For context, we are sending ~35 million push notifications per month on iOS and ~67 million on Android, see more at [1]

[0]: https://developer.apple.com/documentation/bundleresources/en...

[1]: https://threadreaderapp.com/thread/1721717002946191480.html

Source code on GitHub.com/mozilla-mobile

APNS is not a "let my server wake up my app in the background whenever and however often I like" mechanism.

Defer handling other things until either your extension or your app would have run anyway and do them at that time.

Send a meaningless random ID, then do a get request to your API to get the actual content, then present it to the user.

Only a meaningless ID will transit through google/apple servers.

Honest question. I'm sure many thought about it before.

I built a finance app a few years ago that would take market data via a push notification, and then the transform extension would render it to a chart image and attach the image to the notification to avoid generating them server side.

I would pay to commission a blog post on the topic if you’re willing to write it.

Decrypting a push notification appears to be supported using 'mutable-content' with a notification service.

In fact that is the example used here: https://developer.apple.com/documentation/usernotifications/...

Zac also just let me know the other reason we need filtering is so we can properly unsubscribe users from notifications when one is received from a server they no longer are connected to.

https://www.wyden.senate.gov/issues/secret-law

https://www.wyden.senate.gov/news/press-releases/wyden-colle...

https://www.wyden.senate.gov/news/press-releases/wyden-intro...

https://www.wyden.senate.gov/priorities/gps-act

https://www.wyden.senate.gov/news/press-releases/wyden-relea...

It's sad we don't hear more about people like this in positions of power.

2008: https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveilla...

The votes: https://www.govtrack.us/congress/votes/110-2008/s168

But this is a MUCH older issue: https://en.wikipedia.org/wiki/Room_641A

And if you don't know about Quest: https://en.wikipedia.org/wiki/Joseph_Nacchio

The entire time period of the Bush admin is a microcosm for unresolved issues of today: Voting machines, government over reach and spying, security, encryption, copyright, bad behavior by corporate entities (M$ has a cohort).

That said, I also think things happen way before the first term. It requires consent of the Party to get on the ballot and hundreds of millions of dollars, increasingly trending towards billions, to run a campaign with a chance of winning, because in a democracy it's quite self evident that the person who spends the most money, must be the better person. Results don't lie!

And on top of all of this, if you aren't shaping up to be who the Party wants, then the completely independent, free, and honest media will demonize you. And even if this doesn't destroy you in the eyes of your own supporters, it'll rile up your opponent's base enough as they race to vote (for somebody they also don't even particularly care for) because if they don't, then you might win! That cannot be allowed to happen as it would obviously be the literal end of the world.

This is why it's ever more important for social media to be controlled, lest somebody angle-shoot around the traditional path to success - the media. If somebody's gaining traction on social media, then he's saying things that disagree with the powers that be. Since he's disagreeing with the powers that be, he is spreading misinformation by definition, so he must be censored. For our safety.

That's certainly a step above many of the grifters we have in government, but it's also not necessarily a good thing. People can truly believe in stuff that's harmful or flat out wrong.

Oregon is an extremely based state. Y'all crap on PDX but the reality is that we have more freedom and less tyranny here than in any other state in the nation, and possibly in the world. PDX is "bad" because it's one of the only places in the world that hated the cops enough to actually muzzle them - and not living in fear of the boot is worth needing to deal with homeless people.

Want to smoke weed? Check (lowest prices in the world). Want to do psychedelics? (functionally legalized) Check. Want to shoot guns? (relatively lax gun laws for a blue state) Check. Want to not be spied on? As check as Ron Wyden can make it!

Your DA is determined to destroy this right by spending tax dollars appealing 114 until they find a judge who agrees with them.

In all seriousness, Utah sounds like your ideal so long as you stay outside of Salt Lake City. I'm glad to no longer be a resident

When it intrudes upon the bodily autonomy of others (e.g. second hand smoke, which I am constantly facing and suffering from in the Bay Area).

Not enough trees. Nor enough employment in my non-remoteable field.

Public smoking is a concern, but the smoke will leak even if smoked inside of a home. With edibles and inhalers I don't understand why people thought it was a good idea to legalize marijuana smoking.

> Nor do I see how having bodily autonomy is necessarily a tyranny of the masses.

Generalizing the principle of the swinging your fists near someone else's nose saying.

You do know that, right? I'm not detecting any humour markers...

OP is complaining that he might get a whiff coming from his neighbors house.

> In a few states, however, public consumption is completely tolerated or allowed in licensed lounges and designated areas.

And the laws as is make it easy for people to lie to the police about exactly where they were when they were smoking the weed.

Wish it stopped at just the smell.

Second hand weed is harmful.

https://www.uclahealth.org/news/secondhand-marijuana-smoke-w...

You do understand that many tort suits, and outright laws, are over subjective harms, right? (trash in neighbors yards, loud sounds late at night, smells from chemical industries, etcetera) That laws such as disability protection laws exist?

https://www.chemicalsensitivityfoundation.org/index.html

Lots of people love the smell of cannabis. No one loves "trash in neighbors yards, loud sounds late at night, smells from chemical industries".

Arguing in bad faith is lame dude.

Second hand weed is harmful. https://www.uclahealth.org/news/secondhand-marijuana-smoke-w...

There are entire messy neighborhoods.

> loud sounds late at night

People sleep at different times of the day.

> smells from chemical industries

People who lack a sense of smell don't care.

Special pleading for marijuana smoking is also lame.

You want to live in a state where all smoking is illegal?

Because you don’t like the smell of weed smoke?

How interesting.

No, not because I "don't like" it, but because the smell of weed smoke causes quality of life and health issues.

One of the biggest reasons I'm happy I moved away from my home in Oregon. The second-hand weed smoke is gross.

When they were building the CSAM detector: "what if the government asks you to extend the detection to include other media such as political meme images?" "we would refuse".

The answer is both, which in particular means that they have to be technological. We need to prove their inability to defect with math because otherwise they can just lie about it.

What you need from the law is the right for everybody to use that kind of technology by default.

I guess now the yahoo phone doesn't sound like that bad of a joke https://www.slashgear.com/wp-content/uploads/2010/05/nokia_y...

https://www.reuters.com/article/usa-security-google/update-2...

I am legitimately surprised that more tech-heads didn't see this state-of-affairs (and all the other obvious drawbacks of The World's Most Featureful Spy Device, controlled end-to-end by a giant multinational, becoming ubiquitous in peoples back pockets) as an obvious, absolute given, right from the very start of the whole smartphone trend. Instead we all seem to have bought into it, hook-line-and-sinker.

Didn't see or didn't bite the hand that feeds?

Conduct yourself on your phone the way you would in public in front of friends and family. Only text/browse with stuff you'd be okay with a stranger knowing. I've operated this way for many years for the exact reason that this article highlights.

You have to be willing to live with something less feature-rich than what you can get on the latest iPhone 27 Max Pro(TM). And you have to be gutsy enough to click an "Install some other OS" button in your web browser with your phone plugged into a USB port.

Then to extend to services, a lot of it depends on your ability to deploy your own stuff. This can involve a lot of time reading how-to guides after you've installed Linux on a machine in your house. Given how much documentation is readily available online most people with a high school diploma can probably figure it all out, but you have to be motivated enough to refuse to be helpless.

Today you can purchase a Pixel 7[|a|Pro] and flash GrapheneOS on it. There's a lot you can get from F-Droid, but if you really want Google Play Store apps, GrapheneOS does a reasonable job sandboxing it. Create a new Google account just for that installation of Google Play Store.

Never sign into anything Google, Microsoft, Apple, Facebook, Twitter/X, LinkedIn, or whatever from your phone. Or at least if you absolutely have to, use a trusted web browser in Incognito or Private Browsing Mode.

Keep location tracking disabled for everything but your favorite maps app. Put your phone in Airplane Mode when you're traveling if you don't want cell towers to capture your location info. GPS reception still works.

WG Tunnel can get you to your server when you're not on your home network. Some people swear by Tailscale, but you have to trust them with your node info.

Syncthing works for backup for a lot of people.

For private maps I've been using Organic Maps with some success. Searching for places isn't necessarily trivial, but the navigation feature has always worked well for me.

For private comms you really need it to go both ways (you and the recipient). The weak point is likely to be the recipient's environment, but at least something like Signal gives you a chance.

Something like Fastmail works for email and calendar, since they're probably not building a profile on you and selling that to advertisers. DAVx5 is free from F-Droid for calendar sync.

Kagi works really well for search. Also, they probably haven't sold out to advertisers. DuckDuckGo is another option with another set of trade-offs.

For music you can serve FLAC files via minidlnad to VLC. minidlnad was a 3-minute tweak to a config file after I apt-got it. There are tons of options here.

Explore F-Droid for stuff that might do better for privacy, like Spotube, FreeOTP, Podverse, Librara FD, Cheogram, etc. I'm not claiming that the F-Droid apps will all give you perfect privacy, but in general they're probably better than a lot of the stuff that's pushed in the Play store.

Check out e-books and audiobooks from your local library. Or copy them to your device via Syncthing after feeding your e-books through Calibre's DeDRM extension. The idea is to keep from having to context license servers from your phone.

Give up on Apple or Google Pay, credit cards, and loyalty programs if you don't want your eReceipts collected and added to your consumer profile by companies that do that sort of thing.

None of this is a surefire way to give yourself perfect privacy, but it can greatly reduce the amount of your personal information that your government and/or corporations collect on you via your mobile device.

I agree with all of this, but realistically it's not just a simple matter of being willing to live with less features - this is a significant amount of work to investigate, implement, and upkeep for someone who is techy, let alone a less technically-inclined person.

I can barely get my family to use Signal, let alone install F-Droid or learn how to configure Syncthing.

Ultimately, this does indeed come down to "if you use a big product, you're likely being spied on", but this shouldn't be the individual consumer's fault.

No matter what OS you put on, there's still a proprietary baseband blob with executuon permissions underneath. All of these devices are built compromised.

Seems like this is what is being implied:

Given:

- users with notifications enabled

- have X app installed

- targeted user(s) reside in USA

- targeted users(s) following “foo” on X app

When:

- issue FISA warrant for all smartphone users that received notifications in regards to “foo” user

Then:

- able to pull all Apple/Google accounts that match this criteria

- able to get real addresses and names

- can crosscheck names with other details to narrow down suspect

Or maybe it’s something even worse where notifications somehow leak location data

Who knows? Maybe you want to retroactively look at shit peopke received and decide on new crimes.

https://en.m.wikipedia.org/wiki/Utah_Data_Center

But since PRISM was exposed ~10 years ago, they have had to resort to using FISA court to scrape data

\s

[1] https://www.washingtonpost.com/news/morning-mix/wp/2016/08/1...

So a gov finds that IP address 7.8.9.0 received one of these notifications at 12:34. They then see that 7.8.9.0 is one of ATT’s addresses. They go to ATT and learn that address was used by their customer onionisafruit at 12:34 and the device was 5ms away from tower A.

You have captured the device of some group member, and you want to investigate his associates, but you don't know who they are. So you ask Google and Apple: Make a list of all of the devices that have received a push notification sent by where those devices have received at least 200 notifications within 50ms of a notification received by this device. (You will have to make Google or Apple share the list with the target timings with the other)

That will give you a list of everyone who is in a group chat with your target, regardless of whether or not the messages were deleted or encrypted. Now you tell Apple/Google to give all the data on those accounts. You will probably find enough in their Gmail/location history/browsing history to identify nearly all associated people without ever bothering to look at IP addresses.

This also works if you get into a chat with your target. You send some messages and then have Google/Apple identify their device via timing, then identify all their associates.

Apps notifications can trigger if you enter a "protest zone" for example then gov will know everyone who was there.

No mobile, no identification, obscure any way to uniquely be identified.

> - targeted users(s) following “foo” on X app

It seems "X app" means just any placeholder app (not the new Twitter rebrand), although I might be wrong.

One notable corollary is, the shittier the mobile browser webapp implementation is, the more they want to push people onto their app. See: Facebook, Twitter, Reddit, etc.

Yelp is the gold standard in this regard, blithely pretending that they can't show you any photos (or is it more than a few photos? I avoid yelp on mobile so much I can't recall). It's probably the right move for them, because the photos are 99% of the reason I ever want to use Yelp. Reviews can be outright lies or simply written by people ~~with no taste~~ whose tastes are not simpatico with mine, but photos don't lie*.

* well, nowadays I guess they can

https://molly.im/

(It isn't technically a mesh, since it doesn't support multi-hop routing. Still, it is peer to peer, and doesn't require a data connection.)

[0]: https://developer.apple.com/documentation/multipeerconnectiv...

[0] https://android-developers.googleblog.com/2018/09/notifying-...

If you're trying to hide from that type of attack you need to send a fixed rate stream of messages (most of which are dummy messages, except the occasional message containing genuine content -- like number stations). Furthermore, every point in the chain also needs to avoid revealing which messages are genuine (by fetching the encrypted message from the server when it receives a genuine notification, you're giving data away).

The operator of the app could send messages at fixed intervals to make it more difficult to correlate the messages (more samples required to have confidence in the recipient). If they send dummy notifications they'd probably fall foul of Apple/Google's constraints around invisible-to-the-user notifications (I know Apple prohibits them, I assume Google does as well)

I can't see that frustrating this type of attack would be interesting to Apple/Google: it would push up power & radio bandwidth requirements for everybody pretty significantly.

It's all about the timing (and meta-data like which app), not about the contents.

E.g: if I get a signal notification and the notification has no data except “event happened, call server for updates” - and then you fetch updates as a batch - doesn’t the sheer number of people making that same generic batch update call somewhat mask it?

I’m curious where Apple prohibits dummy notifications, by the way - I used them for a financial app I worked on a few years back and never got dinged for it.

However, I was actually wrong more generally because Apple does have push notification type for this, Background Updates[1] are permitted to run invisibly. They say not to try sending more than 2-3 per hour, and that "the system may throttle the delivery of background notifications if the total number becomes excessive" - which sounds like you're permitted some unspecified small number between app launches.

These notifications seem to only be able to send a single boolean flag, so it doesn't seem like an awfully viable way of implementing a fixed rate message system (especially because you'd also want to be sending messages out on that same fixed rate to frustrate analysis)

1: https://developer.apple.com/documentation/usernotifications/...

Even just E2EE on the notifications themselves would be an improvement over the current situation. It would make certain categories of data unavailable to eavesdroppers. The fact that it would not protect against 100% of all types of data/metadata exfiltration is not sufficient reason to oppose implementing it.

Additionally, with a little bit of work (well, really quite a lot) the push messages can be made to hide the source. This would make it harder to distinguish a Gmail or DoorDash notification from a WhatsApp notification.

But as others have pointed out, just having the timestamp and target of the notifications already tells a lot.

A lot of apps don’t even put much in the push messages themselves at all, they are mainly an indicator to phone home for more information.

Consequently no gov has been getting meaningful info from the content of this stuff for many years - it will all be what you can infer from observed patterns, which is a lot.

Eh, what’s a few orders of magnitude increase in notification infrastructure overhead anyway? /s

The most promising starting point is probably at the state level.

But yeah, I'm not going to let threat of death keep me from plowing forward. Embracing death is part of death practice. I'm still going to move forward playfully and through harm reduction.

I think you've read the government's self promotional material, and believe it - that it's trying to do the best for its citizens, keep people safe, etc as opposed to seeing it for what it is, which is a mafia exploration racket that keeps it's major beneficiaries out of public view.

Why isn't there key exchange happening at the time of enrollment? Why is it something apps have to manually do? We moved the web to https everywhere for a reason, why are apps behind the web in privacy?

Potentially stupid question - how is iMessage encrypted end to end if the notifications aren't?

Consider:

1. A phone call in which Mrs. Smith talks to a receptionist to set an appointment with a doctor for 9:30 next Wednesday.

Vs.

2. Knowing that Mrs. Smith called an abortion clinic.

#2 seems like a bigger violation of privacy. Metadata is the real data.

you'd still have to look up who the doctor they called is from the metadata; it's still info but absolutely not more informative than the real data

so this line of thought makes no sense, and glenn greenwald should be looked at very skeptically in general, he sounds smart but when you look at his logic closer it breaks down

You're assuming these things are mentioned. "Hi, I'd like to book/confirm an appointment with Dr. Jones." doesn't leak information about "abortion".

Yes, these things obviously depend on what information is transmitted. The point, however, is that metadata more reliably transmits sensitive information than does "the data".

yes it does.. just look up who dr jones is; is the metadata going to say "this lady is getting an abortion" ?

1. The conversation may or may not contain information pertaining to an abortion.

2. The metadata (namely: "it's an abortion clinic") inherently contains such information.

The point is that metadata is usually the more interesting data.

It can simultaneously be true that metadata contains less information than real data and that metadata is still dangerous. But when one is known for breathless hyperbole, should we be surprised when that’s what we get?

They’re not just a “doozy” they’re downright fascist authoritarian. Even the positive positives are infringements.

Someone pointed out that, while being watched is creepy, the real damning information on people actually comes from being listened to.

[0]: https://www.nybooks.com/online/2014/05/10/we-kill-people-bas...

> In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.

What is the point of transparency reports if they don't include major vectors of government surveillance?

IMO such gag orders shouldn't be legal when applied to dragnet surveillance. If you want to gag a company from notifying an individual they're being surveilled (with a warrant), then fine. But gagging a company from disclosing untargeted or semi-targeted surveillance, especially if it involves American citizens, seems like it should be unconstitutional on free speech grounds.

I see you have not read the Patriot Act, an Orwellian double-speak of a title if there ever was one.

Uniting and Strengthening American by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.

It really is one of the best double-speak bill titles ever.

Is there any data on how often they're surveilling people without warrants vs with warrants?

This seems like important info to know.

But won’t someone think of the children!?

I wish it didn't cost a lot of money and years of your life to beat these over-reaches.

Hey we would like to bring suit because the government says we can't talk about them doing X. Oh no, that would be talking about doing X!!

https://www.aclu.org/documents/constitution-100-mile-border-...

As far as "reasonable suspicion" goes, I'm increasingly unwilling to support the right of law enforcement to independently, without oversight, determine what is "reasonable".

[0] https://www.nationalreview.com/2018/02/border-patrol-warrant...

I frankly don't care what's legal or not at this point. The surveillance and police state has gotten out of control, and needs to be rolled back. If we constantly just accept past precedent as dictating our future, our rights will be chipped away one by one.

I don't want to live in a society where I can be stopped and asked for identification by law enforcement at any time. Most Americans don't, that's why we still don't have a proper national ID. I consider that to be a warrantless search regardless of what the law currently says.

> Arm yourself with knowledge, just as the Founding Fathers intended.

I find that most people who pretend to speak for "the Founding Fathers" are extremely ignorant of the actual motivations of these people who lived 200 years ago. I won't pretend to speak for them, but I will note that I strongly suspect that the smugglers and tax evaders who signed the Declaration of Independence would probably not be in favor of the ever-growing police state we have today.

Regardless, what they wanted is immaterial—they set up this country for us, and presumably expected us to lead it after their deaths.

Oh, but you should - your freedom may depend on it.

> police state has gotten out of control, and needs to be rolled back

Maybe, but this is the world we presently find ourselves living in, and we can either choose to become empowered with knowledge about it, or throw a hyperbolic tantrum and wish for the moon.

> I don't want to live in a society where I can be stopped and asked for identification by law enforcement at any time.

You don't, at least not in the US. If you took more time to care about the laws you decry, you would know there is no such requirement, unless you have been suspected of a crime by a lawful sworn agent of the state. Which is a reasonable compromise in a society.

> smugglers and tax evaders who signed the Declaration of Independence ... would probably not be in favor of the ever-growing police state we have today

I agree. Those individuals knew well what an unchecked government can do, and took many reasonable precautions to safeguard against such infringements and tyranny. They were of course imperfect in their implementation, but the principals they set forth (freedom of speech, defense, religion, &c.) formed a radically different society to anywhere else on the planet today. Which is why I'm always puzzled when people disregard their hard work to take some agency's word and propaganda at face value, rather than consulting the original tenets which founded this great country.

If you took the time to read the article I sent you, you would know that CBP asserts that it has the right to get onto any bus at any time and demand to see proof of citizenship for anyone on board.

You can wave the book at me all day long, but what actually matters is how the law is implemented in practice, and it's pretty clear that law enforcement does, in fact, claim the right to stop anyone at any time and ask for ID.

They generally ask. If you refuse, you are now suspected of a crime. If you refuse again… well, I hope you like the back of a squad car.

Source: went for a walk in my own neighborhood at 3am.

Poor school kiddos. :( Anyway, if you prefer text, click the transcript. I recommend listening though, if you have time!

I looked it up though. This was 30 years ago. The court issued Border Patrol an injunction and protected students from discimination. A perfect example of the legal system acting justly and prudently, which only supports my argument that unbridled searches within 100 miles of the border is hyperbole only.

In practice, the evidence gathered by unlawful searches is going to be discarded in a court of law. Other wise said, there is no carving in penal law for "100 miles " from the border.

I don't understand how you reach this conclusion.

> In practice, the evidence gathered by unlawful searches is going to be discarded in a court of law

Yes, of course. What I'm talking about is the threshold for when evidence is considered "unlawful".

The "reasonable suspicion" threshold is intentionally an extremely low bar. Low enough that it's barely a meaningful threshold. In practice, it's incredible easy for any officer to make up some articulable suspicion for pretty much anything.

Maybe. Probably? But this isn't always the critical question.

Sometimes, "You May Beat the Rap, But You Can't Beat The Ride" is the problem.

How many times did those of us who knew all of this to be a farce warned about this?

That is until a government asks them to do things behind the scenes.

If you actually take a second to listen to Matt Gaetz, for example, you might be surprised to learn his (rather principled) positions are much closer to those of AOC than to President Orange, at least in some dimensions. He wants to require single-issue bills, and to completely eliminate FISA-702. Ironically, it seems like FISA will be reauthorized as part of an omnibus spending bill...

Support from members here and there is nice but in reality for the 20 years I’ve been paying attention has resulted in nothing.

The feels.

I think companies publishing whatever they can is a good thing. We would be worse off if they took the attitude of if we can't publish everything we might as well publish nothing.

But this is also a great reminder that there's a bunch of things they can't publish -- so "transparency reports" are of extremely limited value. Their greatest value is encouraging people to have a false sense of security.

The term "unelected bureaucrats" applies to people like...I dunno, the director of the NIH and field office managers. Heck, even a police captain is an "unelected bureaucrat". Sheesh.

See also the California senators, which have at this point been unilaterally appointed by Gavin rather than elected by the people. If that wasn’t bad enough, he appointed this latest one based on a personal promise made to put a Black woman in the seat, in exchange for some union to aid in his personal election campaign.

If anyone cared about civics, separation of power, or indeed democracy itself, there’d be rioting in the streets.

As for your alleged lesson in civics, the actual matter is covered by the 17th amendment to the constitution, which states:

> When vacancies happen in the representation of any State in the Senate, the executive authority of such State shall issue writs of election to fill such vacancies: Provided, That the legislature of any State may empower the executive thereof to make temporary appointments until the people fill the vacancies by election as the legislature may direct.

- U.S. Cons. amend. XVII § 2, emphasis mine

So then the question is how has the CA legislature directed the executive thereof to make temporary appointments? The answer to that lies in the California Code:

> If a vacancy occurs in the representation of this state in the Senate of the United States, the Governor may appoint and commission an elector of this state who possesses the qualifications for the office to temporarily fill the vacancy until a person is elected at a statewide general election...

- Cal. Elec. Code § 10720, emphasis mine

So we're left with a very simple question: Was Laphonza Butler an elector of the state of CA at the time she was appointed to fill the vacancy by Gavin? If not, Gavin was operating outside his authority as granted by the CA Legislature, and accordingly in volition of the 17th amendment to the US Constitution.

And the answer to that is very simple, a resounding "No":

> Butler is a longtime California resident but now lives in Maryland. She owns a home in California also. The governor’s office said she would re-register to vote in California soon.

- https://www.sfchronicle.com/politics/article/laphonza-butler..., emphasis mine

Perhaps we just go with rock solid transparency laws...

The fact this rarely happens is more due to people not actually knowing the law and typically wanting to avoid potential conflict.

> That rule didn't come from the people who wrote the law.

But lawmakers can write a law to address that.

https://aspe.hhs.gov/sites/default/files/documents/e4a791060...

How about the NSA spying on congress?

https://www.theguardian.com/world/2014/jan/04/nsa-spying-ber...

How about the ATF making up laws?

https://nclalegal.org/2019/09/atf-admits-it-lacked-authority...

The only teeth congress has with these bureaucracies is the power of the purse.

Not true. Congress can make laws defining what those agencies are and are not allowed to do.

It's certainly not a perfect system, but it's successfully done all the time.