This photo provided by The Guardian Newspaper in
London shows Edward Snowden, who worked as a contract employee at the
National Security Agency, on Sunday, June 9, 2013, in Hong Kong.
Documents leaked by Snowden suggest that spy agencies have a powerful
ally in the apps installed on smartphones across the globe. (AP
Photo/The Guardian)
LONDON • Documents leaked by former NSA
contractor Edward Snowden suggest that spy agencies have a powerful ally
in the apps installed on smartphones across the globe.
The documents, published by
The New York Times, the
Guardian, and
ProPublica,
suggest that the mapping, gaming, and social networking apps which are a
common feature of the world's estimated 1 billion smartphones can feed
America's National Security Agency and Britain's GCHQ with huge amounts
of personal data, including location information and details such as
political affiliation or sexual orientation.
The size and scope of
the program aren't publicly known, but the reports suggest that U.S.
and British intelligence easily get routine access to data generated by
apps such as the Angry Birds game franchise or the Google Maps
navigation service.
The joint spying program "effectively means
that anyone using Google Maps on a smartphone is working in support of a
GCHQ system," one 2008 document from the British eavesdropping agency
is quoted as saying. Another document — a hand-drawn picture of a
smirking fairy conjuring up a tottering pile of papers over a table
marked "LEAVE TRAFFIC HERE" — suggests that gathering the data doesn't
take much effort.
The
NSA did not directly comment on the reports but said in a statement
Monday that the communications of those who were not "valid foreign
intelligence targets" were not of interest to the spy agency.
"Any
implication that NSA's foreign intelligence collection is focused on
the smartphone or social media communications of everyday Americans is
not true," the statement said. "We collect only those communications
that we are authorized by law to collect for valid foreign intelligence
and counterintelligence purposes — regardless of the technical means
used by the targets."
GCHQ said it did not comment on intelligence
matters, but insisted that all of its activity was "authorized,
necessary and proportionate."
Intelligence agencies' interest in
mobile phones and the networks they run on has been documented in
several of Snowden's previous disclosures, but the focus on apps shows
how everyday, innocuous-looking pieces of software can be turned into
instruments of espionage.
Angry Birds, an addictive
birds-versus-pigs game which has been downloaded more than 1.7 billion
times worldwide, was one of the most eye-catching examples. The Times
and ProPublica said a 2012 British intelligence report laid out how to
extract Angry Birds users' information from phones running the Android
operating system.
Another document, a 14-page-long NSA slideshow
published to the Web, listed a host of other mobile apps, including
those made by social networking giant Facebook, photo sharing site
Flickr, and the film-oriented Flixster.
It wasn't clear precisely
what information can be extracted from which apps, but one of the slides
gave the example of a user who uploaded a photo using a social media
app. Under the words, "Golden Nugget!" it said that the data generated
by the app could be examined to determine a phone's settings, where it
connected to, which websites it had visited, which documents it had
downloaded, and who its users' friends were. One of the documents said
that apps could even be mined for information about users' political
alignment or sexual orientation.
Google Inc. and Rovio
Entertainment Ltd., the maker of Angry Birds, did not immediately return
messages seeking comment on the reports.
Michael Liedtke in San Francisco contributed to this report.
According to a source knowledgeable about the agency’s operations,
the NSA does analysis of social media similar to that in the GCHQ
demonstration.
National security experts say that both the U.S.
and British operations are within the scope of their respective national
laws. When the Washington Post reported on the MUSCULAR program, the
NSA said in a statement that it is “focused on discovering and
developing intelligence about valid foreign intelligence targets only”
and that it uses “Attorney General-approved processes to protect the
privacy of U.S. persons.”
But privacy experts and former
government officials say the lack of disclosure by the intelligence
agencies inspires public fear that rights of privacy, free speech and
dissent have been infringed.
“Governments have no business knowing
which YouTube videos everyone in the world is watching,” said Chris
Soghoian, chief technologist for the ACLU. “It’s one thing to spy on a
particular person who has done something to warrant a government
investigation but governments have no business monitoring the Facebook
likes or YouTube views of hundreds of millions of people.”
It
might also have a chilling effect on companies like Google. Jason
Healey, former White House cyber czar under George W. Bush, says U.S.
and British intelligence encroachment on the internet is a threat to
everyone, including social media companies.
According to the documents obtained by NBC News, intelligence
officers from GCHQ gave a demonstration in August 2012 that spelled out
to their U.S. colleagues how the agency’s “Squeaky Dolphin” program
could collect, analyze and utilize YouTube, Facebook and Blogger data in
specific situations in real time.
The demonstration showed that
by using tools including a version of commercially available analytic
software called Splunk, GCHQ could extract information from the torrent
of electronic data that moves across fiber optic cable and display it
graphically on a computer dashboard. The presentation showed that
analysts could determine which videos were popular among residents of
specific cities, but did not provide information on individual social
media users.
The presenters gave an example of their real-time
monitoring capability, showing the Americans how they pulled trend
information from YouTube, Facebook and blog posts on Feb. 13, 2012, in
advance of an anti-government protest in Bahrain the following day.
More
than a year prior to the demonstration, in a 2012 annual report,
members of Parliament had complained that the U.K.’s intelligence
agencies had missed the warning signs of the uprisings that became the
Arab Spring of 2011, and had expressed the wish to improve “global”
intelligence collection.
During the presentation, according to a
note on the documents, the presenters noted for their audience that
“Squeaky Dolphin” was not intended for spying on specific people and
their internet behavior. The note reads, “Not interested in individuals
just broad trends!”
But cyber-security experts told NBC News that
once the information has been collected, intelligence agencies have the
ability to extract some user information as well. In 2010, according to
other Snowden documents obtained by NBC News, GCHQ exploited unencrypted
data from Twitter to identify specific users around the world and
target them with propaganda.
The experts also said that the only way that GCHQ would be able to do
real-time analysis of trends would be to tap the cables directly and
store the data or use a third party, like a private company, to extract
and collect the raw data. As much as 11 percent of global internet
bandwidth travels through U.K. internet exchanges, according to Bill
Woodcock, president of PCH, a non-profit internet organization that
tracks and measures and documents fiber infrastructure around the world.
In
the case of the YouTube video information, the surveillance of the
unencrypted material was done not only without the knowledge of the
public but without the knowledge or permission of Google, the U.S.
company that owns the video sharing service.
“We have long been
concerned about the possibility of this kind of snooping, which is why
we have continued to extend encryption across more and more Google
services and links,” said a Google spokesperson. “We do not provide any
government, including the UK government, with access to our systems.
These allegations underscore the urgent need for reform of government
surveillance practices.”
A source close to Google added that
Google was “shocked” because the company had pushed back against British
legislation that would have required Google to store its metadata and
other information for U.K. government use. The legislation, introduced
by Home Secretary Theresa May in 2012, was publicly repudiated by Deputy
Prime Minister Nick Clegg in 2013 and has never become law. May hopes
to reintroduce a modified version this spring.
“It’s extremely
surprising,” said the source, “that while they were pushing for the data
via the law, they might have simultaneously been using their capability
to grab it anyway.”
Encryption would prevent simple collection of
the data by an outside entity like the government. Google has not yet
encrypted YouTube or Blogger. Facebook and Twitter have now fully
encrypted all their data.
Facebook confirmed to NBC News that while its “like” data was
unencrypted, the company never gave it to the U.K. government and was
unaware that GCHQ might have been siphoning the data. The company
assumes the data was taken somewhere outside its networks and data
centers.
“Network security is an important part of the way we
protect user information,” said Facebook spokesman Jay Nancarrow, “which
is why we finished moving our site traffic to HTTPS by default last
year, implemented Perfect Forward Secrecy, and continue to strengthen
all aspects of our network.”
GCHQ would not confirm or deny the
existence of the Squeaky Dolphin program or anything else connected with
this report. The agency declined to answer questions about the scope of
its data collection or how it accessed the datastream.
In a statement, a GCHQ spokesperson emphasized that the agency operated within the law.
“All of GCHQ's work is carried out in accordance with a strict legal and
policy framework,” said the statement, “which ensure[s] that our
activities are authorized, necessary and proportionate, and that there
is rigorous oversight, including from the Secretary of State, the
Interception and Intelligence Services Commissioners and the
Parliamentary Intelligence and Security Committee. All of our
operational processes rigorously support this position.”
A
spokesperson for the NSA said in a statement that the U.S. agency is not
interested in “the communications of people who are not valid foreign
intelligence targets.”
“Any implication that NSA's foreign
intelligence collection is focused on the social media communications of
everyday Americans is not true,” said the statement. “We collect only
those communications that we are authorized by law to collect for valid
foreign intelligence and counterintelligence purposes – regardless of
the technical means used by the targets. Because some data of U.S.
persons may at times be incidentally collected in NSA’s lawful foreign
intelligence mission, privacy protections for U.S. persons exist across
the entire process concerning the use, handling, retention, and
dissemination of data.”
The spokesperson also said that working with foreign intelligence
services “strengthens the national security of both nations,” but that
NSA can’t “use those relationships to circumvent U.S. legal
restrictions.”
Both U.S. and British officials assert that while
their passive collection of electronic communications might have great
breadth, the actual use of the data collected is very targeted, and is
dictated by specific missions. Sources familiar with GCHQ operations
state firmly that this is the case in each of the agency’s operations.
Journalist
Glenn Greenwald was formerly a columnist at Salon and the Guardian. In
late 2012 he was contacted by NSA contractor Edward Snowden, who later
provided him with thousands of sensitive documents, and he was the first
to report on Snowden’s documents in June 2013 while on the staff of the
Guardian. Greenwald has since reported on the documents with multiple
media outlets around the world, and has won several journalism awards
for his NSA reporting both in the U.S. and abroad. He is now helping
launch, and will write for, a new, non-profit media outlet known as
First Look Media that will “encourage, support and empower …
independent, adversarial journalists.”