
US and UK spy agencies scoop up private data from 'leaky' phone apps - weu
http://www.theguardian.com/world/2014/jan/27/nsa-gchq-smartphone-app-angry-birds-personal-data
======
suprgeek
Many interesting "nuggets" buried in this report. For example:

...A more sophisticated effort, though, relied on intercepting Google Maps
queries made on smartphones, and using them to collect large volumes of
location information.

So successful was this effort that one 2008 document noted that "[i]t
effectively means that anyone using Google Maps on a smartphone is working in
support of a GCHQ system."

At this point it is perhaps not wrong to conclude that the whole internet is
bjorked by these agencies. Open to snooping and manipulation at any and every
level for any user.

It is time for a reboot, this time with much more focus on security.

~~~
cryoshon
That was in 2008. Imagine what else they've been able to jimmy in 6 years!

I'm still waiting on the reveal that they've stored geolocational data at
regular timepoints of every X minutes.

~~~
jonknee
> I'm still waiting on the reveal that they've stored geolocational data at
> regular timepoints of every X minutes.

Considering Apple did that on your behalf I would be surprised if this was
_not_ the case.

[http://bits.blogs.nytimes.com/2011/04/20/3g-apple-ios-
device...](http://bits.blogs.nytimes.com/2011/04/20/3g-apple-ios-devices-
secretly-storing-users-location/)

~~~
gress
Apple didn't store users location data. Cell tower positrons were cached on
iOS _devices_ , and this was turned into a false controversy because
sensationalism sells. Citing this piece as if it asserts that Apple collects
user location data in the way the parent poster fears the NSA might do is
dishonest.

~~~
jonknee
Apple programmed a feature that cached all location data on a file on the
iPhone. GCHQ's linked PowerPoint says "If it's on the phone, we can get it".
Ergo, GCHQ and the NSA certainly had access to your cached location data if
they wanted it. Maybe Apple intended this to be the case, maybe Apple did not,
but the mere fact that the file existed is enough that it most certainly could
have been scooped up by spooks.

~~~
gress
No. "All the location data" was not cached. Only cell tower locations.

"Maybe apple intended this to be the case" is baseless innuendo and has no
place here.

"If it's on the phone, we can get it" has separately been shown only to apply
when the agencies have _physical access_ to the device to extract data or
implant malware.

You seem to want to spread the idea that spies can access the real-time
location of your iPhone remotely - which is what the parent post was fearing,
but for which there is no evidence. What is your motive here?

~~~
nitrogen
Cell tower data is sufficient to determine phone location via triangulation.
Additionally, spies can get real-time data from the carrier directly, as can
law enforcement.

The parent comment said nothing about _real-time_ access, but if someone has a
remote exploit that gives filesystem access (and if jailbreakers can do it,
then the NSA can, too), that location data file would provide a detailed
history of the phone's location.

~~~
gress
No. Triangulation requires near-simultaneous signal strength readings from
multiple towers at the time the position is to be computed.

The cell tower cache you refer to does not contain that kind of data, so the
data file des not provide a detailed history of the phones location. This has
been shown by the people who investigated the file.

An extremely coarse location, to the resolution of cell towers _can_ be
obtained from the file, but as we know, that is available to the phone network
anyway.

The parent comment talks about geolocation data at regular X minute intervals.
This file does not provide that. Nor does it provide any information that the
NSA can't get via the cell network about any phone. Indeed the network likely
_can_ provide triangulation.

The link you referenced is nothing but innuendo intended to implicate 'Apple'
somehow.

------
CWuestefeld
_One slide from a May 2010 NSA presentation on getting data from smartphones –
breathlessly titled "Golden Nugget!" – sets out the agency's "perfect
scenario": "Target uploading photo to a social media site taken with a mobile
device. What can we get?"_

To me, this is quite telling.

The NSA is not considering what data they need to achieve their mission, and
then trying to find that data. Instead, they're just looking for "what can we
get", and worry later about how it might be useful (or legal!).

This is no way to run a successful organization in the 21st century.

~~~
rdl
Why not? It is technically feasible. There was essentially no legal oversight
at NSA or GCHQ.

It seems like they responded correctly to the incentives they were given. The
problem is with the legislature (and the judiciary), voters, and the media.

~~~
DerpDerpDerp
Why should our government agencies not commit crimes just because no one is
looking?

I'm just going to assume you were being sarcastic and move on.

~~~
rdl
I'm specifically questioning "no way to run a successful organization"; it was
morally wrong (and legally, but there's no legal oversight, so that doesn't
matter), but in no way hindered their success at their mission.

So, because it's not hurting them in terms of success to operate this way,
there's a need for external controls to prevent it. If being all-collecting
hurt their _effectiveness_ , we wouldn't need any new controls, because they'd
be replaced for being unsuccessful.

~~~
DerpDerpDerp
> in no way hindered their success at their mission

Except that their mission is deeply compromised by their actions: they've
lowered domestic cyber-security, undermined the rule of law, and deeply shaken
the public confidence in the armed forces - all of which are contrary to their
core mission.

They seem to have lost sight of their high level goals in their quest for more
power to accomplish specific secondary tasks.

------
cryoshon
So they're spying on the children playing Angry Birds in the name of
preventing terrorism. I bet the data they're gathering has saved a lot of
lives.

This is just one more strike into the already well-beaten dead horse of an
argument that the NSA is spying in the name of preventing terrorism.

I will spell it out: the goal of the NSA surveillance is omniscience in the
name of preserving the power of the state. They have made great progress
toward this ideal.

~~~
ommunist
What about leaking bookmarks from Al-Quran app?

~~~
cryoshon
Still a ridiculous unneeded incursion onto an individual's right to be left
alone when they aren't hurting anyone.

As violent and primitive as the Islamic fundamentalists are, the vast, vast,
vast majority of the world's 1.6 billion Muslims are not fundamentalists, nor
are they terrorists, nor do they aid terrorists.

The phrases that people bookmark in a religious app book are a very far cry
from demonstrable intent to commit violence, anyway. If you spied on
everyone's bookmarks in religious text apps, I'm fairly certain that if you
pitched it properly you could depict my own gentle mother as a genocidal
crusader.

~~~
Crito
While I would agree that the "vast, vast, vast" majority of Muslims do not
present a threat to national security, it is going too far to say that the
"vast, vast, vast" majority are not fundamentalists.

The majority are almost certainly not, but a frighteningly large minority are.
For example, only 54% of Muslims in Turkey believe that suicide bombings are
never justified, and 16% believe that they are sometimes or often justified:
[http://www.pewglobal.org/2013/09/10/muslim-publics-share-
con...](http://www.pewglobal.org/2013/09/10/muslim-publics-share-concerns-
about-extremist-groups/#suicide-bombing)

This should not be particularly surprising. Fundamentalism also runs strong in
Christianity. Nearly half of all Americans are creationists, believing that
the earth is only a few thousand years old, and that people did not evolve
_(we 're not talking Catholic-style "god used evolution" creationism here,
we're talking straight up "literal talking snake" creationsim)_:
[http://www.gallup.com/poll/155003/hold-creationist-view-
huma...](http://www.gallup.com/poll/155003/hold-creationist-view-human-
origins.aspx)

People take religion seriously, film at 11.

~~~
judk
"Fundamentalist" is code for militant here, and you knew that.

What percent of Americans believe drone attacks are justified?

What does "fundamentalism" have to do with any of this?

------
falcolas
Anymore, it seems prudent to simply assume that if you use the internet at
all, all of the details about you are available to determined individuals,
public or private. Even details you've never consciously given out over the
internet are available to those with the power and desire to infer from your
browsing datasets (see: Target and the pregnant daughter).

Someone, please tell me I'm wrong.

~~~
aryastark
I'm afraid it's much worse than that, even. You don't even need to use the
internet.

You can be walking down the street and an hour later, unbeknownst to you, your
picture makes it to the front page of reddit. It could be that you were
skipping work that day, and told your boss you were sick. Or perhaps picking
up an engagement ring.

This sort of free-for-all will only get worse as technologies like Google
Glass and the so-called "Internet of Things" become mainstream. Your life is
now a commodity for internet voyeurism and, possibly, witch hunts.

The tech is ripe for turning citizens against citizens. "Turn in your neighbor
for un-American activities" sort of stuff.

------
hackoder
(Copied from
[https://news.ycombinator.com/item?id=7132790](https://news.ycombinator.com/item?id=7132790))

If you're using Android, I'd highly recommend using a combination of XPrivacy
[1] and Android Firewall [2] (iptables frontend).

To make your life easier, disallow everything from accessing the net in
Android Firewall. Then, for those apps which you've allowed net access,
further tweak what they're allowed to access in XPrivacy. As a rule, turn off
account info, clipboard, location, contacts, and storage.

Not perfect, but a decent solution.

[1] [https://github.com/M66B/XPrivacy](https://github.com/M66B/XPrivacy)

[2]
[https://play.google.com/store/apps/details?id=com.jtschohl.a...](https://play.google.com/store/apps/details?id=com.jtschohl.androidfirewall)

~~~
fulafel
Better yet, only use Android as a game console / YouTube viewer with no
personal info or real Google ID. Web browsing only through Firefox that can
use some privacy addons.

------
fit2rule
The only solution is to move to a phone OS that is 100%, completely, open.
I.e. Not even apps developers are allowed to ship blobs - its All-Source-Code,
All-The-Time.

I know, its a highly unlikely scenario, but I can't help but feel in the midst
of this human rights disaster, Open Source can come to the rescue.

~~~
joosters
That's not enough. Take the Google maps example, for instance. I bet the NSA
could grab the same data from an open-source map app that used OpenStreetMap
data. They can infer your location based upon the set of map tile URLs that
your phone is loading over the network.

No need for any code weaknesses in the app. Open source is not your saviour
here!

~~~
pgeorgi
many OSM apps provide offline vector data. works without data connection and
also leaks less information - the most you can infer from those downloads is
that people are interested in mapping data of a certain area.

------
Learjet
Ridiculous,seems like they are taking data and storing it and waiting to get
subpoenas to look into and analyze the data later. Welcome to the new world
order where your every movement is known.

~~~
er35826
Don't be alarmed citizen. They only 'know' about your movements if they
actually look at them. Until then, they don't 'know' anything as long as it
sits in their archives untouched.

~~~
ryoshu
It's a bit more Orwellian than that. The NSA claims it doesn't "collect" data
until it looks at the data. Somehow the data magically appears in its
databases, but it isn't collected.

~~~
DanBC
If a tree falls in a forest etc.

These caches of information exist all over the place. While I'd prefer
NDA/GCHQ to not slurp and store this stuff at least they have a duty to keep
it secret. I am a lot more bothered by my ISP keeping that stuff. They're a
lot less competant and have many fewer access controls.

~~~
zAy0LfpBZLC8mAC
Which access controls do they have and how do you know? And how is that
consistent with Snowden leaking all those documents?

------
acd
I will quote United nations declaration of human rights: Article 12

"No one shall be subjected to arbitrary interference with his privacy, family,
home or correspondence, nor to attacks upon his honour and reputation.
Everyone has the right to the protection of the law against such interference
or attacks."

Privacy or correspondence... "No one shall be subjected to arbitrary
interference with his privacy, family, home or correspondence"

------
pirateking
The only fix to our information, privacy, and security pop culture is
destroying the whole system, and building a new one holistically with a focus
on security and education at the lowest levels of the system. This almost
certainly means destroying computing as we know it as a prerequisite.

 _“Once you have something that grows faster than education grows, you 're
always going to get a pop culture.” - Alan Kay_

------
minimax
_Exploiting phone information and location is a high-priority effort for the
intelligence agencies, as terrorists and other intelligence targets make
substantial use of phones in planning and carrying out their activities, for
example by using phones as triggering devices in conflict zones._

That's a good point and a good reason why it's irresponsible for these
newspapers to post the details about this technology. This kind of CI doesn't
work as well once everybody knows what you're doing. It also gives a road map
to more oppressive governments looking for ways to spy on their citizens.

 _The documents do not make it clear how much of the information that can be
taken from apps is routinely collected, stored or searched, nor how many users
may be affected._

Right, so this is just publishing some details of NSA/GCHQ counterintelligence
technology without saying how they are using it. Unless they have some
evidence of wide scale deployment of these techniques, how is this surprising?
Do we not expect spy agencies to develop surveillance technology?

~~~
guelo
> It also gives a road map to more oppressive governments looking for ways to
> spy on their citizens.

This is just sad. Western governments are the oppressive governments. That we
have the “moral high ground” is a lie that’s been used as a weapon by these
same warmongering immoral people that have always been in charge. “American
exceptionalism” is an immoral indefensible position.

To still be trying to state that our governments are the only ones morally
worth to use these military weapons, after all the revelations of torture,
lying into war, detaining people for life without trial, kidnaping,
assassinations, spying, etc, is to willfully refuse to break out of the
military propaganda that you've been subjected to.

~~~
minimax
_Western governments are the oppressive governments._

If you think Western governments are the oppressive ones, what do you think
about the governments of China, Russia, and Iran?

~~~
DerpDerpDerp
The US has 1.5 times the number of prisoners as China, with 6.3 times as many
per capita.

The US has 2.5 times the number of prisoners as Russia, with 1.2 times as many
per capita.

The US has 27.5 times the number of prisoners as the UK, with 5.0 times as
many per capita. (Interestingly, China has less prisoners per capita than the
UK.)

So you can make a lot of points about the relative quality of those prison
experiences (and they might be valid points), but in terms of sheer volume of
people that are incarcerated by their own government, the US outstrips both
China and Russia by a wide margin - in both absolute and per capita terms.

------
winslow
I'm sure they are finding and identifying tons of "terrosim threats" by
looking at angry birds data... /s

If anything they are just making it harder to find the needle (terrorist
threat) in the haystack (their dragnet of data). At the end of the day maybe
they don't care about finding the needle anymore.

~~~
JoeAltmaier
All kinds of data are interesting. You've seen episodes of CSI. Position data
scraped from some app, any app, can come in useful but only when you want to
track somebody. Who to track is a different problem.

Its not all about finding criminals. But when you've found one, you want to
know where he's at, who he's associating with etc.

~~~
winslow
Absolutely data is interesting. However, just because it is interesting
doesn't mean it is useful to catch a terrorist. The US Government / NSA is
creating more enemies then it is "catching" right now. Since when did the
American citizen become the default criminal especially one that commits act
of terrorism?

------
fredgrott
Curious, how many app devs are doing security/permissions audits?

On Android java side we have a tool called:

sable/soot

Which I am recently learning to use..

~~~
pydave
You mean this: [https://github.com/Sable/soot](https://github.com/Sable/soot)
?

> Soot is a Java optimization framework

Seems to be a Java static analysis tool and not related to Android permissions
(although maybe related to security).

------
ommunist
Hmmm.... I can see how open source app can exist on githib and in your iTunes
if you have Developer Account. But can you be sure it is 100% open source once
it went through the AppStore gates? I am just asking.

~~~
rimantas
Can you be sure about that for any binary you did not compile yourself? And if
being more paranoid: can you be sure about that for any binary you did not
compile yourself using compiler you compiled yourself?

~~~
ommunist
That is exactly my point. Thank you for understanding.

------
username223
Between this and the recent credit card and identity leaks by Target and
others, I really wish people would connect the dots. If companies are grabbing
and storing incredible amounts of information about millions of people, that
information will inevitably get the attention of spammers, scammers, stalkers,
criminals, governments, and anyone else who could possibly put it to use. The
solution is to limit what companies collect in the first place.

------
nly
AFWall+ doesn't hurt, if you can get the damn thing to work (I seem to have
issues with loads of apps that require root on my Nexus 4)

[https://play.google.com/store/apps/details?id=dev.ukanth.ufi...](https://play.google.com/store/apps/details?id=dev.ukanth.ufirewall)

------
CryptcWriter
Is any of this really a surprise to any of you?

------
seanr
There ought to be more emphasis that these documents are circa 07/08\. HTTPS
websites were an oddity back then.

~~~
Karunamon
Indeed! 2008 is 5+ years ago. 5 years in tech is a couple of eternities.

~~~
thematt
On both sides. You should assume they have broader and deeper capabilities
now.

