Page 2 of 2

How Hackers and Software Companies are Beefing Up NSA Surveillance

Companies like Endgame Systems have for years sold information and digital loopholes to the NSA to help bolster spying.

Fri Feb. 7, 2014 12:50 PM EST

Harvesting your Data

Among the Snowden documents was a 20-page 2012 report from the Government Communications Headquarters—the British equivalent of the NSA—that listed a Baltimore-based ad company, Millennial Media. According to the spy agency, it can provide "intrusive" profiles of users of smartphone applications and games. The New York Times has noted that the company offers data like whether individuals are single, married, divorced, engaged, or "swinger," as well as their sexual orientation ("straight, gay, bisexual, and 'not sure'").

How does Millennial Media get this data? Simple. It happens to gather data from some of the most popular video game manufacturers in the world. That includes Activision in California which makes Call of Duty, a military war game that has sold over 100 million copies; Rovio of Finland, which has given away 1.7 billion copies of a game called Angry Birds that allows users to fire birds from a catapult at laughing pigs; and Zynga—also from California—which makes Farmville, a farming game with 240 million active monthly users.

In other words, we're talking about what is undoubtedly a significant percentage of the connected world unknowingly handing over personal data, including their location and search interests, when they download "free" apps after clicking on a licensing agreement that legally allows the manufacturer to capture and resell their personal information. Few bother to read the fine print or think twice about the actual purpose of the agreement.

The apps pay for themselves via a new business model called "real-time bidding" in which advertisers like Target and Walmart send you coupons and special offers for whatever branch of their store is closest to you. They do this by analyzing the personal data sent to them by the "free" apps to discover both where you are and what you might be in the market for.

When, for instance, you walk into a mall, your phone broadcasts your location and within a millisecond a data broker sets up a virtual auction to sell your data to the highest bidder. This rich and detailed data stream allows advertisers to tailor their ads to each individual customer. As a result, based on their personal histories, two people walking hand in hand down a street might get very different advertisements, even if they live in the same house.

This also has immense value to any organization that can match up the data from a device with an actual name and identity—such as the federal government. Indeed, the Guardian has highlighted an NSA document from 2010 in which the agency boasts that it can "collect almost every key detail of a user's life: including home country, current location (through geolocation), age, gender, zip code, marital status…income, ethnicity, sexual orientation, education level, and number of children."

In Denial

It's increasingly clear that the online world is, for both government surveillance types and corporate sellers, a new Wild West where anything goes. This is especially true when it comes to spying on you and gathering every imaginable version of your "data."

Software companies, for their part, have denied helping the NSA and reacted with anger to the Snowden disclosures. "Our fans' trust is the most important thing for us and we take privacy extremely seriously," commented Mikael Hed, CEO of Rovio Entertainment, in a public statement. "We do not collaborate, collude, or share data with spy agencies anywhere in the world."

RSA has tried to deny that there are any flaws in its products. "We have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use," the company said in a statement on its website. "We categorically deny this allegation." (Nonetheless RSA has recently started advising clients to stop using the Dual Elliptical Curve.)

Other vendors like Endgame and Millennial Media have maintained a stoic silence. Vupen is one of the few that boasts about its ability to uncover software vulnerabilities.

And the NSA has issued a Pravda-like statement that neither confirms nor denies the revelations. "The communications of people who are not valid foreign intelligence targets are not of interest to the National Security Agency," an NSA spokeswoman told the Guardian. "Any implication that NSA's foreign intelligence collection is focused on the smartphone or social media communications of everyday Americans is not true."

The NSA has not, however, denied the existence of its Office of Tailored Access Operations (TAO), which Der Spiegel describes as "a squad of [high-tech] plumbers that can be called in when normal access to a target is blocked."

The Snowden documents indicate that TAO has a sophisticated set of tools at its disposal—that the NSA calls "Quantum Theory"—made up of backdoors and bugs that allow its software engineers to plant spy software on a target computer. One powerful and hard to detect example of this is TAO's ability to be notified when a target's computer visits certain websites like LinkedIn and to redirect it to an NSA server named "Foxacid" where the agency can upload spy software in a fraction of a second.

Which Way Out of the Walled Garden?

The simple truth of the matter is that most individuals are easy targets for both the government and corporations. They either pay for software products like Pages and Office from well known manufacturers like Apple and Microsoft or download them for free from game companies like Activision, Rovio, and Zynga for use inside "reputable" mobile devices like Blackberries and iPhones.

These manufacturers jealously guard access to the software that they make available, saying that they need to have quality control. Some go even further with what is known as the "walled garden" approach, only allowing pre-approved programs on their devices. Apple's iTunes, Amazon's Kindle, and Nintendo's Wii are examples of this.

But as the Snowden revelations have helped make clear, such devices and software are vulnerable both to manufacturers' mistakes, which open exploitable backdoors into their products, and to secret deals with the NSA.

So in a world where, increasingly, nothing is private, nothing is simply yours, what is an Internet user to do? As a start, there is an alternative to most major software programs for word processing, spreadsheets, and layout and design—the use of free and open source software like Linux and Open Office, where the underlying code is freely available to be examined for hacks and flaws. (Think of it this way: if the NSA cut a deal with Apple to copy everything on your iPhone, you would never know. If you bought an open-source phone—not an easy thing to do—that sort of thing would be quickly spotted.) You can also use encrypted browsers like Tor and search engines like Duck Duck Go that don't store your data.

Next, if you own and use a mobile device on a regular basis, you owe it to yourself to turn off as many of the location settings and data-sharing options as you can. And last but hardly least, don't play Farmville, go out and do the real thing. As for Angry Birds and Call of Duty, honestly, instead of shooting pigs and people, it might be time to think about finding better ways to entertain yourself. Pick up a paintbrush, perhaps? Or join an activist group like the Electronic Frontier Foundation and fight back against Big Brother.

Pratap Chatterjee, a TomDispatch regular, is executive director of CorpWatch and a board member of Amnesty International USA. He is the author of Halliburton's Army and Iraq, Inc.

