If you find yourself stuck in an Angry Birds’ level, call up the National Security Agency (NSA) or UK’s GCHQ and they might help you out. After all, based on the latest leaks from Edward Snowden, these agencies have been keeping a close eye on the games people play. Here’s what’s going on and why you should care.
How does the spying affect me?
Do you own a smartphone or tablet? Do you use it to connect to the internet? If yes, the Angry Birds saga directly affects you. Chances are you will get angrier than those birds when you realise how much of your personal life leaks out for any spy agency to tap into by just going online. This includes where you are, have been, the route you took to get there, your contact list, call history, what apps you use, when, how, and for how long.
In fact, there is a lot more that can be captured. For example, by merely updating an Android app, the user uploads about 500 lines of collectable data on to the network. As Ronald J. Deibert, author of Black Code: Inside the Battle for Cyberspace, writes in the book, “[We are] carrying around digital dog tags as we go about our daily lives.”
How is it different from computer surveillance?
The smartphone has been a boon for spy agencies. Tapping into hardware sensors and apps on tablets and phones yields far more intimate and real-time data than hacking into a computer. With advanced tools that agencies such as NSA and GCHQ have apparently built, your device’s microphone and cameras can be controlled remotely — effectively turning you into the agencies’ eyes and ears. Even the power management feature can be fiddled with, allowing them to remotely switch on a device.
Using mobile devices and apps to mine data has been nicknamed the Mobile Surge by spy agencies and, apparently, it has been going on since 2007.
By some estimates more than $1 billion (about Dh3.67 billion) has already been spent on this venture.
Does it only affect games?
The documents leaked by Snowden have thrown up names such as Rovio’s Angry Birds (downloaded 1.7 billion times), Candy Crush Saga, Pinterest bulletin boards, Google Plus, mobile versions of Facebook, Flickr, Twitter, and even YouTube. If an app is doing well, it’s not just users but also spooks who are interested in it. These are known as leaky apps, with golden nuggets of personal data.
Security firm BitDefender audited 836,021 apps in the Android Play Store. Turns out, more than a third can track your location, almost 10 per cent can read your contact list, more than 5 per cent can access and analyse your private photos, while a sizeable minority leak your email id, phone book, call history and other personal data. This information flows unencrypted over the internet, and is visible to anyone looking for it.
MetaIntell, which specialises in mobile risk management, analysed apps available on multiple app stores and discovered that more than 92 per cent of them used unsecure communication protocols. About 20 per cent could, without user consent or knowledge, load external applications either locally or remotely.
It would be a mistake to assume you will find a safe haven on the iPad. As security firm Zscaler discovered when it scanned the 25 most popular apps across five categories, 96 per cent of iOS apps ask for your email id, 92 per cent want to go through your address book, 84 per cent check your location, 52 per cent access the camera and 32 per cent go through your calendar.
What if I stick to business apps on my tablet?
HP’s security app Fortify on Demand recently examined more than 2,000 mobile apps from more than 600 companies to access the current state of mobile application security. “The results,” according to HP’s website, “revealed alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.”
An astounding nine out of ten of the mobile apps tested had some form of serious vulnerability. About 97 per cent of the apps “inappropriately accessed private information sources within a device”, while 86 per cent “lacked the means to protect themselves from common exploits”, stated the report.
Why do app developers want all this information?
Firstly, it is to better understand how you use an app and, if it crashes, to analyse what went wrong. This leads to fine-tuning and enhanced versions.
Secondly, while apps may be free for you, it does not mean developers don’t make money off them. They usually plug in ads, which, in turn, track user behaviour to better target potential customers. Developers can also make money by selling user information to advertisers and third parties. Some of these parties might have a more lenient understanding of privacy than what you originally signed up for. As Rovio’s CEO, Mikael Hed, says, “In order to protect our end users, we will, like all other companies using third-party advertising networks, have to re-evaluate working with these networks if they are being used for spying.”
Thirdly, it is a combination of lazy coding and future-proofing — it is easier to just ask for all kinds of permissions than be selective about it. Besides, as the app evolves, it might need to access more of the tablet — so might as well ask for blanket permissions, just in case they are needed in future versions.
But I did not grant them so many permissions!
Chances are you did. It was in the fine print that you agreed to without reading. When you install an app you are told about the privacy settings and what the app will access, analyse or send out. But most people do not read such long, obtuse pieces of legalese. And, in many cases, they are designed not to be read. Most probably, if you were asked for permission in simple language, you would flatly refuse.
Are developers in cahoots with spy agencies?
That would be a fantastic conspiracy theory. But the key point here is that the agencies are riding piggyback on and repurposing what the apps track. Since the majority of data flows over an open network they don’t need to bribe developers. For example, when you upload a photo to Twitter or Facebook, metadata such as time and location is automatically removed. However, for the image to reach from your tablet to its online destination, it has to travel through a bunch of connected computers and networks — giving agencies enough opportunities to look over your shoulders en route.
