NSA and GCHQ Harvest User Data From Leaky Mobile Apps

The Guardian, New York Times and Pro Publica all yesterday published new reports taken from top secret documents leaked by Edward Snowden. They demonstrate that both the NSA and GCHQ believe that data 'leaked' by popular mobile devices is a valuable source of information.

"The data pouring onto communication networks from the new generation of iPhone and Android apps," notes the Guardian, "ranges from phone model and screen size to personal details such as age, gender and location. Some apps, the documents state, can share users' most sensitive information such as sexual orientation – and one app recorded in the material even sends specific sexual preferences such as whether or not the user may be a swinger."

"With each new generation of mobile phone technology, ever greater amounts of personal data pour onto networks where spies can pick it up," notes the New York Times.

"When a smartphone user opens Angry Birds, the popular game application, and starts slinging birds at chortling green pigs, spy agencies have plotted how to lurk in the background to snatch data revealing the player’s location, age, sex and other personal information, according to secret British intelligence documents," warns Pro Publica.

The extent of the agencies' interest in this new source of information can be seen in two particular top secret documents. One NSA slide is titled 'Golden Nugget!' What can we get, it asks. "The question is answered in the notes to the slide," says the Guardian: "from that event alone, the agency said it could obtain a 'possible image', email selector, phone, buddy lists, and 'a host of other social working data as well as location.'"

The second document comes from GCHQ and involves the interception of Google Maps queries on a smartphone. "So successful was this effort," reports the guardian, "that one 2008 document noted that '[i]t effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system.'"

The irony is that the intelligence agencies are benefiting from the intrusiveness of advertisers and the attempts of app developers to lay the foundation for future monetizing of their apps. Garry Partington, CEO of custom app developer Apadmi said:  “It does make sense for some apps to have access to certain elements of users’ data, but in most cases there is absolutely no need for apps to collect masses of private user information. Apps and the developers that do this are exposing users’ data unnecessarily, causing real concerns over privacy – as today’s news shows."

It is a tricky problem for Google. Some apps need to transmit data – such as location data – in order to perform their function. Unless the app specifically encrypts that data, Partington told Infosecurity, "then the agencies have access to it as it crosses the networks they are 'tapped into.'” But he does think there is also a case for Google to be more stringent in its terms of service over the information app developers collect for their own use or sale. 

"This should start to be clearer through terms of service," he said, "however unless Google starts to test apps as Apple does for leaking or gleaning information, the change to the terms of service won’t affect this. Don’t get me wrong," he added, "I don’t want Google to do the testing, but there is a case for 'verified' apps to be stamped as approved so to speak. That way you can trust the app."

Another partial solution would be for Google to resurrect the privacy feature it accidentally let slip in December – the ability for users to refuse some of the permissions demanded by an app, rather than being given a simple all-or-nothing choice. That way users would be in more control over what data might end up in the hands of the spy agencies.

What’s Hot on Infosecurity Magazine?