- cross-posted to:
- selfhost@lemmy.ml
- privacy@lemmy.ml
- cross-posted to:
- selfhost@lemmy.ml
- privacy@lemmy.ml
cross-posted from: https://lemmy.crimedad.work/post/39255
Is self-hosted enough to avoid push notifications going through Apple and Google servers?
Pretty sure that is actually the recommendation from apple/google, as it reduces bandwidth for their notification servers.
I think the message payload is severely limited.
Like, pre-ios8 the limit was 256 bytes. Now it’s 2kb.
https://stackoverflow.com/a/6316022
I didn’t know that. Hmm, sounds like it’s decently likely this is a bit overblown then. I mean, I suppose there are a lot of lazy companies out there that will skip this, but that severely limits the functionality in a way that it’s going to force the secure method.
It opens users to timing attacks.
If there are 10000 notifications per second. And across 100 incidents user A does something to cause a notification and user B receives a notification within network latency time periods, it is likely user A is talking to user B.
Whilst that seems like arbitrarily useless data, having this at the giga/peta scale that the US government is processing it, you can quickly build a map of users “talking” to users.
Now, this requires the help of other parties. You need to know that user A is using WhatsApp at the time. And yeh, you don’t know what the message is, but you know that they are hitting WhatsApps servers. And you know that within 5 minutes of User B receiving a notification, they are also then contacting WhatsApp servers.
So now you know that user A is likely talking to user B via WhatsApp.
And also user G, I X and M are also involved in this conversation.
And you bust user G on some random charge. And suddenly warrants are issued for more detailed examination of users A, B, I, X and M.
Maybe they have nothing to hide and are just old college friends. Or maybe they are a drug ring, or whatever.
It’s all the “I have nothing to hide”, phones being tied to a person, privacy and all that.
We can’t really comprehend the data warehouse/lake/ocean level of scale required to realise what all the little pieces of meta data and tracking information being able to add up to “User A is actually this person right here right now and they bought a latte at Starbucks and got 5 loyalty points” level of tracking.
Is it likely this bad?
Probably.
Theres the “Target knows I’m pregnant before told anyone” story.
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/
That’s over a decade ago. It’s not let off. And you can bet that governments are operating at a level a few years beyond private industry.
So yeh, every bit of metadata counts