Print 26 comment(s) - last by prophet001.. on Jan 30 at 9:14 AM

Browser cookies, mobile apps do the NSA's data mining work for it

The words are ignored by most of us:

This application has access to the following...

...but to everyone's favorite spy agency, the U.S. National Security Agency (NSA) such permissive features and the data they mine can represent a "Golden Nugget!" of information, according to a 2010 agency slide deck.

I. All Your Metadata Are Belong to U.S.

It's already well known that the NSA is spying on Americans, ally states, and everyone else via intercepting internet communications from both PCs and mobile devices, plus telephony metadata.  Sometimes this spying is hard work, but it turns out these agencies are also greedily eye the metadata mined by mobile applications, as a quick and dirty route to spying on the public.

Android app permission
Data mining apps are likely sharing your personal information with the NSA for deep storage.
[Image Source: NProtect]

Potential privacy concerns about companies like Google Inc. (GOOG) and Facebook, Inc. (FB), as well as top mobile/social gaming firms like Facebook app-maker Zynga Inc. (ZNGA) and Angry Birds developer Rovio Entertainment Ltd., have been raised in the past.  Users have mostly ignored such warnings, though, so mobile providers have been able to quietly amass hordes of data which they use to target advertisements at customers.

Rovio admitted in 2012 to collecting certain private information to monetize its apps, but says that it does not "knowingly" collect app data for users under 13.

WSJ app data sharing
What your app knows about you might surprise you. [Image Source: The New York Times]

Rovio and others harvest user details via the help of third party toolkits, which contain plug-and-go codes to monitor user behavior.  The information gathered can help third party ad partners  -- or direct ad distributors like Google, Apple, Inc. (AAPL), and Facebook -- guess what ads might work on you.  And smart advertising can mean big profits.

When it comes to cellular networks, app developers typically feel less need to obfuscate data as there's often the false assumption that interception is prohibitively expensive/complex.  This misconception has even been seen at times in the security analysis space. 

Many security experts worry about the wealth of app-mined plaintext (unecrypted) cellular data traveling about, but most discussion has focused on the endpoints -- where the data is being stored.

fiber cablesUndersea cable
The NSA taps data at the cable level. [Image Source: Unknown (left); AFP (right)]

That's because no one expected hackers to be tapping into the fiber optic backbone of the internet -- an incredibly complex and time-consuming process.  But that's exactly what the NSA has been revealed to be doing.  And unlike app makers and OS platform makers, who at most have access to data of a substantial chunk of consumers, a spy agency tapping the backbone has the ability to basically achieve total data dominance.  U.S. and UK spy agencies can literally see everyone's data, regardless of what platform you're on.

II. Profiling Your Private Life

According to an accompanying deck by the NSA's UK sister agency, the Government Communications Headquarters (GCHQ), for an app like Angry Birds, that includes:
  • handset model
  • unique handset ID number
  • software version
  • operating system version
  • intimate personal details
Angry Birds marital status
Burstly Software's Dev Kit, used to monetize Angry Birds, can profile your marital status and sexual behavior. [Image Source: Propublica]

A report in The New York Times -- who along with The Guardian and ProPublica received leaked documents originally leaked by Edward Joseph Snowden -- reports:

The streams are divided into “traditional telephony” — metadata — and others marked “social apps,” “geo apps,” “http linking,” webmail, MMS and traffic associated with mobile ads, among others. (MMS refers to the mobile system for sending pictures and other multimedia, and http is the protocol for linking to websites.)

Angry Birds

The basic handset information provided by an app like Angry Birds could help the government attack your device with malware for deeper monitoring.  One GCHQ slide suggests:

GCHQ's targeted tools against individual smartphones are named after characters in the TV series The Smurfs. An ability to make the phone's microphone 'hot', to listen in to conversations, is named "Nosey Smurf". High-precision geolocation is called "Tracker Smurf", power management – an ability to stealthily activate an a phone that is apparently turned off – is "Dreamy Smurf", while the spyware's self-hiding capabilities are codenamed "Paranoid Smurf".

GCHQ Guide to Smartphone Spying by jasonmick

Cookies and other micro-software can also be employed for similar data-mining gains, when you browse on your PC.  Ironically the UK has one of the world's strictest laws regulating third-party cookies, the local spy agency is reportedly spying on citizens via its own distributed cookies and the intercepted results of those third-party cookies.

A UK slide states, "[Cookie information] [is] gathered in bulk, and [is] currently our single largest type of events."

Cookies are a top data source for the NSA and GCHQ. [Image Source: Magdex USA]

Past NSA slides indicate that the NSA is attacking Americans via artificial intelligence queries.  Type something the NSA finds suspicious?  It can start installing malware on your machine.  The agency cleverly claims it's not targeting Americans as many of these attacks are fully automated and require no human intervention.  Thus the government uses criminal tactics to attack your data, but says that's okay because no physical humans were involved.

III.  Personal Information: Ammo for Blackmail, Suppression

According to the GCHQ deck, potential information that could be mined from various apps also includes:
  • age
  • gender
  • ethnicity
  • friends
  • location
  • medical history
  • political leanings
  • work records/status
  • sexual behavior (e.g. whether you're a "swinger")
  • sexual orientation
  • marital status
NSA between the sheets
The NSA and GCHQ know what you're doing between the sheets. [Image Source: Scanpix]

The NSA and GCHQ call this a "perfect scenario" for their goal of spying on everyone.  A slide reads, "Target uploading photo to a social media site taken with a mobile device. What can we get?"
NSA cartoon
An NSA cartoon depicts apps as a magical fairy that gives the spy agency your data.

The answer appears to be everything from user uploaded photos, to intimate details of users life, to users work information.  But the question is how much information the NSA and GCHQ were really intercepting from mobile apps.  Recall that past documents and testimony indicated that these capabilities not only exist, they were being used to spy on most Americans -- around 75 percent of data transfers in the case of internet traffic and roughly 99 percent of data transfers in the case of telephone calls.

With mobile apps, the GCHQ gleefully cheers, "[This] effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system."

Google Maps
The NSA is spying on Google Maps queries to track Americans.

The seizure of image texts (MMS) and information on citizen's private lives is especially alarming, as the NSA's and GCHQ's have the potential to try to use the personal foibles of politicians (affairs, sexual orientation, etc.) to blackmail them into supporting increased domestic spying and a transfer of power to the intelligence community. 

The NSA has already essentially admitted to spying on Congress, telling them they get "the same privacy protections" as normal Americans. How do you get away with such tactics?  You could claim you only saw that data via "an accident" -- the blanket excuse the NSA uses for its analysts who break the law thousands of times a year.

IV. What Does the NSA Say?

An NSA official similarly indicated that it was likely mass harvesting senstive data from Americans and citizens of other nations.  They commented to The NYT:

The communications of people who are not valid foreign intelligence targets are not of interest to the National Security Agency.  Any implication that NSA's foreign intelligence collection is focused on the smartphone or social media communications of everyday Americans is not true. Moreover, NSA does not profile everyday Americans as it carries out its foreign intelligence mission. We collect only those communications that we are authorized by law to collect for valid foreign intelligence and counterintelligence purposes – regardless of the technical means used by the targets.

Because some data of US persons may at times be incidentally collected in NSA's lawful foreign intelligence mission, privacy protections for US persons exist across the entire process concerning the use, handling, retention, and dissemination of data. In addition, NSA actively works to remove extraneous data, to include that of innocent foreign citizens, as early as possible in the process.

Continuous and selective publication of specific techniques and tools lawfully used by NSA to pursue legitimate foreign intelligence targets is detrimental to the security of the United States and our allies – and places at risk those we are sworn to protect.

The NSA implies it seizes corporate mined data to spy on Americans. [Image Source: NYPost]

Likewise the GCHQ spoksperson comments:

It is a longstanding policy that we do not comment on intelligence matters.

Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework that ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position.

Britain's GCHQ headquarters. [Image Source: Duncan Campbell]

Government pressure in the European Union and U.S. has forced companies like Google and Microsoft Corp. (MSFT) to limit their data storage to several months at most.  But the NSA stores data from U.S. citizens and foreigners for at least 15 years.

V. Der Wille Zur Macht

One major concern is that these massive data troves could be targets for malicious hackers -- a similar concern as what is voiced about internet advertising/data-mining firms, only on a far greater scale given the government's ability to harvest everyone's data.

Other concerns include the potential for political suppression, military-intelligence coups, individual abuses (e.g. people stalking their exes), and corporate espionage.

The NSA could use its data to silence political opposition in Congress.

U.S. government audits confirmed some of these abuses occurred.  While full-blown political suppression may not have been used, President George Walker Bush (R) used his power to monitor pro-peace groups like the Quakers, while President Obama used his authority to spy on anti-corporate groups like Occupy Wall Street, according to various documents.  Other documents also indicate that analysts "occasionally" used software to stalk their current or former lovers, a practice that's frequent enough to have earned a nickname -- "LOVEINT" -- within the intelligence community.

The programs are also costly.  According to Canadian intelligence officials, the NSA spent an estimated that in 2007 the budget for app spying quadrupled from $204M USD to $767M USD.  Spending today is thought to be in the billions of dollars yearly.

It's easy to understand why the NSA and GCHQ would be keen on seizing this data; platform providers and app developers have already done the hard work of collecting and performing early characterization on user characteristics.  The spy agencies can swoop in and seize the fruits of their labor.

Still, the question of why exactly the NSA and GCHQ are spending so much remains to be asked.

The NSA admittedly spent hundreds of billions to spy on Americans, and it admits it only contributed to the investigations of "possibly" one or two terror plots at most.

We're watching
The NSA is committed to illegal surveillance of Americans. [Image Source: Whoviating]

Just how woefully incompetent are these tools at identifying terrorists?  Well, according to a 2009 test by the NSA and GCHQ, using a small, randomly selected sliver of the NSA's database and 120 computers, the profiling scripts identified 8,615,650 "actors" -- potential national security threats.  When the two agencies added in a small section of the GCHQ data set, that number ballooned to 24,760,289 actors.

The agency essentially admit that in both cases millions of law-abiding Americans were identified making the tools basically useless for national security.  Or in their words:
  • "Not necessarily straightforward"
  • "Analysts [are] dealing with immaturity"
While its tools endanger national security and are virtually useless for spying on terrorists, they offer ample opportunity for political and financial power grabs. [Image Source: PolicyMic]

If the NSA applied its full database -- necessary to truly track down terrorists -- it's not difficult to imagine the results returned might include one million individuals.  Even if you filtered such results, this demonstrates definitively how this technology is currently useless to improve national security.

At the same time it actively endangers national security in other ways, and endangers citizen freedoms. 

To summarize such tools endanger the public, but offer the potential to subvert free elections and the free market.  Sounds like something worth spending billions on right?

Counting Money
U.S. and British taxpayers pay twice -- first in taxes, second in lost business due to the untrustworthiness of their governments. [Image Source: Unknown]

Well, that's what the bloated national governments of the U.S. and its former imperial master, Britain, seem to think.

Sources: The Guardian, The New York Times, Propublica

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Paid by SLOC?
By ebakke on 1/28/2014 2:46:33 PM , Rating: 2
Whoever wrote getMaritalStatus() must be getting paid by the line of code written.

return maritalStatus == null ? maritalStatus : maritalStatus.toLowerCase();

is much simpler, cleaner, and it's obvious what the author intends to happen.

RE: Paid by SLOC?
By ebakke on 1/28/2014 2:48:44 PM , Rating: 2
Aww. Embarrassing. My code doesn't enforce that marital status is one of single, divorced, engaged, relationship, or swinger. But still. That could be done with 1 more line.

RE: Paid by SLOC?
By Spookster on 1/28/2014 5:45:59 PM , Rating: 1
Oh look a programming noob who thinks using ternary expressions makes him look "l33t".

RE: Paid by SLOC?
By ebakke on 1/28/2014 5:55:15 PM , Rating: 2
I never understood the aversion to the ternary. Nested ternary's, sure. But a single ternary is not complex and reduces the cruft. Some people absolutely refuse to use them though.

RE: Paid by SLOC?
By phorealz on 1/28/2014 7:04:14 PM , Rating: 2
Why is it that when people do a null pointer check, they make it so damn hard to read?
Try this:

return null != maritalStatus ? maritalStatus.toLowerCase() : null;

in C/C++ it would have been even easier, ran faster, and made more obvious what it's doing:

return pMaritalStatus ? pMaritalStatus->toLowerCase() : NULL;

RE: Paid by SLOC?
By ebakke on 1/28/2014 8:40:01 PM , Rating: 2
I see little difference between the two from a readability standpoint:
return maritalStatus == null ? maritalStatus : maritalStatus.toLowerCase();
return null != maritalStatus ? maritalStatus.toLowerCase() : null;

But Groovy's leagues better than the Java example, and I'd argue far better than C/C++ (at least in readability):
return maritalStatus?.toLowerCase()

RE: Paid by SLOC?
By Solandri on 1/29/2014 2:33:55 AM , Rating: 3
Does it really matter how you code it if the compiler will generate the same code regardless?

And as long as we're comparing notes, I would've made an enumerated list of marital statuses, and have the function convert the string to one of the list members and return an enum instead of a string. That way you only deal with a string once. Afterwards it's been converted to an int. Any future comparisons are then a single integer register op, instead of a multi-character string comparison (if maritalStatus == "single").

RE: Paid by SLOC?
By ebakke on 1/29/2014 11:15:46 AM , Rating: 2
Agreed, an enum would be most appropriate here.

Does it really matter how you code it if the compiler will generate the same code regardless?There are obviously varying degrees of severity on this, but as a rule of thumb I'd answer yes. If the compiled code is the same, I want the source to be as concise, easy to read, and fastest to write as possible. Particularly for things as common as null checks in Java. The actual logic is diluted in the sea of boilerplate.

Google implicit by not taking a stance
By invidious on 1/28/2014 3:05:05 PM , Rating: 4
If Google was really interested in their customer's rights they would enable users to install an app while denying the app various permissions. Forcing us to accept all of the author's demands to install an app forces users into an all or nothing scenario. Denying apps that would compromise your privacy renders the device useless since almost every app demands extraneous permissions that have little to do with the core functionality of the app. Google's native apps are note exception.

RE: Google implicit by not taking a stance
By lagomorpha on 1/28/2014 4:20:42 PM , Rating: 2
If Google was really interested in their customer's rights they would enable users to install an app while denying the app various permissions.

If that happened apps would just refuse to function unless you agreed to give them the permissions they claim to require.

By Solandri on 1/29/2014 2:38:46 AM , Rating: 3
If you're rooted, xprivacy gets around that. If you "disable" a permission, it feeds fake random info to the app instead of outright refusing to allow the app to access the info. So if an app insists on my GPS location and crashes if it doesn't get it, I can still use it. It'll just think I'm in Moldavia one day, Antarctica the next.

RE: Google implicit by not taking a stance
By cruisin3style on 1/29/2014 1:19:55 AM , Rating: 2
I could swear I read that that did happen in some recent version of android but I think it was killed or removed or whatever

Could be wrong

By disposer on 1/29/2014 2:55:23 PM , Rating: 2

it's not a root version but it works pretty well. I had heard that Google tried to kill it also but here it is still. Get it while you can

By Reclaimer77 on 1/30/2014 5:01:44 AM , Rating: 1
Amazing the anti-Google bias on DT. You idiots are funny.

You're calling out Google, for providing detailed information about what permissions an app wants BEFORE you install it, giving users a choice? If you don't like the permissions, don't install the app!! Find a similar one with better permissions. OR *gasp* get the paid version which usually always has less intrusive permissions.

Go install something from the iTunes store. They don't even tell you what permissions the app wants before hand.

Not only would your idea be impossible to implement in the current Play Store environment, because it would allow users to break apps entirely, but it's a horrible idea because it would heavily dissuade Android developers. You're basically saying Google should make it so that it's impossible for any app to make the developers any profit! Congratulations, you just killed off Android.

Also Google DOES allow you to do what you just criticized them for not, by the way. You can install apps that curtail permissions, you can root your phone, you can even bring back App Opps. Google doesn't lock down Android like Apple does iOS.

This is just stupid! The complete ignorance you are displaying should not even be allowed on a tech blog.

By inperfectdarkness on 1/30/2014 6:34:13 AM , Rating: 2

And now you know one of the key reasons I use FF instead of Chrome....

Man I love being part of....
By Neodude007 on 1/28/2014 1:35:15 PM , Rating: 3

This government is simply awesome. Your argument is invalid.

RE: Man I love being part of....
By ritualm on 1/28/2014 1:52:15 PM , Rating: 2
If you achieve the #1 score on global Angry Birds rankings, expect the feds to start knocking at your doors.

RE: Man I love being part of....
By Argon18 on 1/28/2014 1:58:54 PM , Rating: 4
Don't you mean: O'BAMA!!! He's the best thing since sliced bread after all.

Who cares that he's spying on us all, breaking laws left and right, racking up record debt, and pissing off all our allies. He won a freaking NOBEL PEACE PRIZE! That counts for something, right?

By geddarkstorm on 1/28/2014 6:19:59 PM , Rating: 2
Don't forget Britain is the other half of all this too. And who know who else. Possibly all the Five Eyes members.

Question to Jason
By Murloc on 1/28/2014 4:07:21 PM , Rating: 1
Are you now or have you ever been a member of the Communist Party of the United States?

RE: Question to Jason
By drycrust3 on 1/29/2014 12:00:41 PM , Rating: 2
You don't seem to understand: What is the difference between "them" countries and "us" countries?
The founders of modern America understood that not only does power corrupt, but that the desire of the corrupted is more power, so they wrote your Constitution so as to hinder that happening, and to a large extent it did.
I'm not American, so to some extent it isn't my argument, but if you don't want America to be a "them" country then you need to keep the issues relating to "power corrupts" in the media spot light, and that is exactly what Jason is doing. Maybe it is tedious, freedom is tedious, maybe it is boring, freedom is boring, and that is exactly what those wanting to take freedom from you will bet on: that you will loose interest and not notice freedom is gone.

hidden costs
By purerice on 1/28/2014 2:40:52 PM , Rating: 2
There is no such thing as a free lunch or apparently "free apps". Freedom has become free+dumb. Dumb people want something for free but pay the hidden costs. I am really starting to miss the days of boxed software that came in the form of 5 archived floppy disks that took 2 hours to install but had a 1 paragraph EULA.

Government involvement or not I don't care. Rovio markets products to little kids and the fact that they design their apps to spy on little kids is revolting and shameless, regardless of whom they sell that to.

By cokbun on 1/28/2014 10:03:44 PM , Rating: 2
apparently those terrorist shouted " allahuakbar " everytime they launched a bird

I'm not naive...
By prophet001 on 1/30/2014 9:14:17 AM , Rating: 2
... so give me my tinfoil hat please and show me where to sit.

By Dr of crap on 1/28/14, Rating: 0
By Argon18 on 1/28/2014 4:41:19 PM , Rating: 1
Actually, it ain't bad for a few minutes while you're on the shitter. Sometimes you don't have a newspaper handy, ya know?

"A politician stumbles over himself... Then they pick it out. They edit it. He runs the clip, and then he makes a funny face, and the whole audience has a Pavlovian response." -- Joe Scarborough on John Stewart over Jim Cramer

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki