Browser Push Notification Service Privacy

edited April 2016 in General Privacy Discussion Posts: 7
One interesting thing that's come up within the last several months is the idea of implementing website push notifications for browsers (both FF and Chrome).  Previously, a user had to have been signed into a browser like Chrome in order for the push notification service to be enabled, but now it appears that it's the default setting even without a Google account.

Push works essentially by maintaining a persistent connection to a server.  (Websites/services which use push connect to the push server, which delivers the messages.)  In FF for desktop they use Mozilla's server; in FF for Android they use Google Cloud Messaging.  Of course, Chrome and all Android devices use GCM as well.  While individual websites cannot identify you directly, you still must transmit a browser-based unique identifier to the push servers so that they can distinguish between individual users in order to deliver them notifications.  While the push device ID is encrypted (and is therefore difficult to intercept), Google can still decrypt it.  Google does not specify how long they keep logs of push connections, what they use that data for, or whether the service is truly turned off if you disable notifications.

So here's the privacy concern: if you're using PIA in order to browse, then you should make sure to disable all push notifications.  Otherwise, you'll be maintaining an always-on connection with either Google or Mozilla which uniquely IDs your browser.  From there it's relatively easy to correlate your VPN usage sessions with any unmasked browsing sessions with your real IP address.
Post edited by Bebop87 on
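
An added example, not part of the original post: a small audit of a Firefox `prefs.js`/`user.js` file for the push settings discussed above. The `dom.push.*` names are Firefox preferences; the defaults assumed for absent prefs and both sample profiles are constructed for illustration.

```python
import re

# Assumption: when a pref is absent from the file, stock desktop Firefox
# treats it as enabled, so a missing line counts as "push is on".
ASSUMED_DEFAULTS = {
    "dom.push.enabled": True,             # the Web Push service itself
    "dom.push.connection.enabled": True,  # the persistent push connection
}
UAID_PREF = "dom.push.userAgentID"        # per-browser ID sent to the push server

# Matches active lines only; commented-out "// user_pref(...)" lines are skipped.
PREF_RE = re.compile(r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of Python values."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw  # integers etc. are not needed for this audit
    return prefs

def audit_push(text):
    """Return findings that mean the browser can still be identified via push."""
    prefs = parse_prefs(text)
    findings = []
    for name, default in ASSUMED_DEFAULTS.items():
        if prefs.get(name, default):
            findings.append(name + " is enabled")
    if prefs.get(UAID_PREF):
        findings.append(UAID_PREF + " holds a stored push identifier")
    return findings

# Constructed sample: a profile that never touched the push settings.
SAMPLE_DEFAULT = '''
user_pref("browser.startup.page", 3);
// user_pref("dom.push.enabled", false);
user_pref("dom.push.userAgentID", "00000000000000000000000000000000");
'''

# Constructed sample: push disabled and the stored identifier cleared.
SAMPLE_HARDENED = '''
user_pref("dom.push.enabled", false);
user_pref("dom.push.connection.enabled", false);
user_pref("dom.push.userAgentID", "");
'''

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_push(text) or "no push exposure found")
```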

