Caught by push alert

Full story: The FBI’s new tactic: Catching suspects with push alerts

After learning that the FBI had demanded Apple and Google not talk about the surveillance technique, we went looking for more details on the how criminal investigators were hunting down suspects through their push notifications, those ubiquitous pings of modern life:

The alleged pedophile “LuvEmYoung” had worked to stay anonymous in the chatrooms where he bragged about sexually abusing children. A criminal affidavit said he covered his tracks by using TeleGuard, an encrypted Swiss messaging app, to share a video of himself last month with a sleeping 4-year-old boy.

But the FBI had a new strategy. A foreign law enforcement officer got TeleGuard to hand over a small string of code the company had used to send push alerts — the pop-up notifications that announce instant messages and news updates — to the suspect’s phone.

An FBI agent then got Google to quickly hand over a list of email addresses this month linked to that code, known as a “push token,” and traced one account to a man in Toledo, an affidavit shows. The man, Michael Aspinwall, was charged with sexual exploitation of minors and distribution of child pornography and arrested within a week of the Google request.

Our investigation was covered by Wired and The Register, where one expert said, "These types of scandals are the tip of the iceberg for how push notifications can be abused."

Thanks for reading. Let's talk: [email protected].