Browser cookies, mobile apps do the NSA's data mining work for it

The words are ignored by most of us:

This application has access to the following...

...but to everyone's favorite spy agency, the U.S. National Security Agency (NSA) such permissive features and the data they mine can represent a "Golden Nugget!" of information, according to a 2010 agency slide deck.

I. All Your Metadata Are Belong to U.S.

It's already well known that the NSA is spying on Americans, ally states, and everyone else via intercepting internet communications from both PCs and mobile devices, plus telephony metadata.  Sometimes this spying is hard work, but it turns out these agencies are also greedily eye the metadata mined by mobile applications, as a quick and dirty route to spying on the public.

Android app permission
Data mining apps are likely sharing your personal information with the NSA for deep storage.
[Image Source: NProtect]

Potential privacy concerns about companies like Google Inc. (GOOG) and Facebook, Inc. (FB), as well as top mobile/social gaming firms like Facebook app-maker Zynga Inc. (ZNGA) and Angry Birds developer Rovio Entertainment Ltd., have been raised in the past.  Users have mostly ignored such warnings, though, so mobile providers have been able to quietly amass hordes of data which they use to target advertisements at customers.

Rovio admitted in 2012 to collecting certain private information to monetize its apps, but says that it does not "knowingly" collect app data for users under 13.

WSJ app data sharing
What your app knows about you might surprise you. [Image Source: The New York Times]

Rovio and others harvest user details via the help of third party toolkits, which contain plug-and-go codes to monitor user behavior.  The information gathered can help third party ad partners  -- or direct ad distributors like Google, Apple, Inc. (AAPL), and Facebook -- guess what ads might work on you.  And smart advertising can mean big profits.

When it comes to cellular networks, app developers typically feel less need to obfuscate data as there's often the false assumption that interception is prohibitively expensive/complex.  This misconception has even been seen at times in the security analysis space. 

Many security experts worry about the wealth of app-mined plaintext (unecrypted) cellular data traveling about, but most discussion has focused on the endpoints -- where the data is being stored.

fiber cablesUndersea cable
The NSA taps data at the cable level. [Image Source: Unknown (left); AFP (right)]

That's because no one expected hackers to be tapping into the fiber optic backbone of the internet -- an incredibly complex and time-consuming process.  But that's exactly what the NSA has been revealed to be doing.  And unlike app makers and OS platform makers, who at most have access to data of a substantial chunk of consumers, a spy agency tapping the backbone has the ability to basically achieve total data dominance.  U.S. and UK spy agencies can literally see everyone's data, regardless of what platform you're on.

II. Profiling Your Private Life

According to an accompanying deck by the NSA's UK sister agency, the Government Communications Headquarters (GCHQ), for an app like Angry Birds, that includes:
  • handset model
  • unique handset ID number
  • software version
  • operating system version
  • intimate personal details
Angry Birds marital status
Burstly Software's Dev Kit, used to monetize Angry Birds, can profile your marital status and sexual behavior. [Image Source: Propublica]

A report in The New York Times -- who along with The Guardian and ProPublica received leaked documents originally leaked by Edward Joseph Snowden -- reports:

The streams are divided into “traditional telephony” — metadata — and others marked “social apps,” “geo apps,” “http linking,” webmail, MMS and traffic associated with mobile ads, among others. (MMS refers to the mobile system for sending pictures and other multimedia, and http is the protocol for linking to websites.)

Angry Birds

The basic handset information provided by an app like Angry Birds could help the government attack your device with malware for deeper monitoring.  One GCHQ slide suggests:

GCHQ's targeted tools against individual smartphones are named after characters in the TV series The Smurfs. An ability to make the phone's microphone 'hot', to listen in to conversations, is named "Nosey Smurf". High-precision geolocation is called "Tracker Smurf", power management – an ability to stealthily activate an a phone that is apparently turned off – is "Dreamy Smurf", while the spyware's self-hiding capabilities are codenamed "Paranoid Smurf".

GCHQ Guide to Smartphone Spying by jasonmick

Cookies and other micro-software can also be employed for similar data-mining gains, when you browse on your PC.  Ironically the UK has one of the world's strictest laws regulating third-party cookies, the local spy agency is reportedly spying on citizens via its own distributed cookies and the intercepted results of those third-party cookies.

A UK slide states, "[Cookie information] [is] gathered in bulk, and [is] currently our single largest type of events."

Cookies are a top data source for the NSA and GCHQ. [Image Source: Magdex USA]

Past NSA slides indicate that the NSA is attacking Americans via artificial intelligence queries.  Type something the NSA finds suspicious?  It can start installing malware on your machine.  The agency cleverly claims it's not targeting Americans as many of these attacks are fully automated and require no human intervention.  Thus the government uses criminal tactics to attack your data, but says that's okay because no physical humans were involved.

III.  Personal Information: Ammo for Blackmail, Suppression

According to the GCHQ deck, potential information that could be mined from various apps also includes:
  • age
  • gender
  • ethnicity
  • friends
  • location
  • medical history
  • political leanings
  • work records/status
  • sexual behavior (e.g. whether you're a "swinger")
  • sexual orientation
  • marital status
NSA between the sheets
The NSA and GCHQ know what you're doing between the sheets. [Image Source: Scanpix]

The NSA and GCHQ call this a "perfect scenario" for their goal of spying on everyone.  A slide reads, "Target uploading photo to a social media site taken with a mobile device. What can we get?"
NSA cartoon
An NSA cartoon depicts apps as a magical fairy that gives the spy agency your data.

The answer appears to be everything from user uploaded photos, to intimate details of users life, to users work information.  But the question is how much information the NSA and GCHQ were really intercepting from mobile apps.  Recall that past documents and testimony indicated that these capabilities not only exist, they were being used to spy on most Americans -- around 75 percent of data transfers in the case of internet traffic and roughly 99 percent of data transfers in the case of telephone calls.

With mobile apps, the GCHQ gleefully cheers, "[This] effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system."

Google Maps
The NSA is spying on Google Maps queries to track Americans.

The seizure of image texts (MMS) and information on citizen's private lives is especially alarming, as the NSA's and GCHQ's have the potential to try to use the personal foibles of politicians (affairs, sexual orientation, etc.) to blackmail them into supporting increased domestic spying and a transfer of power to the intelligence community. 

The NSA has already essentially admitted to spying on Congress, telling them they get "the same privacy protections" as normal Americans. How do you get away with such tactics?  You could claim you only saw that data via "an accident" -- the blanket excuse the NSA uses for its analysts who break the law thousands of times a year.

IV. What Does the NSA Say?

An NSA official similarly indicated that it was likely mass harvesting senstive data from Americans and citizens of other nations.  They commented to The NYT:

The communications of people who are not valid foreign intelligence targets are not of interest to the National Security Agency.  Any implication that NSA's foreign intelligence collection is focused on the smartphone or social media communications of everyday Americans is not true. Moreover, NSA does not profile everyday Americans as it carries out its foreign intelligence mission. We collect only those communications that we are authorized by law to collect for valid foreign intelligence and counterintelligence purposes – regardless of the technical means used by the targets.

Because some data of US persons may at times be incidentally collected in NSA's lawful foreign intelligence mission, privacy protections for US persons exist across the entire process concerning the use, handling, retention, and dissemination of data. In addition, NSA actively works to remove extraneous data, to include that of innocent foreign citizens, as early as possible in the process.

Continuous and selective publication of specific techniques and tools lawfully used by NSA to pursue legitimate foreign intelligence targets is detrimental to the security of the United States and our allies – and places at risk those we are sworn to protect.

The NSA implies it seizes corporate mined data to spy on Americans. [Image Source: NYPost]

Likewise the GCHQ spoksperson comments:

It is a longstanding policy that we do not comment on intelligence matters.

Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework that ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position.

Britain's GCHQ headquarters. [Image Source: Duncan Campbell]

Government pressure in the European Union and U.S. has forced companies like Google and Microsoft Corp. (MSFT) to limit their data storage to several months at most.  But the NSA stores data from U.S. citizens and foreigners for at least 15 years.

V. Der Wille Zur Macht

One major concern is that these massive data troves could be targets for malicious hackers -- a similar concern as what is voiced about internet advertising/data-mining firms, only on a far greater scale given the government's ability to harvest everyone's data.

Other concerns include the potential for political suppression, military-intelligence coups, individual abuses (e.g. people stalking their exes), and corporate espionage.

The NSA could use its data to silence political opposition in Congress.

U.S. government audits confirmed some of these abuses occurred.  While full-blown political suppression may not have been used, President George Walker Bush (R) used his power to monitor pro-peace groups like the Quakers, while President Obama used his authority to spy on anti-corporate groups like Occupy Wall Street, according to various documents.  Other documents also indicate that analysts "occasionally" used software to stalk their current or former lovers, a practice that's frequent enough to have earned a nickname -- "LOVEINT" -- within the intelligence community.

The programs are also costly.  According to Canadian intelligence officials, the NSA spent an estimated that in 2007 the budget for app spying quadrupled from $204M USD to $767M USD.  Spending today is thought to be in the billions of dollars yearly.

It's easy to understand why the NSA and GCHQ would be keen on seizing this data; platform providers and app developers have already done the hard work of collecting and performing early characterization on user characteristics.  The spy agencies can swoop in and seize the fruits of their labor.

Still, the question of why exactly the NSA and GCHQ are spending so much remains to be asked.

The NSA admittedly spent hundreds of billions to spy on Americans, and it admits it only contributed to the investigations of "possibly" one or two terror plots at most.

We're watching
The NSA is committed to illegal surveillance of Americans. [Image Source: Whoviating]

Just how woefully incompetent are these tools at identifying terrorists?  Well, according to a 2009 test by the NSA and GCHQ, using a small, randomly selected sliver of the NSA's database and 120 computers, the profiling scripts identified 8,615,650 "actors" -- potential national security threats.  When the two agencies added in a small section of the GCHQ data set, that number ballooned to 24,760,289 actors.

The agency essentially admit that in both cases millions of law-abiding Americans were identified making the tools basically useless for national security.  Or in their words:
  • "Not necessarily straightforward"
  • "Analysts [are] dealing with immaturity"
While its tools endanger national security and are virtually useless for spying on terrorists, they offer ample opportunity for political and financial power grabs. [Image Source: PolicyMic]

If the NSA applied its full database -- necessary to truly track down terrorists -- it's not difficult to imagine the results returned might include one million individuals.  Even if you filtered such results, this demonstrates definitively how this technology is currently useless to improve national security.

At the same time it actively endangers national security in other ways, and endangers citizen freedoms. 

To summarize such tools endanger the public, but offer the potential to subvert free elections and the free market.  Sounds like something worth spending billions on right?

Counting Money
U.S. and British taxpayers pay twice -- first in taxes, second in lost business due to the untrustworthiness of their governments. [Image Source: Unknown]

Well, that's what the bloated national governments of the U.S. and its former imperial master, Britain, seem to think.

Sources: The Guardian, The New York Times, Propublica

"People Don't Respect Confidentiality in This Industry" -- Sony Computer Entertainment of America President and CEO Jack Tretton

Latest Blog Posts

Copyright 2017 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki