Revelations that the National Security Agency is tapping smartphone applications to mine personal information highlight the risk millions of mobile data users take each day when they play games, schedule lunch or check the weather.
Agencies in the US and UK have infiltrated mobile software for details about users’ movements and social ties, according to documents released by former NSA contractor Edward Snowden to The New York Times, The Guardian and ProPublica. Among the so-called leaky apps with the greatest privacy perils are Google Plus, Pinterest’s online bulletin board and “Candy Crush Saga”, the most popular game on Facebook, according to an analysis by Zscaler, an information security company.
“Privacy is dead in the digital world that we live in,” said Michael Sutton, vice-president of security research at Zscaler.
“I tell people, unless you are comfortable putting that statement on a billboard in Times Square and having everyone see it, I would not share that information digitally.”
The latest disclosures from Snowden underscore the vast data trove that mobile apps provide – and not just for advertisers that sweep them for consumer data.
The reach of apps, and of the networks advertisers use to pass data around, make them natural eavesdropping targets and are aiding a shift in the focus of surveillance efforts away from personal computers, Mahaffey said.
“They have a lot of valuable information and they’re everywhere,” he said. “Everyone from the NSA to Microsoft to Google see mobile as the future.”
Meanwhile, the US government is quietly funding research to prevent eavesdroppers from seeing who the US is spying on, even as the Obama administration considers ending the storage of millions of phone records by the NSA.
The Office of the Director of National Intelligence has paid at least five research teams across the country to develop a system for high-volume, encrypted searches of electronic records kept outside the government’s possession. The project is among several ideas that could allow the government to store Americans’ phone records with phone companies or a third-party organisation, but still search them as needed.
An encrypted search system would permit the NSA to shift storage of phone records to either phone providers or a third party, and conduct secure searches remotely through their databases, working around recent legal concerns.
President Barack Obama ordered the attorney general and senior intelligence officials to recommend changes by March 28 that would allow the US to identify suspected terrorists’ phone calls without US government agencies holding the phone records themselves.
The NSA’s surveillance programme collects millions of Americans’ daily calling records into a central agency database. When the agency wants to review telephone traffic associated with a suspected terrorist – the agency made 300 such queries in 2012 – it then searches that data bank and retrieves matching calling records and stores them separately for further analysis.
A computer science expert who heads one of the intelligence-funded teams, Steven Bellovin of Columbia University, estimates the US government could start conducting encrypted searches within the next year or two.
Mobile applications for smartphones and tablets present the latest privacy and security challenges because, unlike computer software, most apps depend almost entirely on ads to make money.
While technology companies often encrypt what they collect to shield the information from prying eyes, the advertising services they work with frequently don’t, says Kevin Mahaffey, co-founder of Lookout.
Lookout studied 30,000 apps and found that 38 per cent of those for Android systems could determine locations, that half the apps could access the unique code assigned to a personal device, and that 15 per cent could grab phone numbers. Zscaler found all but one of the top 25 social-networking apps request e-mail access, all but two ask for access to users’ address books and all but four inquire about users’ locations. Sutton said that most people willingly give the apps their private information.
The mobile app industry, less than 10 years old, will be worth US$143 billion globally by 2016, according to research firm VisionMobile.
Google declined to comment and referred to a statement from the Application Developers Alliance, a trade group to which it belongs.
“Uninhibited collection of consumers’ personal data by governments hacking into apps is unacceptable,” said Jon Potter, the group’s president, in the statement. “This surveillance damages our entire industry and undermines the hard work of app developer entrepreneurs everywhere.”
Jodi Seth, a spokeswoman for Facebook, said the company encrypts its mobile app data and pointed to two earlier statements defending its security technologies. King.com, the company behind Candy Crush Saga, and Pinterest didn’t respond to e-mail messages.
Many people aren’t aware of what their applications are scooping up, and the information is often tangential or irrelevant to an app’s central purpose.
One game that makes surprising grabs – asking for a user’s location or a device’s unique code – is Angry Birds, according to research by Jason Hong, an associate professor of computer science at Carnegie Mellon University. Another data-hungry app is Brightest Flashlight, which turns on all of a device’s lights at once, Hong found.
Angry Birds, whose games have been downloaded more than one billion times, was identified in the Snowden documents as a target of NSA spying.
Its creator, Rovio Entertainment, said it doesn’t share data with government agencies and that any leaking of customer data is being aided by vulnerable advertising networks.
“In order to protect our end users, we will, like all other companies using third-party advertising networks, have to re-evaluate working with these networks if they are being used for spying purposes,” said Mikael Hed, Rovio’s chief executive officer.
GoldenShores Technologies, the creator of Brightest Flashlight, didn’t respond to an e-mail message.
There are dozens of networks that collect and share details from apps and connect marketers to users with tailored ads. AdMob, owned by Google, and Millennial Media are the two biggest networks for Android, the largest smartphone operating system in the world. AdMob declined to comment and Millennial didn’t respond to e-mail messages.
The NSA sensors that capture traffic travelling across key internet junctures are probably what allow the agency to collect mobile ad data and look for patterns, Carnegie Mellon’s Hong said. Some ad networks pass around entire contact lists in unencrypted form, which makes them vulnerable to interception at any point along their path, Hong said.
While mobile app data could have unquestioned value for investigators in select cases, it’s difficult to separate key signals from noise in such huge datasets, he says. “It’s unclear what signals might be useful” to surveillance agencies.
The apps documents released by Snowden were the latest to bring to light the extent to which NSA and other agencies, including the UK’s Government Communications Headquarters, have targeted digital information.
The US has charged Snowden, a former US contractor and current Russian resident, with theft and espionage for leaking documents to The Guardian and The Washington Post last year. The documents unveiled the breadth of the NSA’s collection of internet and telephone records.
The agency has defended its data gathering as essential to national security.
Additional reporting by Associated Press