Reuters: Governments spying on Apple, Google users through push notifications - US senator

https://www.reuters.com/technology/cybersecurity/governments-spying-apple-google-users-through-push-notifications-us-senator-2023-12-06/

2 Likes

Are users affected that use microg with Push Services too? (Cloud Messaging)
Would be a reason to disable cloud messaging for me.

2 Likes

I was also curious about this. I would guess that whether or not you connected your g-mail account to Microg or stayed anonymous would affect it.

found an answer :slight_smile:
https://www.kuketz-blog.de/android-abhilfe-gegen-staatliche-ueberwachung-durch-push-nachrichten/

1 Like

Could you give a short summary? I don’t speak/read German.

Apps of all kinds rely on push notifications to alert smartphone users to incoming messages, breaking news, and other updates. These are the audible “dings” or visual indicators users get when they receive an email or their sports team wins a game. What users often do not realize is that almost all such notifications travel over Google and Apple’s servers.

Most users give push notifications little thought, but they have occasionally attracted attention from technologists because of the difficulty of deploying them without sending data to Google or Apple.

Earlier this year French developer David Libeau said users and developers were often unaware of how their apps emitted data to the U.S. tech giants via push notifications, calling them “a privacy nightmare.”

He just says microg might be a good solution in a sidenote. But not digging into it too much.

2 Likes

I think I read that your Google/Apple ID is what’s used to identify you from the notification metadata. That alone makes Microg way more privacy friendly, even if they still are able to capture notification metadata going through Microg. But, I think you’re correct, we have to assume that our notifications are also being captured, even if there’s no account being tied to it.

Settings > System > microG > Cloud Messaging says “Cloud Messaging is a push notification provider used by many third-party applications. To use it you must enable device registration.”

Regarding device registration Settings > System > microG > Google device registration says “Registers your device to Google services and creates a unique device identifier. microG strips identifying bits other than your Google account name from registration data.”

Both Cloud Messaging and Google device registration are on and I believe I didn’t turn them on myself when I just installed /e/OS on my FP5. I can understand if that is default behavior for usability reasons. I mean, the good, simple usability is why I use /e/OS in the first place and keep installing and recommending it to friends.

However, it would be nice to know if these settings do expose /e/OS users to the same kind of surveillance.

Edit: I did not add a Google account to my accounts in settings. So there may even be two cases to discuss here (what if a Google account is added vs. what if no Google account is added).

3 Likes

For some users, it probably makes sense to switch off microG before connecting to a network for the first time. It is questionable whether this function should be activated by default or whether the user should be given the decision to activate it at the first start.

Translated from the German article from the kuketz-blog:

A range of device data (device model, language, country, installed system libraries, hardware features, CPU type, UUIDs, Android version, etc.) is transmitted to Google. A note from the microG developer:

In general, the data sent during device registration is practically anonymized as far as possible. If the device’s memory is reset, it is no longer recognizable from Google’s point of view. The device-specific data is only model-specific, but not tailored to the individual device - so all Pixel 6a with iodéOS and German language look the same to Google.

1 Like

Yes it may be questionnable, though I still think this default choice is consistent.
If the device registration for google push notifications was disabled by default, then many apps do not work as they should and end up being useless. So the choice here is rather on the user side : whether he chooses to install and use apps that have google push notification library instead of normal notifications.
I agree with /e/ os choice in that regard, having the micro g device registration and cloud push notification set to ON by default will allow users to have a working phone with nearly all apps. The user can then choose to go towards more privacy by either not using some apps (we can still circumvent most situations by using a web browser and website equivalent of an app, just to the cost of less comfort like not having those notifications) or by deactivating google cloud push notifications and device registration.
I used to deactivate google cloud push notifications, but the problem was that some apps were not working without me aware of it, and it takes some informed guessing to understand that the problem comes from this cloud push notification configuration in microG. So it does makes sense to activate those google notifications in case the user wants to use proprietary apps, as most of us do.
I also agree with /e/ os policy of having a balanced trade-off between usability and privacy. I keep in mind that even on a web-browser with addons, google is still able to identify ourselves and link or cross-site browsing easily. Though, as with microg anonymous device registration, the data is incomplete, hence less valuable to them. They maybe do not bother to re-agregate our incomplete user data as we are not a big pool of users and the endeavour is maybe more costly than the profit they can make out of it. Although not absolutely sure of the latter as Google is very good at everything.

3 Likes

Well said.

Yes, it’s certainly fine the way it is at the moment.

This topic was automatically closed after 13 days. New replies are no longer allowed.