Notification from the app? Now the government can read it too.
Privacy is over on the lock screen.
Apple has disclosed statistics on the number of government requests from various countries for data related to push notifications on its devices. These requests involved unique push tokens that identify specific devices and, in some cases, included unencrypted notification text displayed to users. The newly published data sheds light on the scale and regularity of such requests over a two-year period—from July 2022 to June 2024.
The practice of sharing this information came to light in 2023 when U.S. Senator Ron Wyden sent a letter to the Department of Justice, revealing that not only Apple but also Google obtains data from their notification systems, including metadata about which app received a notification, when it was received, and the Apple and Google account identifiers associated with it. In some cases, the letter noted, companies could also access unencrypted notification content, including app instructions or the text displayed on the screen. Thus, both tech giants were involved in a previously undisclosed scheme for collecting information on behalf of law enforcement.
According to the published report, between July and December 2023, the U.S. government submitted 99 requests covering 345 push tokens. Apple responded to 65 of them. The UK made 123 requests for 128 tokens during the same period and received data on 111. Germany obtained responses to 5 requests. The Netherlands and France also requested information but received no response.
Israel stands out with a single request during that period, but it involved 694 push tokens. However, Apple did not provide the data in response. Israeli government officials declined to comment, as did Apple itself.
In the second half of the reporting period—from January to June 2024—the UK again received data, this time for 127 requests. The U.S. obtained information for 36 requests, and Germany also received some data. Singapore, despite its requests, was left without a response.
As Apple explains, a push token is generated when a user enables notifications for a specific app. This token is registered to both the device and the developer. Requests for such data typically aim to identify the Apple account linked to the token. The information provided may include the user's name, physical address, and email.
In December 2023, Apple changed its policy: now, a judge's order is required to obtain push notification data. Before that, a subpoena was sufficient for law enforcement.
The information about data sharing came to light thanks to journalist Andre Meister, who posted a link to Apple’s transparency report on Mastodon. Earlier, similar details had partially surfaced in U.S. court documents.
