The FBI’s new tactic: Catching suspects with push alerts
The ubiquitous phone feature has powered a surveillance technique used to catch suspected kidnappers and pedophiles. It’s also fueled fears of a ‘privacy nightmare’ at a time when abortion is criminalized.

By Drew Harwell and Aaron Schaffer
February 29, 2024 at 8:00 a.m. EST

https://www.washingtonpost.com/technology/2024/02/29/push-notification-surveillance-fbi/

The alleged pedophile “LuvEmYoung” had worked to stay anonymous in the chatrooms where he bragged about sexually abusing children. A criminal affidavit said he covered his tracks by using TeleGuard, an encrypted Swiss messaging app, to share a video of himself last month with a sleeping 4-year-old boy.

But the FBI had a new strategy. A foreign law enforcement officer got TeleGuard to hand over a small string of code the company had used to send push alerts — the pop-up notifications that announce instant messages and news updates — to the suspect’s phone.

An FBI agent then got Google to quickly hand over a list of email addresses this month linked to that code, known as a “push token,” and traced one account to a man in Toledo, an affidavit shows. The man, Michael Aspinwall, was charged with sexual exploitation of minors and distribution of child pornography and arrested within a week of the Google request.

The breakthrough relied on a little-known quirk of push alerts, a basic staple of modern phones: Those tokens can be used to identify users and are stored on servers run by Apple and Google, which can hand them over at law enforcement’s request.

But the investigative technique has raised alarms from privacy advocates, who worry the data could be used to surveil Americans at a time when police and prosecutors have used cellphone data to investigate women for potentially violating state abortion bans.

“This is how any new surveillance method starts out: The government says we’re only going to use this in the most extreme cases, to stop terrorists and child predators, and everyone can get behind that,” said Cooper Quintin, a technologist at the advocacy group Electronic Frontier Foundation.

“But these things always end up rolling downhill. Maybe a state attorney general one day decides, hey, maybe I can use this to catch people having an abortion,” Quintin added. “Even if you trust the U.S. right now to use this, you might not trust a new administration to use it in a way you deem ethical.”

The data has become prized evidence for federal investigators, who have used push tokens in at least four cases across the country to arrest suspects in cases related to child sexual abuse material and a kidnapping that led to murder, according to a Washington Post review of court records. And law enforcement officials have defended the technique by saying they use court-authorized legal processes that give officers a vital tool they need to hunt down criminals.

Joshua Stueve, a spokesman for the Justice Department, said, “After determining that non-content push notification metadata may help arrest offenders or stop ongoing criminal conduct, federal law enforcement investigators fully comply with the U.S. Constitution and applicable statutes to obtain the data from private companies.”

The Post found more than 130 search warrants and court orders in which investigators had demanded that Apple, Google, Facebook and other tech companies hand over data related to a suspect’s push alerts or in which they noted the importance of push tokens in broader requests for account information.

Those court documents — which were filed in 14 states, as well as the District of Columbia — were related to suspects in a range of criminal charges, including terrorism, sanction evasion, guns, drugs, covid relief fraud and Somali piracy. Some of the cases involved the pro-Trump mob that stormed the U.S. Capitol on Jan. 6, 2021.

Three applications and court orders reviewed by The Post indicate that the investigative technique goes back years. Court orders that were issued in 2019 to Apple and Google demanded that the companies hand over information on accounts identified by push tokens linked to alleged supporters of the Islamic State terrorist group.

But the practice was not widely understood until December, when Sen. Ron Wyden (D-Ore.), in a letter to Attorney General Merrick Garland, said an investigation had revealed that the Justice Department had prohibited Apple and Google from discussing the technique.

Apple confirmed the government restriction in a statement that month to The Post but said it intended to provide more detail about its compliance with the requests in an upcoming report now that the method had become public. Google said in a statement then that it shared Wyden’s “commitment to keeping users informed about these requests.”

Unlike normal app notifications, push alerts, as their name suggests, have the power to jolt a phone awake — a feature that makes them useful for the urgent pings of everyday use. Many apps offer push-alert functionality because it gives users a fast, battery-saving way to stay updated, and few users think twice before turning them on.

But to send that notification, Apple and Google require the apps to first create a token that tells the company how to find a user’s device. Those tokens are then saved on Apple’s and Google’s servers, out of the users’ reach.

In effect, Wyden said, that technical design made Apple and Google into a “digital post office” able to scan and collect certain messages and metadata, even of people who wanted to remain discreet. David Libeau, a developer and engineer in Paris, wrote last year that the ubiquitous feature had become a “privacy nightmare.”

In one of the cases found by The Post, an FBI agent said in an affidavit that New York police officers had obtained a “dual-factor authentication push token” for a suspect from Talkatone, a service for making phone calls over the internet. Prosecutors said the suspect had used the service to lure food-delivery driver Peng Cheng Li to a location in Queens, where they abducted him. Later, they allegedly killed him.

The officers used the Talkatone token to ask Apple whose account had been linked to it, the affidavit said. The company offered up the iCloud information for one of the two suspects later charged in the victim’s killing. Mike Langberg, a spokesman for Ooma, which owns Talkatone, said the company complies with “subpoenas and court orders as required by law.”

In two other cases, prosecutors were able to find Michigan men sharing child abuse images after demanding that the encrypted messaging app Wickr share information on push tokens for users who sent the images through its app. One of the men, John Garron, has pleaded guilty to sexually exploiting children and distributing child sexual abuse material; he is scheduled to be sentenced next month. Garron’s lawyer did not respond to a request for comment.

In a June hearing in the case, Assistant U.S. Attorney Christopher Rawsthorne cited the push-notification data as a critical way of identifying the defendant.

“It used to be that Wickr was something where it was impossible to figure out the identity … of the person using it,” Rawsthorne said. “And it’s only recently been that we’ve been able to figure it out.”

Wickr, which is owned by Amazon, shut down its free consumer-oriented app in December. Wickr and Amazon say on their websites that they respond to lawful requests from law enforcement. (Amazon founder Jeff Bezos owns The Washington Post.)

In the case of “LuvEmYoung,” federal investigators tracked the man through his messaging app of choice, TeleGuard, an affidavit shows. Though the app had promoted itself as saving no user data, its developers had nevertheless allowed for the creation of a piece of data that linked back to users through their push alerts.

In chats with an unidentified international law enforcement agent and an undercover FBI operative, known as an “online covert employee,” Aspinwall had shared explicit photos and videos and said he had sexually abused children known to him while they slept, the affidavit alleged.

To track him down, the operative worked with the international law enforcement agent and was given a push token linked to the suspect’s Android device, the affidavit said. The document says only that the investigator “provided” the token “as received from TeleGuard,” without explaining how.

Earlier this month, an FBI agent asked Google to hand over all data connected to that push token as part of what’s known as an “exigent,” or emergency, request. Google responded with information including the names of six accounts, one of which included Aspinwall’s name, as well as the IP addresses associated with those accounts.

Some of those IP addresses were linked to AT&T, which told the FBI that they had been used by Aspinwall’s neighbor, the affidavit shows. Aspinwall later told agents he had used his neighbor’s WiFi and admitted to the crime, the FBI affidavit alleged.

Aspinwall’s attorney declined to comment. TeleGuard’s owner, Swisscows, did not respond to requests for comment.

Google has said it requires court orders to hand over the push-related data. Apple said in December that it, too, would start requiring court orders, a change from its previous policy of requiring only a subpoena, which police and federal investigators can issue without a judge’s approval.

But in three of the four cases reviewed by The Post, Apple and Google handed over the data without a court order — probably as a result of the requests being made on an emergency, expedited or exigent basis, which the companies fulfill under different standards when police claim a threat of imminent harm.

Nomen Nescio <nobody@dizum.com> wrote:

>https://www.washingtonpost.com/technology/2024/02/29/push-notification-surveillance-fbi/
>
>The alleged pedophile “LuvEmYoung� had worked to stay anonymous in the chatrooms where he bragged about sexually abusing children. A criminal affidavit said he covered his tracks by using TeleGuard, an encrypted Swiss messaging app, to share a video of himself last month with a sleeping 4-year-old boy.

The hard way to learn, that encryption doesn't implicate anonymity.

On Sun, 10 Mar 2024 21:51:53 +0100 (CET), Nomen Nescio <nobody@dizum.com>
said:

> Nomen Nescio <nobody@dizum.com> wrote:
>
>>https://www.washingtonpost.com/technology/2024/02/29/push-notification-surveillance-fbi/
>>
>> The alleged pedophile "LuvEmYoung" had worked to stay anonymous in
>> the chatrooms where he bragged about sexually abusing children. A
>> criminal affidavit said he covered his tracks by using TeleGuard, an
>> encrypted Swiss messaging app, to share a video of himself last month
>> with a sleeping 4-year-old boy.
>
> The hard way to learn, that encryption doesn't implicate anonymity.

Not only that, but it should also inspire significant skepticism with regard
to any provider's claims about generation and retention of any data that
could potentially identity you. Case in point:

Privacy protection on TeleGuard

TeleGuard uses HTTPS and end-to-end encryption to protect its users'
privacy. No user data, including IP address, metadata, etc., is
collected or stored. The messages are stored only until they are
delivered. After delivery, they are deleted immediately. Thus, if
no backup has been created, there is no possibility of recovery.
The language used here is absolute, not only implying, but outright /stating/
that no data is generated/stored by anyone that could identify a user.

Their privacy policy page makes similar claims:

What do these guidelines cover?

This data protection declaration ("data protection") sets out the data
protection declaration of Swisscows AG (hereinafter referred to as
"Swisscows") and applies to users ("user" or "you") of Swisscows
products, currently known as "TeleGuard" ("TeleGuard").

This declaration applies to all products and services that we offer
across our entire website, and also applies to the website and your
use of TeleGuard ("services"). THIS POLICY DOES NOT APPLY TO THIRD
PARTY WEBSITES, PRODUCTS OR SERVICES, EVEN IF THEIR WEBSITE IS LINKED
TO OUR WEBSITE. PLEASE ALWAYS CHECK A THIRD PARTY'S PRIVACY PRACTICES
BEFORE DECIDING WHETHER TO SUBMIT INFORMATION. By using our website
or services, you accept the practices described in this policy. If
you do not agree to this policy, please do not visit or use our
website or our services. Your continued use of our website or
services means that you accept this policy.
[Emphasis added]

What data do we collect?

IP addresses
IP address is NOT saved.

Nice weasel-wording -- TeleGuard don't collect your IP address, but third-
parties can, and they're off the hook for that one.

Data acquisition
We do not collect personal information from our visitors.

When using TeleGuard, your IP address is not recorded, nor do we
record which browser you are using (Internet Explorer, Safari,
Firefox, Chrome, etc.). It is not recorded which operating system
you are using (Windows, Mac, Linux etc.), and your search queries
are not recorded. The only information we store is the sum of the
search queries entered daily on our website (a measure of the total
traffic on our site), a breakdown of this traffic by language and
pure overall statistics.

Our strict policy of not collecting any data protects your privacy.

Which is apparently entirely negated by third parties doing so.
Your IP address and information about the browser and operating
system could be used together with other data to clearly identify
your computer, your place of residence and you. It is also important
not to save any search terms, as these can also contain personal data.
(Just think of someone who enters their own name and / or insurance
number in the search box.)

The story outlined in the Washington Post puts the lie to their bullshit.

Lessons to be learned here:

1) Don't enable push-notifications, EVER.

2) Make sure that if you connect an email address to a TeleGuard account,
that it is a secure one, i.e. created/accessed via Tor /exclusively/.

3) Take any 'secure' service provider's promises and statements with not
just a pinch of salt, but rather a carload.

4) Remember the lessons of history -- Hushmail made similar promises, and we
all know how /that/ turned out -- 12 CDs of *decrypted* email turned over
to the Drug Enforcement Administration (DEA).

Nomen Nescio <nobody@dizum.com> wrote:

>On Sun, 10 Mar 2024 21:51:53 +0100 (CET), Nomen Nescio <nobody@dizum.com>
>said:
>
>> Nomen Nescio <nobody@dizum.com> wrote:
>>
>>>https://www.washingtonpost.com/technology/2024/02/29/push-notification-surveillance-fbi/
>>>
>>> The alleged pedophile "LuvEmYoung" had worked to stay anonymous in
>>> the chatrooms where he bragged about sexually abusing children. A
>>> criminal affidavit said he covered his tracks by using TeleGuard, an
>>> encrypted Swiss messaging app, to share a video of himself last month
>>> with a sleeping 4-year-old boy.
>>
>> The hard way to learn, that encryption doesn't implicate anonymity.
>
>Not only that, but it should also inspire significant skepticism with regard
>to any provider's claims about generation and retention of any data that
>could potentially identity you. Case in point:

>4) Remember the lessons of history -- Hushmail made similar promises, and we
> all know how /that/ turned out -- 12 CDs of *decrypted* email turned over
> to the Drug Enforcement Administration (DEA).

Trust us, we're a Swiss company (as the Crypto AG once was).

<https://en.wikipedia.org/wiki/Crypto_AG>

On Mon, 11 Mar 2024 11:45:30 +0100 (CET), Nomen Nescio <nobody@dizum.com> wrote:
>Nomen Nescio <nobody@dizum.com> wrote:
>>On Sun, 10 Mar 2024 21:51:53 +0100 (CET), Nomen Nescio <nobody@dizum.com> said:
>>> Nomen Nescio <nobody@dizum.com> wrote:
>>>>https://www.washingtonpost.com/technology/2024/02/29/push-notification-surveillance-fbi/
>>>> The alleged pedophile "LuvEmYoung" had worked to stay anonymous in
>>>> the chatrooms where he bragged about sexually abusing children. A
>>>> criminal affidavit said he covered his tracks by using TeleGuard, an
>>>> encrypted Swiss messaging app, to share a video of himself last month
>>>> with a sleeping 4-year-old boy.
>>>
>>> The hard way to learn, that encryption doesn't implicate anonymity.
>>
>>Not only that, but it should also inspire significant skepticism with regard
>>to any provider's claims about generation and retention of any data that
>>could potentially identity you. Case in point:
>
>>4) Remember the lessons of history -- Hushmail made similar promises, and we
>> all know how /that/ turned out -- 12 CDs of *decrypted* email turned over
>> to the Drug Enforcement Administration (DEA).
>
>Trust us, we're a Swiss company (as the Crypto AG once was).
><https://en.wikipedia.org/wiki/Crypto_AG>

compartmentalization, need to know, big business, big brother;
they make aliens of the dead and those returning to the earth;
it is hard for them to kick against the pricks, orbs, of light

On 10 Mar 2024, Nomen Nescio <nobody@dizum.com> posted some
news:5e4d1b49c7dedf51a47a920f6958a324@dizum.com:

> Nomen Nescio <nobody@dizum.com> wrote:
>
>>https://www.washingtonpost.com/technology/2024/02/29/push-notification-
>>surveillance-fbi/
>>
>>The alleged pedophile ⤽LuvEmYoung�? had worked to stay anonymous in
>>the chatrooms where he bragged about sexually abusing children. A
>>criminal affidavit said he covered his tracks by using TeleGuard, an
>>encrypted Swiss messaging app, to share a video of himself last month
>>with a sleeping 4-year-old boy.
>
> The hard way to learn, that encryption doesn't implicate anonymity.

True, but I have no problem with a kiddy diddler getting nailed.

The perp in this case could have easily avoided being caught. Just
because your phone is "smart" doesn't mean you are.

Sanction for hire, that's a necessity and public service at times.

On 10 Mar 2024, Nomen Nescio <nobody@dizum.com> posted some
news:83cb084b6aee36bf0d8c0cc006ee3da6@dizum.com:

> On Sun, 10 Mar 2024 21:51:53 +0100 (CET), Nomen Nescio
> <nobody@dizum.com> said:
>
>> Nomen Nescio <nobody@dizum.com> wrote:
>>
>>>https://www.washingtonpost.com/technology/2024/02/29/push-notification
>>>-surveillance-fbi/
>>>
>>> The alleged pedophile "LuvEmYoung" had worked to stay anonymous in
>>> the chatrooms where he bragged about sexually abusing children. A
>>> criminal affidavit said he covered his tracks by using TeleGuard, an
>>> encrypted Swiss messaging app, to share a video of himself last
>>> month with a sleeping 4-year-old boy.
>>
>> The hard way to learn, that encryption doesn't implicate anonymity.
>
> Not only that, but it should also inspire significant skepticism with
> regard to any provider's claims about generation and retention of any
> data that could potentially identity you. Case in point:
>
> Privacy protection on TeleGuard
>
> TeleGuard uses HTTPS and end-to-end encryption to protect its
> users' privacy. No user data, including IP address, metadata,
> etc., is collected or stored. The messages are stored only until
> they are delivered. After delivery, they are deleted immediately.
> Thus, if no backup has been created, there is no possibility of
> recovery.
>
> The language used here is absolute, not only implying, but outright
> /stating/ that no data is generated/stored by anyone that could
> identify a user.
>
> Their privacy policy page makes similar claims:
>
> What do these guidelines cover?
>
> This data protection declaration ("data protection") sets out the
> data protection declaration of Swisscows AG (hereinafter referred
> to as "Swisscows") and applies to users ("user" or "you") of
> Swisscows products, currently known as "TeleGuard" ("TeleGuard").
>
> This declaration applies to all products and services that we
> offer across our entire website, and also applies to the website
> and your use of TeleGuard ("services"). THIS POLICY DOES NOT
> APPLY TO THIRD PARTY WEBSITES, PRODUCTS OR SERVICES, EVEN IF
> THEIR WEBSITE IS LINKED TO OUR WEBSITE. PLEASE ALWAYS CHECK A
> THIRD PARTY'S PRIVACY PRACTICES BEFORE DECIDING WHETHER TO SUBMIT
> INFORMATION. By using our website or services, you accept the
> practices described in this policy. If you do not agree to this
> policy, please do not visit or use our website or our services.
> Your continued use of our website or services means that you
> accept this policy.
> [Emphasis added]
>
> What data do we collect?
>
> IP addresses
> IP address is NOT saved.
>
> Nice weasel-wording -- TeleGuard don't collect your IP address, but
> third- parties can, and they're off the hook for that one.
>
> Data acquisition
>
> We do not collect personal information from our visitors.
>
> When using TeleGuard, your IP address is not recorded, nor do we
> record which browser you are using (Internet Explorer, Safari,
> Firefox, Chrome, etc.). It is not recorded which operating system
> you are using (Windows, Mac, Linux etc.), and your search queries
> are not recorded. The only information we store is the sum of the
> search queries entered daily on our website (a measure of the
> total traffic on our site), a breakdown of this traffic by
> language and pure overall statistics.
>
> Our strict policy of not collecting any data protects your
> privacy.
>
> Which is apparently entirely negated by third parties doing so.
>
> Your IP address and information about the browser and operating
> system could be used together with other data to clearly identify
> your computer, your place of residence and you. It is also
> important not to save any search terms, as these can also contain
> personal data. (Just think of someone who enters their own name
> and / or insurance number in the search box.)
>
> The story outlined in the Washington Post puts the lie to their
> bullshit.
>
> Lessons to be learned here:
>
> 1) Don't enable push-notifications, EVER.
>
> 2) Make sure that if you connect an email address to a TeleGuard
> account,
> that it is a secure one, i.e. created/accessed via Tor
> /exclusively/.
>
> 3) Take any 'secure' service provider's promises and statements with
> not
> just a pinch of salt, but rather a carload.
>
> 4) Remember the lessons of history -- Hushmail made similar promises,
> and we
> all know how /that/ turned out -- 12 CDs of *decrypted* email
> turned over to the Drug Enforcement Administration (DEA).

Anything in a data centre can be grabbed by the feds of any country at any
time putting thousands of legit subscribers at risk. Very clever of the
LEOs to figure that push trick out.

On 11 Mar 2024, D <J@M> posted some
news:ef1b139b066c6e0aa6a6b30d1c51238c@dizum.com:

> On Mon, 11 Mar 2024 11:45:30 +0100 (CET), Nomen Nescio
> <nobody@dizum.com> wrote:
>>Nomen Nescio <nobody@dizum.com> wrote:
>>>On Sun, 10 Mar 2024 21:51:53 +0100 (CET), Nomen Nescio
>>><nobody@dizum.com> said:
>>>> Nomen Nescio <nobody@dizum.com> wrote:
>>>>>https://www.washingtonpost.com/technology/2024/02/29/push-notificati
>>>>>on-surveillance-fbi/
>>>>> The alleged pedophile "LuvEmYoung" had worked to stay anonymous in
>>>>> the chatrooms where he bragged about sexually abusing children. A
>>>>> criminal affidavit said he covered his tracks by using TeleGuard,
>>>>> an encrypted Swiss messaging app, to share a video of himself last
>>>>> month with a sleeping 4-year-old boy.
>>>>
>>>> The hard way to learn, that encryption doesn't implicate anonymity.
>>>
>>>Not only that, but it should also inspire significant skepticism with
>>>regard to any provider's claims about generation and retention of any
>>>data that could potentially identity you. Case in point:
>>
>>>4) Remember the lessons of history -- Hushmail made similar promises,
>>>and we
>>> all know how /that/ turned out -- 12 CDs of *decrypted* email
>>> turned over to the Drug Enforcement Administration (DEA).
>>
>>Trust us, we're a Swiss company (as the Crypto AG once was).
>><https://en.wikipedia.org/wiki/Crypto_AG>
>
> compartmentalization, need to know, big business, big brother;
> they make aliens of the dead and those returning to the earth;
> it is hard for them to kick against the pricks, orbs, of light

Patriot Act.

"One of the most significant provisions of the Patriot Act makes it far
easier for the authorities to gain access to records of citizens�
activities being held by a third party. At a time when computerization is
leading to the creation of more and more such records, Section 215 of the
Patriot Act allows the FBI to force anyone at all � including doctors,
libraries, bookstores, universities, and Internet service providers � to
turn over records on their clients or customers."

Without a warrant...

On Tue, 12 Mar 2024 01:23:42 +0100 (CET), Nomen Nescio <nobody@dizum.com>
said:

> On 10 Mar 2024, Nomen Nescio <nobody@dizum.com> posted some
> news:5e4d1b49c7dedf51a47a920f6958a324@dizum.com:
>
>> Nomen Nescio <nobody@dizum.com> wrote:
>>
>>> https://www.washingtonpost.com/technology/2024/02/29/push-notification-
>>> surveillance-fbi/
>>>
>>> The alleged pedophile “LuvEmYoung� had worked to stay anonymous in
>>> the chatrooms where he bragged about sexually abusing children. A
>>> criminal affidavit said he covered his tracks by using TeleGuard, an
>>> encrypted Swiss messaging app, to share a video of himself last month
>>> with a sleeping 4-year-old boy.
>>
>> The hard way to learn, that encryption doesn't implicate anonymity.
>
> True, but I have no problem with a kiddy diddler getting nailed.

This is why, when arguing for why encryption-busting legislation, the perps
trotted out by law enforcement are almost always kiddie diddlers, because
most people are utterly revolted by their very existence.

What most people don't realize -- or simply refuse to accept -- is this:

Either EVERYONE is safe, or NO ONE is safe.

> The perp in this case could have easily avoided being caught. Just
> because your phone is "smart" doesn't mean you are.

True. One has to wonder, though, how many others have been lulled into
accepting TeleGuard's claims at face value? This is why stories like this
are so valuable.
> Sanction for hire, that's a necessity and public service at times.

Sanction for hire? I don't understand what you mean. Would you explain,
please?

Stainless Steel Rat