Peek-a-boo, we spy you … again
by Tom Sullivan
Via a 2011 slide presentation leaked by Edward Snowden, The Intercept provides more details on how spy agencies are “building haystacks to search for needles.” By intercepting unencrypted data relayed from smartphone ads and apps to analytics firms and advertisers, British and Canadian spy agencies can compile detailed profiles of individual smartphone users. Advertisers typically collect this information to answer usage questions:
How often does a particular user open the app, and at what time of day? Where does the user live? Where does the user work? Where is the user right now? What’s the phone’s unique identifier? What version of Android or iOS is the device running? What’s the user’s IP address?
But since the data sent from apps is often unencrypted, it represents “a major privacy threat” exploitable by spy agencies. This particular spy program was/is code-named BADASS:
Analysts are able to write BADASS “rules” that look for specific types of tracking information as it travels across the internet.
For example, when someone opens an app that loads an ad, their phone normally sends an unencrypted web request (called an HTTP request) to the ad network’s servers. If this request gets intercepted by spy agencies and fed into the BADASS program, it then gets filtered through each rule to see if one applies to the request. If it finds a match, BADASS can then automatically pull out the juicy information.
And those privacy policies?
Companies that collect usage statistics about software often insist that the data is anonymous because they don’t include identifying information such as names, phone numbers, and email addresses of the users that they’re tracking. But in reality, sending unique device identifiers, IP addresses, IMEI numbers [a unique device identifier], and GPS coordinates of devices is far from anonymous.
In one slide, the phrase “anonymous usage statistics” appears in conspicuous quotation marks. The spies are well aware that despite not including specific types of information, the data they collect from leaky smartphone apps is enough for them to uniquely identify their targets.
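The same kind of rule matching can be pointed at an app's own captured traffic to audit what it sends in cleartext. The sketch below is an added example, not code from The Intercept's report or the leaked slides; the host name, parameter names and sample requests are constructed, and the IMEI is a commonly used test value.

```python
import re
from urllib.parse import urlsplit, parse_qsl

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HEX16_RE = re.compile(r"^[0-9a-f]{16}$", re.I)
COORD_RE = re.compile(r"^-?\d{1,3}\.\d{3,}$")

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; this rejects random 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(value):
    """Return the kind of identifier a parameter value looks like, or None."""
    if re.fullmatch(r"\d{15}", value) and luhn_ok(value):
        return "imei"
    if UUID_RE.match(value) or HEX16_RE.match(value):
        return "device_id"
    if COORD_RE.match(value) and abs(float(value)) <= 180:
        return "gps_coordinate"
    return None

def audit_request(url):
    """List (param, kind) pairs readable by anyone on the network path."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return []  # over https the query string is not visible in transit
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        kind = classify(value)
        if kind:
            findings.append((name, kind))
    return findings

# Constructed sample requests to a hypothetical ad host.
SAMPLES = [
    "http://ads.example.test/v1/ad?imei=490154203237518&lat=51.50735&lon=-0.12776&os=android-4.4",
    "http://ads.example.test/v1/ad?uid=3f2c9a7e-1b4d-4c8a-9e2f-0a1b2c3d4e5f&app=demo",
    "https://ads.example.test/v1/ad?imei=490154203237518",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", audit_request(url))
```

Any finding on an `http://` request is data that a privacy policy calling it "anonymous" does not protect; moving the request to TLS removes it from view in transit but not from the ad network itself.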
It’s going to be tough on screenwriters for Hollywood spy thrillers. How are we to suspend our disbelief when what used to be the stuff of fiction no longer is? At the end of the spy comedy The President’s Analyst, androids from the shadowy TPC have the entire world under surveillance. In 1967, that knock on The Phone Company was a joke.