Articles › Technical Insights, Web Push Notifications

Web Push Notifications and privacy

  • # push-api

Are web push notifications a good technology for privacy?

The short answer is: YES.

If you want a more complete answer, with some technical aspects, please read the following sections: they describe in more details what makes the Push API / Web Push a perfect solution for privacy.

The push subscription is anonymous

First of all, using the Push API alone, you cannot personally identify the recipients of the notifications: when a user visits a website and subscribes to the notifications, a random token (endpoint) is generated. This endpoint is similar to a secret "mailbox": it allows the website to send messages to that specific browser. However since the endpoint is just a URL with a random token, it doesn't convey any personal information about the real person that has subscribed to the notifications.

Basically the users can receive the notifications while remaining anonymous. They can obviously provide more information to your website if they want, and you can keep that data together with the push subscription, but that is totally optional: a user that simply subscribes to the notifications doesn't share any personal data with the website.

No sign up required to receive the notifications

The recipients don't need to sign up and don't need to provide personal data to receive the notifications: usually a click on a button is sufficient to start receiving the notifications from a website.

When you accept to receive the notifications from a website, your browser doesn't share any personal data about you (it just generates a random token that allows the website to reach you).

Traditionally, in order to subscribe to the news of a website, you would need to provide some personal data - your name and email for example. Now thanks to web push notifications you can subscribe, without sharing any personal information.

Note that while an email address is usually associated to a user profile (e.g. a Google account), and thus is not usually anonymous, the endpoints generated to receive the notifications are totally random and anonymous.

Unsubscribe from notifications at any time

If you accept to receive the notifications from a website and then you change your mind, you can easily unsubscribe.

When you unsubscribe, it becomes technically impossible for the website to send you other notifications.

This is a huge step forward compared to email or phone number: when you give away your email or phone number you cannot revoke it. You can just ask the sender to stop sending messages. However some malicious senders may continue to hassle you. Web push is different: once you revoke a permission for a website to send notifications, that website is unable to reach you (technically).

No spam

Web push notifications don't have any problem with spam:

  • It's technically impossible to subscribe you to notifications without your permission: the browser always display a permission prompt before subscribing you to the notifications.

  • The unsubscription is easy and always effective: if you revoke the permission for notifications, it's technically impossible for the website to send you more notifications (the endpoint is technically deleted by the browser and permission revoked).

  • Unlike the email addresses, the push subscriptions cannot be easily shared with other senders. The push subscription is associated only to one specific domain (e.g. example.com) and there are also some cryptographic keys (like VAPID) that protect the endpoints.

Preventing spam at a technical level, thanks to the design of the technology, has great benefits both for the recipients and for the senders.

The users never receive spam and can unsubscribe at any time (e.g. from browser preferences).

The senders never have to worry about spam filters, bounces, lost messages and reputation management.

Encryption at rest and in transit for the push messages

Encryption is widely used by the Push API standard, which ensures:

  • confidentiality: the push messages are encrypted by the application and decrypted by the user browser, with a key that is stored privately on the user device. This ensures that no man in the middle can read the content of the messages. Not even the browser push service (e.g. Mozilla autopush, Google FCM, etc.) can read them, because the key is stored in the user browser. This also ensures that any third party that gains access to the push service cannot read the contents of the messages.
  • integrity: the push messages are encrypted / cryptographically signed and thus it's not possible to alter their content.
  • no censorship: since the push services cannot read the contents of the messages they cannot selectively choose to deliver some notifications and not others. Furthermore each browser can choose its own push service, based on privacy considerations (for example Mozilla Firefox uses a push service managed directly by Mozilla, which is called Mozilla autopush).

The encryption algorithms used by the Push API are recent and extremely secure: in particular the push messages are encrypted with the Elliptic Curve Digital Signature Algorithm (ECDSA). The messages are encrypted end-to-end, with a key stored locally in the user browser.

Basically all the data is encrypted and cannot be read at rest (when stored in the browser push service) and all the connections are also encrypted (SSL/TLS is required for websites in order to subscribe the users or send the notifications).

No spoofing

A spoofing attack is a technique in which a website identifies as another by falsifying data: for example spoofing is quite easy with emails, where you can freely set the sender address (From). Although email has introduced some additional protocols to reduce these attacks, the base protocol doesn't offer any protection. The situation is completely different with Web Push Notifications, which have built-in protection: it's technically impossible to send notifications from a website pretending that it's another website.

Basically you can clearly identify the sender domain and the sender domain displayed inside the notification is always correct. This can be explained simply if you know the Push API protocol: the browser has generated a unique endpoint ("mailbox") for each website and thus, when it receives a message, knows exactly what is the sending domain.

Obviously all these reasonings hold true until all the private keys used for cryptography are kept secret.

No tracking

As you may know, cookies can be used to track a user across different websites: basically they can collect the user journey on the web and they can be used to understand the user interests and activities. This can be a privacy concern.

On the other hand, the Push API has a perfect design for privacy and generates a different "push subscription" for each domain: each website gets a different endpoint (push subscription) to reach the user. To use a metaphor, it's like a user that gives a completely different email, made with random names, to each website.

Basically the Push API prevents cross-site tracking. There isn't any global identifier for the device that can be used by multiple sites to track the user and aggregate the data: each website gets a different identifier, for the same browser, and thus it's hard to track the browser across the web.

An open standard

Compared to other technologies, like the proprietary Apple Push Notification service, the Push API is a standard defined by the W3C (the consortium that creates the web standards) and is the result of the collaboration between different browsers (the major contributions are from Mozilla and Google).

An open standard is more secure than a proprietary protocol, because it allows the peer review and contributions from different people. Anyone can read the standard and raise privacy or security concerns, if any.

Finally note that the Push API standard has a section with all the privacy considerations.

Choose a trusted browser

Although the standard for delivering the push messages is extremely secure, consider that the browser is an app installed on your device and can ideally read all the local information on your device.

It's useless to have trusted communications, if you don't trust the browser installed on your device. For this reason you should choose your browser carefully (personally I trust all the most common browsers, like Chrome, Firefox, Edge, Safari, Brave, etc.).

Be careful with intermediaries (service providers)

If you are a website owner or a developer and you want to keep a high level of privacy, you should carefully choose the provider for web push notifications: many websites don't deal with the Push API directly and use an additional layer of abstraction, a service that can manage the notifications for the website.

Obviously this intermediary is an important piece in the chain of trust.

Pushpad is a reliable service focused on privacy. Unlike other major push services, Pushpad has never sold data for advertising purposes (it's not our business model). Data is only yours and you can choose what data you want to collect. We are a company based in EU (Italy) and we offer a reliable service since 2017.