acceptable for us to just ignore clients without data connections. One of the things we explored was called zero-length SMS. It’s what it sounds like: an SMS message with zero-length does not alert the phone, but it does cause a ping to the phone. It was an idea that didn’t pan out, but that’s not relevant.
Cell phones have a lot of power-saving algorithms that try to reduce the amount of chatter – both to reduce load on cell towers, but because all that cellular traffic is battery-intensive. So, if you’re a government trying to track a phone, and you’re working with a cell provider, and you don’t have a backdoor in the phone, then you will be able to see which cell tower the phone last spoke with, but that probably won’t give you very good location data and it may not update frequently. This is especially true in rural environments, where there’s low density and a single cell tower might have a service radius of 3 miles – that’s a lot of area.
If you’re tracking someone by phone, a normal cell connection may not be granular enough. Sending SMSes to a phone can force the phone to ping the tower and give you more data points about where the phone may be, how it’s moving, and so on.If you’re lucky, you can get pings from multiple towers, which might allow you to trilaterate to within a dozen meters.
Push notifications use data, but I wouldn’t be surprised if there’s some of that going on, too. It says “through Apple and Google’s servers” which means they’re talking about the push notification servers and not the phones. Android phones are constantly sending telemetry back to Google, so if that is what they’re doing sending push notifications is probably more useful to them for Apple phones.
The article is light on details, but that’d be my guess. Forcing traffic to get more frequent cell tower pings and more data points for trilateration.
Very detailed, thanks brotha
Just been reading up on this, they’re basically using the push device ID to see when certain devices are receiving data and from what apps. It sounds like more work than its worth, but it’s clearly something that’s being used widely.
That makes sense, too. So it’s not that they’re using push notifications, but the server data.
Yup
So they read push notifications dates and times, apps, devices name maybe? That’s a lot even without text itself…
Fuckin metadata strikes again but also they likely have access to it all unless the app dev specifically and painstakingly implements it 🤯
The article mentions about advising devs to not iclude sensitive data, and notifications could contain lots of it, think of emails or messengers notifications, what E2EE mean if you can read pushes lol. I never thought about me, but maybe We all should…
Nah, it can be encrypted. Fuck this bullshit, we have the technology, I shouldn’t need to log into everything or open every 1/5000 apps to get quick cues/updates. Apple needs to fuck off with the spying bullshit, even the governmen itself (lawmakers like Wyden are saying fuck this shit and shining a light+exposing it) is saying enough in the way it can.
Republicans/Democrats/humans who don’t want all their private data becoming endless Kompromat should be united on this, they have a hell of a lot more to hide than any of us singular private citizens
Edit: 💡on second thought, I switched to Never for “Show Previews” and I kinda like the way it keeps me on my toes and attentive to what it could be (anticipatory and curious). Maybe its just as well. Time will tell
This is why I have always said you shouldn’t trust Apple. They have absolute power over you.
Did you read the article? It says the federal government compelled Apple to comply and gave them a gag order.
You can de-Google an Android phone with a custom ROM and have a phone that you have control over and know nobody is spying on you by running a firewall on the phone.
Can’t do that on an Apple.
Actually, you can, with Lockdown for iOS or Lulu for macOS. There are other alternatives available, these are just a pair of FOSS examples. You can totally block *.apple.com if you really want to.
It’s not quite the same though. With a custom android ROM, you can be pretty confident that everything kernel-and-up is not spying on you. On iOS and macOS, you don’t have the same level of verifiability, as the OS could just circumvent any VPN/firewall you might have configured. They might pinky promise not to, but without running another external firewall it’s not really verifiable.
Which means Apple can’t be trusted. My data stays local.
deleted by creator
As the article says, Apple and Google both do it. Apple disclosed it, Google did not.
How is your conclusion ‘I don’t trust Apple’?
The Ars article on this said Google had been disclosing this for the past decade already whereas Apple didn’t.
It said that Google put it in their aggregated report. Not that they disclosed it. There is a big difference between ‘we got 100 requests’ and ‘we got 10 requests for X info, 30 for Y info’.
ETA: I just looked at the data again, it’s broken in to categories like FISA NSL etc, then it just gives a range of requests 0-1000 etc.
Fine, I don’t trust google or apple. I don’t use any of there services anyway.
Well, you do. You just don’t know it or like it.
I do? I don’t use google services at all. On my phone I run Lineage os and for file sharing I use self hosted nextcloud.
You can’t really go anywhere on the internet without using Google in some capacity. Cookies and trackers in all the things. Ads aplenty, and blocking them is perpetually an arms race.
Just trust me, I’ve always got contingency plans. I’m not naïve about them
I can think of one government that definitely surveils data that goes through Google servers.
deleted by creator
Ah yes, Android bad GrapheneOS good propaganda.