Catch suspects with push notifications

Alleged pedophile ‘LuvEmYoung’ had tried to remain anonymous in chat rooms where he bragged about sexually abusing children. He covered his tracks by using TeleGuard, an encrypted Swiss messaging app, to share a video of himself with a sleeping 4-year-old boy last month, according to a criminal affidavit.

But the FBI had a new strategy. A foreign law enforcement official had TeleGuard hand over a small string of code that the company had used to send push alerts (the pop-up notifications that announce instant messages and news updates) to the suspect’s phone.

An FBI agent then quickly had Google hand over a list of email addresses linked to that code, known as a “push token,” this month and traced one account to a man in Toledo, an affidavit shows. The man, Michael Aspinwall, was charged with sexual exploitation of minors and distribution of child pornography and was arrested within a week of Google’s request.

The breakthrough relied on a little-known property of push alerts, a staple of modern phones: the tokens behind them can be used to identify users and are stored on Apple and Google servers, which can hand them over to police upon request.

But the investigative technique has raised alarms among privacy advocates, who worry the data could be used to surveil Americans at a time when police and prosecutors have used cellphone data to investigate women for possible violations of state abortion bans.

“This is how every new surveillance method starts: the government says we’re only going to use this in the most extreme cases, to stop terrorists and child predators, and everyone can get behind that,” said Cooper Quintin, a technologist at the advocacy group Electronic Frontier Foundation.

“But these things always go downhill. Maybe one day an attorney general will decide, maybe I can use this to catch people having abortions,” Quintin added. “Even if you trust the US to use this now, you may not trust that a new administration will use it in a way that you consider ethical.”

The data has become valuable evidence for federal investigators, who have used push tokens in at least four cases across the country to arrest suspects in cases related to child sexual abuse material and a kidnapping that led to murder, according to a review of court records by The Washington Post. And law enforcement officials have defended the technology, saying it uses court-authorized legal processes that give officers a vital tool they need to track down criminals.

Joshua Stueve, a spokesperson for the Department of Justice, said: “Having determined that metadata from non-content push notifications can help apprehend offenders or stop ongoing criminal behavior, federal law enforcement investigators are fully complying with the U.S. Constitution and applicable statutes to obtain data from private companies.”

The Post found more than 130 search warrants and court orders in which investigators had demanded that Apple, Google, Facebook and other tech companies hand over data tied to a suspect’s push alerts or noted the importance of push tokens in broader requests for account information.

Those court documents, which were filed in 14 states as well as the District of Columbia, concerned suspects facing a range of criminal charges, including terrorism, sanctions evasion, weapons, drugs, Covid aid fraud and Somali piracy. Some cases involved the pro-Trump mob that stormed the U.S. Capitol on January 6, 2021.

Three applications and court orders reviewed by The Post indicate that the investigative technique is years old. Court orders issued to Apple and Google in 2019 required the companies to hand over information about accounts identified by push tokens linked to alleged supporters of the Islamic State group.

But the practice did not become widely understood until December, when Sen. Ron Wyden (D-Ore.) said in a letter to Attorney General Merrick Garland that an investigation had found that the Justice Department had banned Apple and Google from discussing the technique.

Apple confirmed the government restriction in a statement to The Post that month, but said it planned to provide more details about its compliance with the requests in an upcoming report now that the methodology had become public. Google said in a statement at the time that it shared Wyden’s “commitment to keep users informed about these requests.”

Unlike normal app notifications, push notifications, as their name suggests, have the power to wake up a phone – a feature that makes them useful for the urgent pings of everyday use. Many apps offer push alert functionality because it gives users a fast, battery-saving way to stay informed, and few users think twice before enabling them.

But to send that notification, Apple and Google require the apps to first create a token that tells the company how to find a user’s device. These tokens are then stored on Apple and Google servers, out of reach of users.

Wyden said Apple and Google’s technical design essentially created a “digital post office” that could scan and collect certain messages and metadata, even from people who wanted to remain discreet. David Libeau, a developer and engineer in Paris, wrote last year that the ubiquitous feature had become a “privacy nightmare.”

In one of the cases found by The Post, an FBI agent said in an affidavit that New York police officers obtained a “dual-factor authentication push token” for a suspect from Talkatone, an Internet phone call service. Prosecutors said the suspect used the service to lure food delivery worker Peng Cheng Li to a location in Queens, where they kidnapped him. Later they allegedly killed him.

The agents used the Talkatone token to ask Apple whose account was linked to it, the affidavit said. The company offered the iCloud information of one of two suspects later charged in the victim’s murder. Mike Langberg, spokesman for Talkatone owner Ooma, said the company is complying with “subpoenas and court orders as required by law.”

In two other cases, prosecutors were able to find Michigan men who shared child abuse images after demanding that the encrypted messaging app Wickr share information about push tokens for users who sent the images through the app. One of the men, John Garron, has pleaded guilty to sexually exploiting children and distributing child sexual abuse material; he will be sentenced next month. Garron’s attorney did not respond to a request for comment.

At a hearing in the case in June, Assistant U.S. Attorney Christopher Rawsthorne cited the push notification data as a crucial way to identify the suspect.

“Wickr used to be something where it was impossible to find out the identity… of the person using it,” Rawsthorne said. “And it’s only recently that we’ve been able to figure it out.”

Amazon-owned Wickr shut down its free consumer-facing app in December. Wickr and Amazon say on their websites they respond to lawful requests from law enforcement. (Amazon founder Jeff Bezos owns The Washington Post.)

In the case of “LuvEmYoung,” federal investigators tracked the man through his favorite messaging app, TeleGuard, according to an affidavit. Even though the app had promoted itself as not storing user data, the developers had still allowed the creation of a piece of data that linked to users through their push notifications.

In chats with an unidentified international law enforcement agent and an undercover FBI agent known as an “online covert operative,” Aspinwall had shared explicit photos and videos and said he had sexually abused known children while they slept, the affidavit alleged.

To track him down, the agent worked with the international law enforcement agent and obtained a push token linked to the suspect’s Android device, the affidavit said. The document says only that the researcher “provides” the token as received from TeleGuard, without explaining how.

Earlier this month, an FBI agent asked Google to hand over all data associated with that push token as part of a so-called “urgent” or emergency request. Google responded with information including the names of six accounts, one of which contained Aspinwall’s name, as well as the IP addresses associated with those accounts.

Some of those IP addresses were linked to AT&T, which told the FBI they had been used by Aspinwall’s neighbor, the affidavit states. Aspinwall later told agents he had used his neighbor’s Wi-Fi and confessed to the crime, the FBI affidavit alleged.

Aspinwall’s attorney declined to comment. TeleGuard’s owner, Swisscows, did not respond to requests for comment.

Google has said it needs court orders to turn over the push-related data. Apple said in December that it would also begin seeking court orders, a change from its previous policy of requiring only a subpoena, which police and federal investigators can issue without a judge’s approval.

But in three of the four cases reviewed by The Post, Apple and Google handed over the data without a court order, likely because the requests were made on an urgent or expedited basis, which the companies fulfill under different standards when police claim a threat of immediate harm.

Daniel Kahn Gillmor, a senior technologist at the American Civil Liberties Union, worried that the set of account information associated with a push token could allow it to be used to obtain other data. In the future, he said, law enforcement could use the tactic to infiltrate a group chat for activists or protesters, whose push tokens could give them away.

“This isn’t just American law enforcement,” Gillmor said. “This also applies to all other law enforcement regimes around the world, including in places where dissent is more heavily policed and monitored.”
