The Guardian, in partnership with the New York Times and ProPublica, has released new documents obtained from Edward Snowden, detailing how the NSA and its UK sidekick GCHQ obtain data from ‘leaky’ smartphone apps, allowing them to discover everything from detailed records such as ‘phone model and screen size to personal details such as age, gender and location’, to ‘users’ most sensitive information such as sexual orientation – and one app recorded in the material even sends specific sexual preferences such as whether or not the user may be a swinger’(!).
For some reason much of the publicity surrounding the story has focused on mobile games, and Angry Birds in particular. All kinds of apps, however, collect too much information about the user, with social media apps being among the worst offenders. The latest update of the Facebook app, for example, asks permission to access your SMS messages.
Both iOS and Android apps require user consent for the permissions they request, and much of the heuristics data collected is very useful to developers in identifying how their apps are used so they can develop targeted improvements. However, not only do users rarely read through the permissions requested, but the usefulness or appeal of the app often outweighs any security considerations even if they do (the Facebook app being a classic example of this).
Furthermore, many apps suffer from ‘overreach’ – collecting information that goes far beyond what the app needs to perform its function, a problem made worse by the rise in popularity of ‘free-to-play’ and ad-supported apps whose business model relies on selling this data to advertising and analytics companies.
As the new Snowden slides demonstrate, because this information is routinely sent unencrypted, the NSA has a field day hoovering it up, and because apps are often linked to social media profiles, discovering huge amounts of intimate information is almost laughably easy. The Guardian reports that,
‘Depending on what profile information a user had supplied, the documents suggested, the agency would be able to collect almost every key detail of a user’s life: including home country, current location (through geolocation), age, gender, zip code, marital status – options included “single”, “married”, “divorced”, “swinger” and more – income, ethnicity, sexual orientation, education level, and number of children.’
The sheer glee shown by the NSA at their activities is just one of the many disturbing things about the new revelations. The answer to the question ‘What can we get?’ is revealed in the side notes to the slide – a ‘possible image’, email selector, phone, buddy lists, and ‘a host of other social working data as well as location’.
Using Google Maps on your smartphone is a particular jackpot for the NSA and GCHQ, who in 2008 wrote that ‘[i]t effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system.’
As usual, a big song and dance is made in the obtained documents about how data is not (intentionally) collected on US citizens.
‘The communications of people who are not valid foreign intelligence targets are not of interest to the National Security Agency…. Any implication that NSA’s foreign intelligence collection is focused on the smartphone or social media communications of everyday Americans is not true.
Moreover, NSA does not profile everyday Americans as it carries out its foreign intelligence mission. We collect only those communications that we are authorized by law to collect for valid foreign intelligence and counterintelligence purposes – regardless of the technical means used by the targets.’
Whoopee doo, nice for them. All terrorists of course love to play Angry Birds!
If you are worried about such NSA and GCHQ intrusion through your smartphone, then the only thing you can really do is throw it away. Failing that, check app permissions carefully, looking out for permission requests which are not needed for the app to operate. If you find any, then don’t install the app. You can also replace the incredibly leaky Facebook app on Android with Tinfoil for Facebook, a wrapper which ‘creates a sandbox for Facebook’s mobile site in order to protect your privacy and to avoid the ability of others to track your browsing history.’