A new top-secret intelligence document pulled from whistleblower Edward Snowden's trove of confidential material details how CSE (Canada's cybersurveillance agency, the Communications Security Establishment) and GCHQ (Britain's cybersurveillance agency, the Government Communications Headquarters) can "exploit" tracking and advertising data sent from "leaky apps" to reveal information about surveillance targets.
Originally published by Der Spiegel, and first analyzed by Micah Lee at The Intercept, the document reveals a previously unknown program called BADASS that specifically targets smartphone apps.
Organizations such as NSA, CSE, and GCHQ have had a conundrum on their hands when it comes to the sheer amount of data that they collect. While they've been able to suck up internet traffic from all around the world, analyzing that data has proven challenging to these secretive agencies. BADASS can exploit advertising tracking data found in mobile apps in order to determine a target's unique smartphone ID. This, ostensibly, helps to tie together spy data. The more information they can connect to someone's ID—what apps they use, what websites they go on, etc.—the more they can learn about a target.
In CSE and GCHQ's presentation, Angry Birds is used as a prime example of an app that these agencies can exploit. In fact, they brag in that internal document that they "know how bad you are" at the popular animal-catapulting game.
However, it's hard to tell if CSE and GCHQ are serious about their Angry Birds exploit. In a recap of how little we learned about CSE in 2014, VICE reported on a CSE presentation in which the author joked about spying on a message board for hockey fans from the country of "Canuckistan." Der Spiegel missed the humour and reported it as factual that CSE was, in fact, taking on the hockey fans of the nation.
At the time, CSE media relations spokesman Ryan Foreman said in a comment to VICE that the hockey example uses an "obviously fictitious country name and obviously fictitious content."
So, is the agency joking about Angry Birds as well? VICE reached out to Rovio, the developer of Angry Birds, and they insist it's not possible that they're being spied on. In a series of emails, Blanca Juti at Rovio told VICE: "We take the privacy of our fans very seriously and use all legal and technical steps available to ensure their details are secure. Any data that we have is encrypted and all advertising networks providing services to Rovio are well-known and reputable companies."
When asked directly about CSE and GCHQ's reference to Angry Birds, Juti wrote that "the reference to Angry Birds in this case is puzzling and probably based on the popularity of the game. The data is strictly encrypted game related data and is not connected to personal profiles."
Given CSE's penchant for including weird jokes in their top-secret spy program presentations, Angry Birds could be a throwaway example of an app that these agencies could spy on. It's also possible that, in the time since the presentation was released (it's a four-year-old document), Rovio has upgraded their encryption standards. Juti did not immediately respond to a question from VICE about whether or not Angry Birds uses HTTPS, an ostensibly secure form of HTTP, for their tracking data, but they did insist that their privacy and security policies are sound.
The third possibility, however, is that Angry Birds is being exploited and Rovio is simply unaware. When reached for comment, Jonathan Zdziarski, a hacking and forensics expert who specializes in security holes found in mobile apps, told VICE: "It's very likely that developers of mobile applications are appropriately encrypting their traffic as per our current best practices AND that the government has found ways to intercept and decrypt that data for analysis like these slides demonstrate."
We have certainly seen tech companies in the recent past, when faced with revelations about the NSA snooping on their customers, admit they had no idea it was happening—even if those claims have been proven to be somewhat dubious.
Chris Parsons, a cybersecurity researcher at the University of Toronto's Citizen Lab, told me how important programs like BADASS are to agencies like CSE: "Unencrypted analytics and tracking information is essential for today's global surveillance operations. Companies have used it for profit. The NSA and its partners use it to know what sites we read, what kinds of phones we use, and to whom we communicate with."
For that very reason, the Citizen Lab is working closely with a non-profit Chrome extension called TrackerSSL to address this very issue. Its developer, Andrew Hilts, launched the extension yesterday and explained its mission to VICE: "Just like smartphones, the web has a huge problem of leaking personal information through insecure ad trackers. That's why we [my non-profit Open Effect, in collaboration with the Citizen Lab] developed a Google Chrome extension called TrackerSSL to start a conversation about this problem."
So, while it's unclear if Angry Birds is actually a target of CSE and GCHQ's BADASS program, the advertising tracking data within mobile apps are being exploited by these agencies to identify their targets' behaviour online. And they're doing so using the same advertising tracking data that app developers, like Rovio, use to profit from their free software.
When asked directly if the CSE targets Angry Birds to track their targets, VICE was given a standard response: "CSE is a foreign intelligence and cyber defence agency that works to protect Canada and Canadians against serious global threats, such as terrorism and foreign cyber threats. CSE's activities are carried out in support of the Government of Canada's intelligence priorities and are critical in keeping Canadians safe at home and abroad.
For reasons of national security, CSE cannot comment on its methods, techniques or capabilities. CSE conducts foreign intelligence and cyber defence activities in compliance with Canadian law. The independent CSE Commissioner and his staff review CSE's activities. In 17 years, the CSE Commissioner has never found CSE to have acted unlawfully."
Follow Patrick McGuire on Twitter.