Notification services and our hidden dependence on proprietary network infrastructures

A few day ago, reports uncovered that Google collects the location of Android phones, even if location services are turned off. This collection was introduced in a change in Google’s Firebase Cloud Messaging service (formerly known as Google Cloud Messaging). Although almost all Android users rely on this service daily, many might never have heard of it. And those who have heard of it and try to avoid it for its privacy implications have a very hard time doing so. The dependence on such services is a prime barrier for truly independent and privacy preserving app development for mobile devices. This text will explain why.

Firebase is a mobile notification service. What does it do and why is it so important? Notification services allow app developers to notify your device of events, e.g. that a message has been sent to you. On most desktop applications, this problem has been solved by polling. For example, your e-mail client contacts your e-mail provider at regular intervals (like every ten minutes) and checks if new messages have arrived. For many mobile applications, this model is unsatisfactory. First, at least in the beginning, mobile data was expensive and regular polling causes traffic, even if no messages are waiting. Second, for almost real time messaging that is usual on Whatsapp, Signal, FB Messenger etc. you need answers immediately, not only every ten minutes. This could be solved with a permanent connection to the server. But that causes even more traffic and also a (slight) increase in usage of battery power.

This is where notification services come in. When your device starts up, it registers with a notification service and tells it your current internet address. If a new message arrives, the provider (e.g. Facebook, Whatsapp, etc.) contacts the notification service. The notification service knows where to find your device via the internet address and notifies it (hence the name) that a new message has arrived. Only then does your device contact the server and retrieve the message. This means that your device connects to the server only when it is necessary. But when it is necessary it knows so immediately.

Notification services usually do not transmit the messages themselves. They just tell the device of noteworthy events. Apart from messages, this could be that an update for an app is available, someone posted a new picture, someone started to follow you or liked your post, etc. After such notifications the device can contact the respective service provider and retrieve the necessary data. This optimizes the traffic of mobile devices. They never miss a thing but only connect to services when they need to. But it also optimizes the efforts of the service providers. They do not need a server infrastructure that can withstand constant polling of thousands of devices — let alone maintain constant connections. And they can develop apps more cheaply, because the tricky parts of communication are provided for free by the manufacturers of mobile operating systems.

That is why all mobile devices come with their own notification service. Google’s android has Firebird. IOS comes with Apples Push Notification Service, Amazon devices use Amazon Simple Notification Service, and Microsoft Phones Windows Push Notification Service. They are pre-installed, run in the background and give app developers an easily accessible communication infrastructure.

Given these advantages, almost all apps rely on notification services. Which means that almost all apps, regardless who developed it, depend on a centralized service. And it is this centralized service, which now started to collect location data for Google. (Location is not necessary for the service to operate since it only needs your internet address to contact your device.) So even if you are careful with your data, you disable location service, you don’t even have a Google account, you still need that notification service from Google. Otherwise most apps will cease to run. There are free and open source versions of Android like LineageOS or Copperhead, which do not run Firebase by default. But that means a very limited choice of apps. Even many of the great free and open source apps in the alternative app store F-Droid presuppose a working notification service.

I’ve operated a phone without Google’s notification service for the last couple of years. My use of the mobile internet was more or less limited to everything that works in the browser. Only recently did Signal start to support messaging without Firebase, so at least one more or less widely used messaging service is now available without relying on the centralized infrastructure of the data greedy Internet giants. (There are many messaging clients that work via XMPP, using decentralized servers via an open standard — more or less like e-mail. But so far, that is a niche product.)

This illustrates a bigger problem: mobile media are inherently networked. On a desktop computer, a couple of nerds who were discontent with commercial software could just build their own stuff. And slowly such self-built software turned into mature applications that time and again prompted big commercial manufacturers to introduce some changes. On a mobile device, you can build your own stuff, too. But it still needs to connect to the established network infrastructure in order to function — which destroys many of the benefits of free software development; in particular its greater sensitivity for data protection.

So here’s one more aspect — a rather hidden one — in which we are increasingly becoming dependent on a few big companies. Companies, that sell access to their services and infrastructure deeply entangled with their devices. To an extent where the device becomes more and more unusable without that infrastructure. Consequently, this dependence can only be solved by regulation — or by alternative infrastructures. In a better world we would probably have a free notification service, run by a trustworthy (e.g. public) institution on open source software. A second alternative would be to return to decentralized servers and polling — in times of flat-rate mobile plans and omnipresent wifi this is maybe the easier way to go. But first of all, the dependence needs to be recognized and understood as a problem by regulators and the public. Hopefully, the reports on Google’s data collection are a first step.