Not content with mining your call data, your texts, your social media profiles, your search queries, and basically all the data crumbs you’ve left when communicating via phone or internet, the NSA has also been targeting “leaky” smartphone apps that can reveal more information about their users.
In previously undisclosed documents, the NSA and its British counterpart GCHQ apparently laid out how they could piggyback on apps to collect user data. This latest news comes from documents leaked by Edward Snowden and was reported in a joint effort by the Guardian, the New York Times, and ProPublica. The Times described the documents they were working from as “secret British intelligence documents.”
It seems like everyone’s favourite time-wasting mobile game has a few fans in the surveillance agencies, because they used Angry Birds as a case study. The image of spies lurking behind bushy-browed birds and green pigs is kind of amusing, until you hear quite how much information your commute button-mashing could be giving away.
The Guardian reported that data coming from various Android and iPhone apps could include everything “from phone model and screen size to personal details such as age, gender and location,” and in some cases even sexual orientation. “One app recorded in the material even sends specific sexual preferences such as whether or not the user may be a swinger,” data journalist James Ball wrote.
I’d recommend reading the stories by the Guardian and the Times/ProPublica in full, but the main gist of the revelations is that we can add mobile apps to the growing list of things the NSA and GCHQ have at least thought about hacking, and that these apps provide a whole treasure trove of data the agencies could potentially collect without having to hack an individual handset.
The reason these apps obtain so many juicy nuggets of information in the first place is, of course, usually for commercial purposes. Most users will be aware that their information is often used in potentially annoying but relatively harmless practices like targeted advertising; we accept that, by and large, that’s how a lot of free or low-cost digital services work. Every time you fill in a user profile, the details you give will be available to someone, though there are certain restrictions. But of course, once the data’s out there, it’s vulnerable.
For its part, Angry Birds creator Rovio told reporters it was unaware its app was being targeted by the NSA, or of any involvement by its third-party advertisers.
It’s only one app among many that has access to personal user data. In fact, it seems the holy grail for the NSA—the “Golden Nugget!” as they call it in one slide title—is when they find their target “uploading photo to a social media site taken with a mobile device.”
From that action, the Guardian reports, the agency wrote it could get a “‘possible image,’ email selector, phone, buddy lists, and ‘a host of other social working data as well as location.’” The newspaper noted that popular image-sharing services such as Facebook and Twitter strip this kind of EXIF data—though depending on when exactly that was done, it might still be vulnerable.
But it doesn’t stop there, and another particularly unsettling revelation is the surveillance agencies’ targeting of the Google Maps app, which would give information on users’ locations. The Times wrote that one document from 2008 bragged of this effort, “It effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system.” Ouch.
It’s unknown to what extent these tools were used, or how many people might be affected. The NSA is clearly sticking to its line that it doesn’t target innocent citizens, and told the Times, “NSA does not profile everyday Americans as it carries out its foreign intelligence mission,” with the admission, “Because some data of US persons may at times be incidentally collected in NSA’s lawful foreign intelligence mission, privacy protections for US persons exist across the entire process.”
On the British side, GCHQ gave the newspapers the stock response that they don’t comment on security issues (surprise, surprise). It’s a statement that’s getting increasingly familiar and frustrating, especially in cases like this where British documents are apparently at the heart of the matter.
Meanwhile, one amusing puzzle piece of the GCHQ operations was revealed, as we learned that the agency names the tools it uses on individual smartphones after characters from the Smurfs, and apparently invented one that sounds rather apt: “Paranoid Smurf.”