NSA Tapping Mobile Apps In Search Of User Data: Report
January 28, 2014

Is The NSA Tapping Mobile Apps In Search Of User Data?

redOrbit Staff & Wire Reports

The National Security Agency (NSA) and Britain's Government Communications Headquarters (GCHQ) are tapping into popular smartphone applications to gather potentially vast amounts of personal information about the user, including age, location, smartphone identification codes and even sexual orientation and political affiliation, according to various news outlets.

The news reports cite dozens of previously undisclosed classified documents provided by former NSA contractor Edward Snowden, which suggest the two spy agencies routinely access data generated by “leaky” apps such as Google Maps, the highly popular Angry Birds game, and mobile versions of Facebook and Twitter.

“The agencies have traded recipes for grabbing location and planning data when a target uses Google Maps, and for vacuuming up address books, buddy lists, telephone logs and the geographic data embedded in photographs when someone sends a post to the mobile versions of Facebook, Flickr, LinkedIn, Twitter and other Internet services,” The New York Times wrote in its report.

The US and UK have long intercepted cellphone traffic such as text messages and metadata from virtually every segment of the mobile network, and also spy on computer data transiting the Internet. Using these existing mass surveillance capabilities to tap into user data that mobile apps send over the network means the agencies no longer have to rely solely on hacking into individual mobile phones to access a target’s personal information.

One of the fourteen documents cited in Monday’s reports includes a 2010 NSA presentation with a slide entitled “Golden Nugget!” that describes the agency's “perfect scenario” of a target uploading a photo taken with a mobile device to a social media site.

From that single event, the agency said it could obtain a possible image, email selector, phone, buddy lists and "a host of other social working data as well as location."

Although most major social media sites strip photos of identifying location metadata, or EXIF data, before publication, this information may still be briefly available as it traverses the networks, according to a report from The Guardian.

Other data generated by apps could reveal a phone's settings, where it had connected, which websites it had visited and which documents it had downloaded, according to the documents.

The reports also indicate that the spy agencies utilized their mobile interception capabilities to collect location information in bulk from Google and other mapping apps.

“One initiative involved building a database geolocating every mobile phone mast in the world – meaning that just by taking tower ID from a handset, location information could be gleaned,” The Guardian wrote.

A more complex effort relied on intercepting Google Maps queries made on smartphones, and using them to collect large volumes of location information.

“So successful was this effort that one 2008 document noted that ‘[i]t effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system,’” according to The Guardian.

The type and amount of information a mobile phone app sends over the network is determined by its developers, or by the company that delivers its advertisements. The Snowden documents do not reveal whether the NSA or GCHQ actually collect the personal details that apps are capable of storing or transmitting. Such personal data would likely be considered content, rather than metadata.

The NSA has not commented directly on the latest disclosures or on whether it gathers mobile phone app data, but it released a statement on Monday saying the communications of those who were not "valid foreign intelligence targets" were not of interest to the agency.

"Any implication that NSA's foreign intelligence collection is focused on the smartphone or social media communications of everyday Americans is not true," the statement read.

"We collect only those communications that we are authorized by law to collect for valid foreign intelligence and counterintelligence purposes — regardless of the technical means used by the targets."

Britain’s GCHQ said it did not comment on intelligence matters, but insisted that all of its actions were "authorized, necessary and proportionate."