NSA using 'leaky apps' like Angry Birds, Google Maps to siphon user data

According to the latest documents from Edward Snowden, the NSA and its British counterpart see smartphones and the data being pulled from popular apps as a "golden nugget" of spy resources.

Nick Statt Former Staff Reporter / News

Relying on data scooped up from so-called leaky apps -- everything from Angry Birds and Google Maps to applications with photo- and location-sharing abilities like Facebook, Flickr, and Twitter -- the NSA and Britain's Government Communications Headquarters have been secretly collecting swaths of personal data about users' age, daily whereabouts, address books, and much more, according to documents provided by Edward Snowden and published in The New York Times, The Guardian, and ProPublica on Monday.

While the existence and extent of the US and British governments' mobile data collection have surfaced in previous reports, the latest documents shed new light on just how far-reaching that collection is and the specific apps the NSA and GCHQ have found most useful in what is referred to as "the mobile surge," an unofficial name for the initiative according to a 2011 British document that compares the operation to that of troop movements in Afghanistan and Iraq.

The mobile app initiative between the two spy agencies has been up and running since 2007, the year the NSA saw its budget balloon from $204 million to $767 million, and was piggybacking on the larger sweeps of phone data for text messages and metadata. The New York Times reports:

"Since then, the agencies have traded recipes for grabbing location and planning data when a target uses Google Maps, and for vacuuming up address books, buddy lists, phone logs and the geographic data embedded in photos when someone sends a post to the mobile versions of Facebook, Flickr, LinkedIn, Twitter and other services."

And thanks to the rate of smartphone adoption, more and more data each year is flowing out from devices and up for grabs; just by updating Android software, the documents revealed, a user uploads nearly 500 lines of collectable data onto the network. While the scope of data collection using smartphone apps is unclear, it is believed that apps introduced earlier to smartphones have proved more fruitful to the spy agencies. This led one NSA analyst to label a 2010 slide "Golden Nugget!" in reference to iPhones and Android devices as prime data resources.

Data of this nature is regularly collected by the makers of these apps with specific opt-in terms of service agreements that many users haphazardly tap through, allowing for things like user location, age, and phone identification codes to be used for advertising purposes.

For instance, Angry Birds creator Rovio has reportedly worked with Baltimore, Md.-based company Millennial Media to help embed ad services that allow the app to generate user profiles, though the Finnish app maker, whose original smartphone game has been downloaded upwards of a billion times, claims that it collects user data with discretion, exempting those 12 years old and under.

The fact that apps existing, at one time or another, on more than a billion devices are collecting such info hands the NSA a treasure trove of information to scoop up, store, and analyze in an effort to cross-reference the information with other intelligence.

Though the specifics of the NSA and GCHQ app data collection methods are not outlined in the documents, it's now abundantly clear that many aspects of our real-world lives can be pieced together using combinations of this leaky app data -- including phone identifiers and triangulating data -- with publicly available information, shared items like tweets and Facebook status updates and uploads, as well as the numerous other geolocating and personal data-hungry services smartphone owners willingly use every day.

These most recent documents do reveal that cookies in particular -- the tracing tool that follows users from one Web location to the next -- are "gathered in bulk, and are currently our single largest type of events," one document reads.

It is not yet known whether any mobile app companies, like Angry Birds creator Rovio, were aware of the operation. "Nothing in the secret reports indicates that the companies cooperate with the spy agencies to share the information; the topic is not addressed," The New York Times reports.

"Rovio doesn't have any previous knowledge of this matter, and have not been aware of such activity in third-party advertising networks," Saara Bergström, Rovio's VP of marketing and communications, told The Guardian. "Nor do we have any involvement with the organizations you mentioned [NSA and GCHQ]."

President Obama earlier this month addressed the NSA spy programs, saying that "the work has begun" on crafting reforms, though he focused mainly on the collection of phone metadata, that particular program's constitutionality, and the perils of such programs in general. Nowhere in his speech did Obama mention the use of smartphone applications. And he did little to address Web data collection and the NSA's relationships with the country's largest tech companies beyond conceding a need for more transparency, as well as calling for measures to allow "communications providers to make public more information than ever before about the orders they have received to provide data to the government."

Despite the multiyear effort and supposed value of smartphone data, the documents outlined the agencies' struggle to make use of it all; apparently crunching one month of NSA cell phone data yielded 8,615,650 "actors," or people of interest, and required 120 computers. The New York Times concluded that the report found nothing suspicious or noteworthy.