• towerful@programming.dev
    11 months ago

    That said, some apps rather than sending your device the actual notification

    Pretty sure that is actually the recommendation from Apple/Google, as it reduces bandwidth for their notification servers.
    I think the message payload is severely limited.
    Like, pre-iOS 8 the limit was 256 bytes. Now it’s 2kb.

    https://stackoverflow.com/a/6316022

    • whofearsthenight@lemm.ee
      11 months ago

      I didn’t know that. Hmm, sounds like it’s decently likely this is a bit overblown then. I mean, I suppose there are a lot of lazy companies out there that will skip this, but that severely limits the functionality in a way that it’s going to force the secure method.

      • towerful@programming.dev
        11 months ago

        It opens users to timing attacks.
        If there are 10000 notifications per second, and across 100 incidents user A does something to cause a notification and user B receives a notification within network latency time periods, it is likely user A is talking to user B.
        Whilst that seems like arbitrarily useless data, having this at the giga/peta scale that the US government is processing it, you can quickly build a map of users “talking” to users.
        Now, this requires the help of other parties. You need to know that user A is using WhatsApp at the time. And yeh, you don’t know what the message is, but you know that they are hitting WhatsApp’s servers. And you know that within 5 minutes of User B receiving a notification, they are also then contacting WhatsApp’s servers.
        So now you know that user A is likely talking to user B via WhatsApp.
        And also users G, I, X and M are also involved in this conversation.
        And you bust user G on some random charge. And suddenly warrants are issued for more detailed examination of users A, B, I, X and M.
        Maybe they have nothing to hide and are just old college friends. Or maybe they are a drug ring, or whatever.

        It’s all the “I have nothing to hide”, phones being tied to a person, privacy and all that.
        We can’t really comprehend the data warehouse/lake/ocean level of scale required to realise what all the little pieces of metadata and tracking information being able to add up to “User A is actually this person right here right now and they bought a latte at Starbucks and got 5 loyalty points” level of tracking.

        Is it likely this bad?
        Probably.
        There’s the “Target knows I’m pregnant before I told anyone” story.
        https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

        That’s over a decade ago. It’s not let off. And you can bet that governments are operating at a level a few years beyond private industry.

        So yeh, every bit of metadata counts
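
The timing correlation described in the comment above, as an added example that is not part of the original thread: it counts how often a push to one user lands within a short window after another user's send, and how a random delivery delay changes that count. All timestamps, the one-second window, the 0.2 s latency and the user labels A, B and C are constructed assumptions.

```python
import random
from bisect import bisect_left, bisect_right

def cooccurrences(sends, receives, window):
    """Count sends that are followed by at least one receive within `window` seconds."""
    receives = sorted(receives)
    return sum(
        1 for t in sends
        if bisect_left(receives, t) < bisect_right(receives, t + window)
    )

def simulate(jitter, incidents=100, span=86_400.0, latency=0.2, window=1.0, seed=1):
    """Return (hits for the linked pair A->B, hits for the unrelated pair A->C).

    All values are constructed: A sends `incidents` messages over one day,
    B gets a push `latency` seconds later plus a random delay of up to
    `jitter` seconds, and C gets the same number of pushes at unrelated times.
    """
    rng = random.Random(seed)
    a_sends = [rng.uniform(0, span) for _ in range(incidents)]
    b_pushes = [t + latency + rng.uniform(0, jitter) for t in a_sends]
    c_pushes = [rng.uniform(0, span) for _ in range(incidents)]
    return (cooccurrences(a_sends, b_pushes, window),
            cooccurrences(a_sends, c_pushes, window))

if __name__ == "__main__":
    for jitter in (0.0, 600.0):
        linked, unrelated = simulate(jitter)
        print(f"jitter={jitter:>5.0f}s  A->B hits={linked:3d}  A->C hits={unrelated:3d}")
```

With no delay every one of the 100 incidents matches for the linked pair while the unrelated pair stays near zero; a random delay of up to ten minutes pulls the linked pair down to the same noise level for this fixed window, though the push itself still exists as metadata.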