The FBI’s new tactic: Catching suspects with push alerts

The FBI’s new tactic: Catching suspects with push alerts

The alleged pedophile “LuvEmYoung” had worked to stay anonymous in the chatrooms where he bragged about sexually abusing children. A criminal affidavit said he covered his tracks by using TeleGuard, an encrypted Swiss messaging app, to share a video of himself last month with a sleeping 4-year-old boy.

But the FBI had a new strategy. A foreign law enforcement officer got TeleGuard to hand over a small string of code the company had used to send push alerts — the pop-up notifications that announce instant messages and news updates — to the suspect’s phone.

An FBI agent then got Google to quickly hand over a list of email addresses this month linked to that code, known as a “push token,” and traced one account to a man in Toledo, an affidavit shows. The man, Michael Aspinwall, was charged with sexual exploitation of minors and distribution of child pornography and arrested within a week of the Google request.

The breakthrough relied on a little-known quirk of push alerts, a basic staple of modern phones: Those tokens can be used to identify users and are stored on servers run by Apple and Google, which can hand them over at law enforcement’s request.

But the investigative technique has raised alarms from privacy advocates, who worry the data could be used to surveil Americans at a time when police and prosecutors have used cellphone data to investigate women for potentially violating state abortion bans.

“This is how any new surveillance method starts out: The government says we’re only going to use this in the most extreme cases, to stop terrorists and child predators, and everyone can get behind that,” said Cooper Quintin, a technologist at the advocacy group Electronic Frontier Foundation.

“But these things always end up rolling downhill. Maybe a state attorney general one day decides, hey, maybe I can use this to catch people having an abortion,” Quintin added. “Even if you trust the U.S. right now to use this, you might not trust a new administration to use it in a way you deem ethical.”

The data has become prized evidence for federal investigators, who have used push tokens in at least four cases across the country to arrest suspects in cases related to child sexual abuse material and a kidnapping that led to murder, according to a Washington Post review of court records. And law enforcement officials have defended the technique by saying they use court-authorized legal processes that give officers a vital tool they need to hunt down criminals.

Joshua Stueve, a spokesman for the Justice Department, said, “After determining that non-content push notification metadata may help arrest offenders or stop ongoing criminal conduct, federal law enforcement investigators fully comply with the U.S. Constitution and applicable statutes to obtain the data from private companies.”

The Post found more than 130 search warrants and court orders in which investigators had demanded that Apple, Google, Facebook and other tech companies hand over data related to a suspect’s push alerts or in which they noted the importance of push tokens in broader requests for account information.

Those court documents — which were filed in 14 states, as well as the District of Columbia — were related to suspects in a range of criminal charges, including terrorism, sanction evasion, guns, drugs, covid relief fraud and Somali piracy. Some of the cases involved the pro-Trump mob that stormed the U.S. Capitol on Jan. 6, 2021.

Three applications and court orders reviewed by The Post indicate that the investigative technique goes back years. Court orders that were issued in 2019 to Apple and Google demanded that the companies hand over information on accounts identified by push tokens linked to alleged supporters of the Islamic State terrorist group.

But the practice was not widely understood until December, when Sen. Ron Wyden (D-Ore.), in a letter to Attorney General Merrick Garland, said an investigation had revealed that the Justice Department had prohibited Apple and Google from discussing the technique.

Apple confirmed the government restriction in a statement that month to The Post but said it intended to provide more detail about its compliance with the requests in an upcoming report now that the method had become public. Google said in a statement then that it shared Wyden’s “commitment to keeping users informed about these requests.”

Unlike normal app notifications, push alerts, as their name suggests, have the power to jolt a phone awake — a feature that makes them useful for the urgent pings of everyday use. Many apps offer push-alert functionality because it gives users a fast, battery-saving way to stay updated, and few users think twice before turning them on.

But to send that notification, Apple and Google require the apps to first create a token that tells the company how to find a user’s device. Those tokens are then saved on Apple’s and Google’s servers, out of the users’ reach.

In effect, Wyden said, that technical design made Apple and Google into a “digital post office” able to scan and collect certain messages and metadata, even of people who wanted to remain discreet. David Libeau, a developer and engineer in Paris, wrote last year that the ubiquitous feature had become a “privacy nightmare.”

In one of the cases found by The Post, an FBI agent said in an affidavit that New York police officers had obtained a “dual-factor authentication push token” for a suspect from Talkatone, a service for making phone calls over the internet. Prosecutors said the suspect had used the service to lure food-delivery driver Peng Cheng Li to a location in Queens, where they abducted him. Later, they allegedly killed him.

FBI headquarters.

The officers used the Talkatone token to ask Apple whose account had been linked to it, the affidavit said. The company offered up the iCloud information for one of the two suspects later charged in the victim’s killing. Mike Langberg, a spokesman for Ooma, which owns Talkatone, said the company complies with “subpoenas and court orders as required by law.”

In two other cases, prosecutors were able to find Michigan men sharing child abuse images after demanding that the encrypted messaging app Wickr share information on push tokens for users who sent the images through its app. One of the men, John Garron, has pleaded guilty to sexually exploiting children and distributing child sexual abuse material; he is scheduled to be sentenced next month. Garron’s lawyer did not respond to a request for comment.

In a June hearing in the case, Assistant U.S. Attorney Christopher Rawsthorne cited the push-notification data as a critical way of identifying the defendant.

“It used to be that Wickr was something where it was impossible to figure out the identity … of the person using it,” Rawsthorne said. “And it’s only recently been that we’ve been able to figure it out.”

Wickr, which is owned by Amazon, shut down its free consumer-oriented app in December. Wickr and Amazon say on their websites that they respond to lawful requests from law enforcement. (Amazon founder Jeff Bezos owns The Washington Post.)

In the case of “LuvEmYoung,” federal investigators tracked the man through his messaging app of choice, TeleGuard, an affidavit shows. Though the app had promoted itself as saving no user data, its developers had nevertheless allowed for the creation of a piece of data that linked back to users through their push alerts.

In chats with an unidentified international law enforcement agent and an undercover FBI operative, known as an “online covert employee,” Aspinwall had shared explicit photos and videos and said he had sexually abused children known to him while they slept, the affidavit alleged.

To track him down, the operative worked with the international law enforcement agent and was given a push token linked to the suspect’s Android device, the affidavit said. The document says only that the investigator “provided” the token “as received from TeleGuard,” without explaining how.

Earlier this month, an FBI agent asked Google to hand over all data connected to that push token as part of what’s known as an “exigent,” or emergency, request. Google responded with information including the names of six accounts, one of which included Aspinwall’s name, as well as the IP addresses associated with those accounts.

Some of those IP addresses were linked to AT&T, which told the FBI that they had been used by Aspinwall’s neighbor, the affidavit shows. Aspinwall later told agents he had used his neighbor’s WiFi and admitted to the crime, the FBI affidavit alleged.

Aspinwall’s attorney declined to comment. TeleGuard’s owner, Swisscows, did not respond to requests for comment.

Google has said it requires court orders to hand over the push-related data. Apple said in December that it, too, would start requiring court orders, a change from its previous policy of requiring only a subpoena, which police and federal investigators can issue without a judge’s approval.

But in three of the four cases reviewed by The Post, Apple and Google handed over the data without a court order — probably as a result of the requests being made on an emergency, expedited or exigent basis, which the companies fulfill under different standards when police claim a threat of imminent harm.

Daniel Kahn Gillmor, a senior technologist at the American Civil Liberties Union, worried that the range of account information connected to a push token could allow it to be used to uncover other data. Down the road, he said, law enforcement could use the tactic to infiltrate a group chat for activists or protesters, whose push tokens might give them away.

“This is not just U.S. law enforcement,” Gillmor said. “This is true of all the other law enforcement regimes around the world as well, including in places where dissent is more heavily policed and surveilled.”