A new top-secret document obtained from Edward Snowden shows that intelligence agencies from the US, Canada, the UK, New Zealand, and Australia (the “Five Eyes” alliance) targeted weaknesses in a mobile phone browser and other smartphone apps.
The main app that the NSA, CSIS and other organizations were able to harvest user data from is the popular UC Browser app, widely used in China and India. Furthermore, other apps were probed for weaknesses and if an exploit was found, neither the companies who developed those apps nor the general public were informed that their personal data was at risk.
“All of this is being done in the name of providing safety and yet … Canadians or people around the world are put at risk,” says the University of Ottawa’s Michael Geist, one of Canada’s foremost experts on internet law.
In workshops held in 2011 and 2012, a “joint Five Eyes tradecraft team” specifically targeted servers used to provide app updates from the Google Play and Samsung App stores to users.
“What they are clearly looking for are common points, points where thousands, millions of internet users actively engage in, knowing that if they can find ways to exploit those servers, they will be privy to huge amounts of data about people’s internet use, and perhaps use bits and pieces of that to make correlations,” says Geist.
The end goal of the intelligence agencies was to plant spyware on specific user devices in order to monitor their online activities and track their emails, chats, and browsing histories. In order to get around agreements in place not to spy on citizens of member countries, mobile app servers were targeted in other countries including Cuba, Morocco, the Netherlands, Russia, France, Switzerland, and the Bahamas.
In statements provided to the CBC, Canada’s Communications Security Establishment (CSE) and Britain’s GCHQ said that these activities were undertaken in compliance with local laws.
“CSE is mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism,” the agency said in a written statement. “CSE does not direct its foreign signals intelligence activities at Canadians or anywhere in Canada.”
Britain’s counterpart, GCHQ, said all its work “is carried out in accordance with a strict legal and policy framework.”
A Canadian human rights and technology research group, Citizen Lab, uncovered vulnerabilities in UC Browser as recently as this past April and the Android app has since been patched by parent company Alibaba.
As Geist points out, citizens should be troubled that intelligence agencies are using exploits in apps to harvest data as opposed to reporting them to the appropriate developer.
“We should be troubled by the notion of our spy agencies — and in a sense our government — actively looking for vulnerabilities or weaknesses in the software that millions of people are using,” said Geist.