In a letter to the Department of Justice, Senator Ronnie Wyden reveals that foreign governments have been spying on how American citizens use their iPhones and Android phones through push notifications.

Most people don’t think much of them, but some technologists have started to pay more attention to them because of the technology. Earlier this year French developer David Libeau said users and developers were often unaware of how their apps emitted data to the U.S. tech giants via push notifications, calling them “a privacy nightmare”:

Push notification is a subscription based system. Your smartphone subscribe to a channel and everything needs to go through the smartphone constructor’s servers. By « constructor’s server », I actually mean Apple if you have an iPhone or Google if you have an Android phone.

When the app wants to send a push notification even when it is closed, it is the app’s server that trigger a notification by sending the information to the smartphone constructor’s servers. So potentially, Apple or Google could read your push notifications or at least know that you are receiving data from an app.


That gives, according Wyden’s letter, the two companies unique insight into the traffic flowing from those apps to their users, and in turn puts them “in a unique position to facilitate government surveillance of how users are using particular apps”. For this reason Wyden asked the Department of Justice to “repeal or modify any policies” that hindered public discussions of push notification spying.

Meanwhile, several companies that have made privacy their core business are starting to remove from their applications any features that use push notification services provided by Google or Apple.

For example, Tuta, a provider of secure email services, recently released a version of its app based on its own push notification server:

GCM (or, how it’s called now, FCM, Firebase Cloud Messaging) is a service owned by Google. We at Tuta used FCM for our old Android app. Unfortunately, FCM includes Google’s tracking code for analytics, which we didn’t want to have in our secure app.

And, even more importantly: For being able to use FCM, you have to send all your notification data to Google - which should be a no go for any secure email service. You also have to use their proprietary libraries. Because of the privacy and security concerns that naturally go along with this, we did not send any information along with the notification messages with the old app (which, understandably, led to complaints by our users). Therefore, the push notification in the old Android app only mentioned that you received a new message without any reference to the email itself or to the mailbox the message has been placed in.

FCM is quite convenient to use, over the years Google made changes to Android which made it harder not to use their service for notifications. On the other hand, giving up Google’s notification service would free us from requiring our users to have Google Play Services on their phones. The challenge to replace Google’s FCM

The Tuta apps are Libre software, and we want to provide a true open source alternative to Gmail, which to us includes publishing our Android app on F-Droid. We wanted our users to be able to use Tuta on every ROM and every device, without the interference of a third-party service like Google.

We decided to take on the challenge and to build our own push notification service.


We’ve made a research on how others (Signal, Wire, Conversations, Riot, Facebook, Mastodon) have been solving similar problems. We had several options in mind, including WebSockets, MQTT, Server Sent Events and HTTP/2 Server Push. Replacing FCM with SSE

We settled on the SSE (Server Sent Events) because it seemed like a simple solution. By that I mean “easy to implement, easy to debug”.