NSA and GCHQ target 'leaky' phone apps like Angry Birds to scoop user data

Discussion in 'General Discussion' started by gryff, Jan 27, 2014.

  1. gryff

    gryff

    Joined:
    Apr 17, 2012
    Posts:
    360
  2. Amon

    Amon

    Joined:
    Oct 18, 2009
    Posts:
    1,384
    I could be angry but I honestly couldn't give a S***su. There's nothing I nor anyone can do to stop it. At the end of the day I would say, if asked why I don't care, the following:

    Go for it government peeps: It don't make a difference to me and to save you time, you don't need to hack my phone or whatever, just head over to Adobe where all my details were already given away to criminals, by criminals.

    Save your time government people. Adobe is doing a fine job of dishing out private data to the cosmos and claiming the phantom did. Don't forget also that Adobe, after joining forces with the butthole of the universe........Scratch that as Adobe are the butthole of the universe.
     
  3. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    15,620
    Wait wait wait... seriously? It shocks me sometimes how people look straight past what matters thanks to a little media sensationalism.

    NSA and GCHQ are agencies which specifically exist to collect and analyze data with the intention of identifying threats to national security. Granted, some people don't like that idea in and of itself. But anyone upset about the piggybacking has already walked straight past something more important. Why get upset at people who are doing their jobs by piggybacking instead of getting upset about the people collecting and (inadvertently) broadcasting it in the first place?!?

    Think on that. The NSA collect this data for aggregate threat analysis. Some people might not like that, but it's their job and it's ostensibly for our benefit. We know this. It is not a surprise. It's a headline on a slow news day, that is all.

    The real questions are: Why are the people making these apps collecting our personal information in the first place?, and If we don't like the NSA/GCHQ having this data, why the hell are we even remotely ok with random app developers having it? We just got told that potentially anyone has access to that data... but it's security agencies who we're upset about?

    Two points:
    1. If they didn't collect it then intelligence agencies and other unknown people couldn't piggyback.
    2. Either they're deliberately collecting data that has nothing to do with the service/software they are providing, or they're accidentally collecting and sharing it out of ignorance.

    Whichever it is, point 2 above is way more scary to me than the idea that NSA/GCHQ have found just one more useful data stream. If they can get this data, who else can? And if it's being collected deliberately by the first party... why?

    I'm not the biggest fan of Big Brother style security myself. I don't like the idea that this data is being collected and shared, deliberately or otherwise. But when I'm worried about who has the data it's not the people I know about - and who are meant to contribute to my security - who top the list.

    Edit: Also I feel I should point out that a lot of what the article talks about is stuff we should be aware of anyway. If you take an image it quite possibly has EXIF data (location, time, device used, etc.) and if you're uploading it to a site with a login... well, you're logged in...

    I just get really annoyed when an article like this focuses on the fear mongering NSA bashing rather than on giving people actual, useful information. Like just straight up saying "when you upload a photo, this is the kind of data you're broadcasting on the open internet..."
     
    Last edited: Jan 28, 2014
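
What the EXIF remark in the post above looks like at the byte level, as an added example that is not part of the thread or any poster's code: it reads the device, time and GPS-pointer tags from a JPEG's Exif segment and removes that segment before upload. The sample file, camera name and timestamp are constructed; only IFD0 text tags and the GPS pointer are read, and only APP1 segments are stripped.

```python
import struct

# IFD0 tags that identify the device, the time and (via a pointer) the location.
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}


def segments(jpeg):
    """Yield (marker, start, end) for every header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image: headers are over
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("segment length runs past end of file")
        yield marker, pos, end
        pos = end


def parse_ifd0(tiff):
    """Decode the tags listed in TAGS from the first image file directory."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # little- or big-endian TIFF
    if order is None or len(tiff) < 8:
        return {}
    magic, ifd_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd_off + 2 > len(tiff):
        return {}
    (count,) = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])
    found = {}
    for i in range(count):
        entry = tiff[ifd_off + 2 + 12 * i:ifd_off + 14 + 12 * i]
        if len(entry) < 12:
            break  # truncated directory
        tag, typ, n, value = struct.unpack(order + "HHI4s", entry)
        name = TAGS.get(tag)
        if name is None:
            continue
        if typ == 2:  # ASCII: stored inline if it fits in 4 bytes, else at an offset
            if n > 4:
                (off,) = struct.unpack(order + "I", value)
                raw = tiff[off:off + n]
            else:
                raw = value[:n]
            found[name] = raw.split(b"\x00")[0].decode("ascii", "replace")
        else:
            found[name] = "present"  # e.g. the pointer to the GPS sub-directory
    return found


def read_exif(jpeg):
    """Return {tag name: value} for the first Exif APP1 segment, or {} if none."""
    for marker, start, end in segments(jpeg):
        body = jpeg[start + 4:end]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return parse_ifd0(body[6:])
    return {}


def strip_metadata(jpeg):
    """Copy the file without its APP1 segments (Exif and XMP both live there)."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end in segments(jpeg):
        if marker != 0xE1:
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]  # scan data and everything after it, unchanged
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample: JFIF header, Exif segment and a stub scan, not a real photo."""
    strings = [(0x010F, b"ExampleCam\x00"), (0x0110, b"Model X1\x00"),
               (0x0132, b"2014:01:27 09:30:00\x00")]
    count = len(strings) + 1
    data_off = 8 + 2 + 12 * count + 4  # TIFF header + count + entries + next-IFD link
    entries, blob = b"", b""
    for tag, text in strings:
        entries += struct.pack("<HHII", tag, 2, len(text), data_off + len(blob))
        blob += text
    entries += struct.pack("<HHII", 0x8825, 4, 1, data_off + len(blob))
    blob += struct.pack("<HI", 0, 0)  # empty GPS directory, enough to be pointed at
    tiff = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", count)
            + entries + struct.pack("<I", 0) + blob)
    body = b"Exif\x00\x00" + tiff
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02\x00\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", read_exif(sample))
    print("after: ", read_exif(strip_metadata(sample)))
```

Other metadata carriers such as APP13 (IPTC) and COM segments are left in place by this example.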
  4. Devilbox-Games

    Devilbox-Games

    Joined:
    Jul 3, 2012
    Posts:
    205
    I think the story is a bit misleading, the really personal data it talks about is almost certainly coming from apps like Facebook and other social networking or dating apps where you actively put the information in your profile (even if it's private) and that data then is sent back and forth between the server and app as you access the relevant bits. Apps like Angry Birds have no way of accessing information about your relationship status or sexual preference, those apps were mentioned in relation to ad companies sharing what data they have access to. Shopping apps where you put in your billing information is another place they can harvest personal information and chat apps can give the NSA/GCHQ access to your contacts/buddy lists.

    All these apps have legitimate use of the data they have access to and it's consensual. It's the combination of all these apps which allow these spy agencies to have a complete picture of your personal info. That's the outrageous thing here, that they gather all this data from all these different places and do it by hooking directly into cell towers and data centres without permission from anyone involved. They aren't targeting the "bad guys" here, they're indiscriminately collecting data from everyone they can and constructing full profiles of all their data and only then determining whether each person is a threat after all that data is analyzed.
     
  5. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    15,620
    I suspect that you're right about where the data is coming from and that it's all consensual. That doesn't really get around the security implications, though.

    If the NSA can eavesdrop on some private-but-not-secure data sent between your phone and a web service somewhere, the potential is that anyone can. The solution is not to complain about the NSA, it is to either a) not send that data or b) protect it properly. Either way, users should be more aware about a) what data they are sending and b) how it is transmitted and c) who potentially has access to it.

    Which is why these articles bother me. It's all about how intelligence agencies are evil, because that gets attention. If they really actually cared, what they'd actually do is explain the things I just listed in layman's terms so that people can make more informed decisions about how they use their phone and/or internet connections. But no, instead they just do some NSA bashing 'cause that's cool, bro.
     
  6. Arowx

    Arowx

    Joined:
    Nov 12, 2009
    Posts:
    8,194
    So the NSA and GCHQ are targeting people who like blowing up pigs?!

    Wasn't sure if I should post that on an open forum, as they can read everything I type here... hides behind sofa and deletes Angry apps!
     
  7. Amon

    Amon

    Joined:
    Oct 18, 2009
    Posts:
    1,384
    Nah they can't find you. You can pretty much say what you want and the idiot Governments can't do anything abou...........Why is there a red glowing dot on my ches..................


    :)
     
  8. jashan

    jashan

    Joined:
    Mar 9, 2007
    Posts:
    3,307
    Because various unrelated parties need data for various unrelated reasons and there's really no problem with that.

    Like, phone companies need to know which numbers you dial so they can charge you for their service. They also need to know how many text messages you send etc. ... your doctor or health insurance needs certain information about you and your bank also needs certain information about you ... for us game developers, knowing what device you (or "people") are using is interesting, how often you (or "people") play and when might be interesting, what levels you (or "people") play and how you (or "people") play them ... and a few other stats are very interesting as well. That's why they/we collect this information. It's relevant for what they/we are doing - we can use it to learn and improve the game experience (or others may just use it to make more money).

    In many cases, by law (in some countries), it must not even be connected to who you are - it's a legal requirement that you collect that data anonymously. In other words, for good reasons, in many countries we may be allowed to anonymously collect all kinds of data - but the moment we connect that data with your address, or even make it easy to connect that data with your address, we break reasonable privacy laws. Most of the time, if we ask you if you give us permission, and only collect with that permission, things are fine. People get sued when they don't obey these laws and while it makes our lives much more complicated because we have to be very careful with what we collect and why, and how exactly we collect it, it's a really good thing because it protects people's privacy.

    What the NSA and their "friends" do, however, is put all data from all sources together into a few connected databases, precisely with the intention of gathering as much information on any individual on this planet as possible. And they never asked permission.

    In other words, this agency, which is paid for by the American tax payer and therefore should serve the American citizens and obey the constitution (without funny word-twisting) is basically turning against every single citizen of this planet and gathers personalized profile information that can trivially be used to destroy anyone's life. Or that can be trivially used to find out where people disagree with the current status quo and want to change how society works (like, for example that maybe it's not okay to have slavery ... or that maybe women should be allowed to vote ... or maybe that we should have free speech ... or many other things that we currently take for granted because we haven't experienced the time before those little revolutions took place). Or, that can trivially be used to gather information on what companies of the whole world are currently working on. And the information that's missing because it's well-protected because a few people actually did their homework and properly encrypted their communication channels and storage can be easily obtained by using the information about their social environment for social engineering attacks (or worse - see "can trivially be used to destroy anyone's life" above).

    One might naively think "they won't use blackmail" ... but ooops, these are more or less the same people that use torture to "gather information". That is not the kind of character that should be allowed these kinds of powers. In fact, no one should.

    It's a completely different game they are playing and it's a game that should be ended very quickly by any reasonably democratic society that appreciates the values western society has established over the last few centuries with many people putting their lives in danger. As the democratic processes currently seem to no longer be as reliable as they should be, it's up to anyone that has to do with any kind of data no matter how uncritical it may seem "on its own" to become aware that there are people out there that feel a strong need to gather EVERYTHING and put EVERYTHING together, and also have the technical capabilities and enough criminal energy to actually pull this through. And they'll use your naivety to their "benefit". That's why they tried to keep this stuff secret.

    In other words: While you may just be collecting a few device stats, some play sessions, maybe high scores and achievements - and much of the data you are collecting might even be anonymous in your databases, not connected to any individual - you need to be aware that a few very well-organized agencies that are currently beyond any reasonable democratic control will take that information and put it into a profile with a whole lot of other data and potentially use that data against you or any of your customers.

    So either you don't collect that data at all - or you do your best to prevent that data from being stolen.
     
  9. tiggus

    tiggus

    Joined:
    Sep 2, 2010
    Posts:
    1,240
    Facebook is a much larger threat to the average citizen's privacy than the NSA. Not saying I agree with the NSA indiscriminately collecting data (I don't), but realistically as an attacker it is much easier for me to grab all of Facebook's data and resell it on the black market. The bottom line is if you give your data to someone on the internet, consider it public knowledge else you are just sticking your head in the sand ignoring the reality of today's world.

    EDIT: This goes for Gmail and all the hosted webmail providers as well.
     
    Last edited: Jan 28, 2014
  10. Arowx

    Arowx

    Joined:
    Nov 12, 2009
    Posts:
    8,194
    This is a bit like the phone hacking debacle in the UK, the newspapers were using 'private investigators' to hack into people's phones. The funny thing is the debate is always about the hacking and hacked celebrities, no one ever seems to mention that we could make our devices more secure.

    So should you complain to the NSA or GCHQ for finding an exploit to monitor you or the device/OS maker for not allowing you to have a secure device?
     
  11. AndrewGrayGames

    AndrewGrayGames

    Joined:
    Nov 19, 2009
    Posts:
    3,821
    The fact that the NSA/GCHQ can piggyback so easily makes me think about the device, OS maker, and app developers instead of spies.

    Don't get me wrong - I'm not OK with spies scooping up every bit of data on everyone; I would like to trust them to be repeatedly and vigorously probing real threats like adversarial governments, terrorist organizations, and other ne'er-do-wells. However, the fact that they can make so little effort to scrape information means there are a lot of parties responsible for this mess, ironically the spies least of all.

    The OS manufacturers usually do an OK job of securing their systems. There are yearly hack tournaments where white hat security research organizations and black-hat hackers who are looking for some easy cash, try to attack various operating systems in various ways. As part of the terms, the details of the hack are immediately reported to the OS manufacturer, and the flaw causing the hole fixed. This is responsible. They could do better, but at least they're trying. I'll throw them a bone on this one.

    The device manufacturers I think are where we're getting cheated a lot more. In the rush for smaller and smaller devices, the inability to have a hard shutoff for things like speakers and cameras is already causing many other security holes, some of which with rather scary implications when criminals are involved. Some security - or at least some options that help - can be done at the hardware level.

    The app makers, this is where I get mad. Sure, social engagement is good for some things, but do we need it freaking everywhere? I say, 'no'. When I play a first-person shooter, the fact that the server logs my IP address has some interesting security ramifications for me the player, but that usually amounts to DDoS attacks from players who like to cheat. What about identity theft? What about stalking? The amount of information about each of us bleeding into the vast internet is crazy.

    There's some things we need to put out there - for anyone with a professional life, of course saying who we are, where we've worked, and things we've done is necessary. Contact information helps, because new jobs can be nice. But, the amount of things that are asked of us is way too much. What's more, most programmers - myself easily included - are not cryptologists or trained in security algorithms. We can half-ass some substitution cipher easily enough, but there are branches of mathematics that deal with encryption - which, our adversaries are well aware of, and know how to use.

    As app developers, I assert we need to do some things:

    1: Stop asking our customers for so much information. Not only is most of it unnecessary for the app in question, it probably won't help us sell more stuff to them in the long run.
    2: Know when to stop solving problems that someone else already has. I'm aware that 'Not Invented Here' is a thing, as an engineer, but when it comes to security applications, someone way smarter than us has already built a more reliable API.
    3: Watch what we send over networks, at all times. As soon as a piece of data leaves the server or the client it is in hostile territory. Spies who misbehave, criminals, or other unsavory types can figure out something nasty to do with that data, unless it's game-specific (in which case they can screw you out of score, which is way less sinister than stealing money, identity, or other bad things.)

    I think if all types of app developers were just a bit more careful we'd have slightly less reason to be so wary of spies, or legitimate threats, for that matter.
     
  12. tiggus

    tiggus

    Joined:
    Sep 2, 2010
    Posts:
    1,240
    I know I personally will not play a game or demo if it asks for personal information, so I would argue it actually hurts sales. What most games need from me - a user/player name, maybe an email address (for validation and news), and preferences that relate to THAT game. Anything outside of that should be irrelevant. You certainly don't need my real name and address, phone number (planning on calling me?), or any of that jazz.
     
  13. Arowx

    Arowx

    Joined:
    Nov 12, 2009
    Posts:
    8,194
  14. LatitudeClear

    LatitudeClear

    Joined:
    Sep 10, 2013
    Posts:
    19
    Certainly the law is lagging behind in Facebook and other mainstream services from selling your information as they please but the real issue here is Government entities doing it to every individual both foreign and domestic without a search warrant, probable cause, or your permission.

    Remember they do have a history of blackmail, death threats, character assassination when it's convenient.

    Martin Luther King Jr was blackmailed by the CIA, they told him that if he didn't kill himself they would send videos of him having sex with another woman to his wife - and they did.

    These are the kind of guys who know more about your life than you do. Ten or 50 years from now they will still have that data, and you will be at the mercy of whatever they deem appropriate.

    Today you look at weird anime furry p**rn, 10 years from now you run as a member of Congress and decide to fight the NSA's power, suddenly those p**rn accounts get leaked to the public, oops. Now who's going to stand up to them?
     
  15. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    15,620
    Yes yes, I understand all of that, which is what I was getting at later on about people being educated about how the Internet / data transmission and storage works just enough to make informed decisions.

    But it's not collecting data for service provision that I'm talking about in my above quote. It's that it boggles me that we're upset about the NSA being able to scoop this stuff but everyone who's talking about it is seemingly oblivious to the fact that if the NSA can do it, then so can other people. The NSA exists to increase our security. The other people..?

    I understand why there's an NSA hate bandwagon, but I can't help but think that it's missing the point in cases like this. Everyone's jumping up and down pointing fingers at the NSA where, to Average Joe out there, identity theft etc. by other sources is probably a far more practical threat, and one that we can do something about. But it's not big enough to make the news...
     
    Last edited: Jan 29, 2014
  16. sicga123

    sicga123

    Joined:
    Jan 26, 2011
    Posts:
    782
    Well it would appear that the NSA have put back doors into a great deal of software and devices. So they may be largely responsible for the inability to totally secure devices and as a result have created the problem of identity theft.
     
  17. jashan

    jashan

    Joined:
    Mar 9, 2007
    Posts:
    3,307
    I do agree that Facebook is a real problem that most people completely underestimate. Just recently, they published a paper where they used the information that people did not post to figure out some interesting stats (how much "self-censorship" is going on on Facebook). In other words: Not only do they transmit metadata of what you type while you type it - before you hit "post" - they also store it. And not only do they store it as some sort of auto-save feature (like this forum here does), and discard it once you hit send, but they keep it permanently persistent.

    So they know at least the meta-data of what you considered posting to Facebook and did not. And they do analyze that data.

    So, yeah, if you are using Facebook, you should educate yourself and be very conscious of what you are doing.

    However, this is nothing compared to the NSA (and "friends"): First of all, it's up to me whether I use Facebook or not. I can opt out, and quite a few people do. And it's up to me what I type into those textboxes or not. If I feel uncomfortable with Facebook tracking what I type while I type, I can do what I did back then when the browsers permanently crashed and there was no auto-save: use a local text editor. There's a gray zone there (people posting pictures of you and tagging them on Facebook without my permission) but in general, with Facebook we do have control of our private information.

    With the NSA, we're talking about a 3rd party that steals all the data it can get. Facebook is just a tiny part of this - and it's included in Big Brother's databases. Plus all (g)mail. Plus so much more: This is not the "common criminal" that steals just your data from Facebook or from Angry Birds ... or from Adobe or Sony. We're talking about an organization that greedily stores and combines anything they can get (and since they have the technical infrastructure they can get everything that's communicated - not only online but also via text messages, phone calls etc.) ... in other words, if someone's doctor confidentially sends information to a lab - or the lab returns confidential information - and they use enough information to identify you as an individual, this information is very likely added to your "file".

    They say no one looks at the data unless there's some legal, good reason ... but they do keep the files on everyone. And how many terrorist acts did they really prevent with all this insane infrastructure? Maybe this whole thing isn't really about protecting our western values. Look at history! [EDIT: Or here ;-) ]

    That's why I disagree that the greater problem is individual companies collecting more data than they should. That is a problem, too, no doubt about that. And at the moment, if we are those companies, it's our responsibility to take as much care as possible with our players' data (only ask for what you really really need, and be careful to protect that information as best as you can even if it may look completely harmless from your perspective). And if we are customers of such companies, it's our responsibility to either not give them the information if we don't know what we're doing - or not even be their customers anymore. Power comes with responsibility - and if you feel powerless, the only real reason is because you dropped your own responsibility (one very common way of doing that is blaming others ;-) ).

    Even if criminals can crack a few companies' databases and that sucks and is a problem - it's nothing compared to an organization that goes so far to compromise security standards in order to more easily access the data, or that installs eavesdropping technology into backbones to be able to catch more. That is not something that common criminals are capable of - as mentioned before: it's a completely different game. Think about it: Even if you go crazy, throw away your smartphone, completely disconnect from the Internet ... but fail to stop texting your girlfriend or having a bank account or going to a doctor that uses email ... or simply leaving your house and walking a street that has cameras installed ... you're still in that Web of surveillance. And since you're acting totally abnormally you can be sure that they'll target you as a potential threat to the established system - because if you opt out, you are.

    And think about this: What if "common criminals" gain access to the data the NSA has? The databases are there and any digital system can be hacked ... let them fall into the wrong hands (assuming the hands this data currently is in isn't the wrong hands already, as discussed before). Such a system will never really prevent crime (because criminals have it in their job description to find ways around any kind of surveillance) - but it's a perfect means to control the world. Especially if people don't understand the full scope of what's going on.

    It's very much like radioactivity: You cannot find it with your senses. You can't hear it, feel it, see it, taste it or smell it. But if it's there, it still has an effect. And once the effect is so strong that you actually notice it - it's already too late. The remedy is education and understanding what's going on. With radioactivity, there's devices you can use - with surveillance, there's the news:


    This does need to be approached from all levels including the political dimension (as mentioned in my previous posting: some countries already do have laws that prevent certain abuses by companies - if your country does not, you might want to consider becoming active ... and it's time that global surveillance is put where it really belongs: into the list of capital crimes against society).

    We should actually create lots and lots of games about this issue so more people become aware!

    Or at least join https://thedaywefightback.org on February 11, 2014 ;-)
     
    Last edited: Jan 29, 2014
  18. Devilbox-Games

    Devilbox-Games

    Joined:
    Jul 3, 2012
    Posts:
    205
    As others have stated, it's not just the fact that the NSA access this information which is the problem, it's that they go out of the way to use their "legal" clout to force backdoors to be left in security standards, underlying software and hardware to be left vulnerable to attack and hardware installed in service backbones of ISPs and network providers in order to allow them to gather all this information into one place. This is not something any old hacker could do, it's something uniquely possible by these large "security" organisations which have free rein and massive resources given to them by the most powerful governments in the world.

    They have thousands of data analysts working with crazy amounts of computational power to gather, collate and inspect all the data they give themselves access to, which is a completely different matter, not to mention an entirely different scale, to someone hacking a website and pulling their database or intercepting wireless packets. If blackhat hackers can gain access to the same data in the same way as the NSA/GCHQ/etc. it will be because of the vulnerabilities and backdoors those organisations have put in place to allow themselves access, not because of fundamental insecurities in the system which would otherwise be there.

    Even if everyone was 100% educated and didn't give private information to apps that wouldn't stop the NSA and friends gathering all this information as they still can and do gather it from other means which are simply impossible to protect yourself from. The only way to avoid having your personal data collected and looked at under a microscope is to live completely off the grid, no internet access, no phones, no utility bills, no bank accounts, nothing, just live in a remote and isolated cabin living off the land.
     
  19. tiggus

    tiggus

    Joined:
    Sep 2, 2010
    Posts:
    1,240
    I didn't say people shouldn't work to change privacy laws for things like the NSA snooping. I am ok with that as I think we all have a reasonable expectation of privacy from our govt.

    However I think most people are completely oblivious about how compromised ANY online business is. See the recent Target, Neiman Marcus, Michael's hacks involving millions of customers. See Apple's developer portal last year. See Google, Microsoft who all have been hacked by China. See any one of a number of network security companies that were hacked last year.

    If you think data is safe forget about it. The hackers are way more advanced than people give them credit for, and in most cases like someone said they target people as the way to get in the door. These aren't Nigerian uncle scam emails any longer, they look like something even a network security professional would open up and click on...boom you just opened a backdoor to your company.

    If it's on the internet or airwaves, it can be compromised, NSA backdoors or no NSA backdoors. The question is really whether your information is interesting enough for someone to care about, not whether they can get it.
     
  20. tectuma

    tectuma

    Joined:
    Nov 26, 2012
    Posts:
    46
    "They who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." - Benjamin Franklin
     
  21. Aiursrage2k

    Aiursrage2k

    Joined:
    Nov 1, 2009
    Posts:
    4,835
    Imagine if Hitler had access to all that info, do you really think the totalitarian control freaks can be trusted with all that data?
     
  22. BrainMelter

    BrainMelter

    Joined:
    Nov 20, 2012
    Posts:
    572
    Wtf is the NSA doing targeting Angry Birds. They'd get far more data from Candy Crush :)
     
  23. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    15,620
    Which is precisely why we need to be vigilant about what we give them, not tell them they shouldn't take it.

    And in this context, "them" is "anyone who might care to be watching or listening".
     
  24. Arowx

    Arowx

    Joined:
    Nov 12, 2009
    Posts:
    8,194
    Just imagine it: get too low a score on Angry Birds and you get a free train ticket to a Butlins Holiday camp with free showers!

    That doesn't even work as an attempt at humor, does it.
     
  25. Arowx

    Arowx

    Joined:
    Nov 12, 2009
    Posts:
    8,194
    What about middleware like Unity, we could be developing games that have the spyware built in or have security vulnerabilities that could be exploited?
     
  26. Dabeh

    Dabeh

    Joined:
    Oct 26, 2011
    Posts:
    1,614
    Get funding from the government in return for putting spyware in your game :D.
     
  27. goat

    goat

    Joined:
    Aug 24, 2009
    Posts:
    5,182
    What?

    The main reason I don't play games is I get sick of filling out my life history every time I want to visit a new web site or play a new game. I already know they resell this information to as many greedy data warehouses and advertising agencies as will pay for it and naturally the government has access to these data warehouses too...

    They are collecting the same data, over and over, again. Guess what? I'm still as boring as ever. And I'm like, wow, I'm so boring and so poor and yet these corporate and government vultures won't leave me alone. Now add in criminal vultures and nationalist, political, religious zealots of all kinds and it's sick. All that money and resources available and they have to spend their limited time on earth trying to make the innocent miserable? At least the government and corporations can now worry about protecting us from criminals and skip right over my boring being.

    Hello, this is the Ayatollah, I understand you browsed Facebook yesterday and cringed at the shared and suggested newsfeed posts of US Farming Industry's Husbandry practices and more than a few 'funny gifs' and 'falsely attributed wisdom filled tips' from the geniuses that were Marilyn Monroe and Albert Einstein. Void where prohibited.

    Guess what...I'm not going to fill out my personal information to use your web site, play your game, take your survey, or win your prize. I may be boring but I'm not that boring.