New Snowden doc: NSA targeted mobile phones, app stores

The Intercept and the CBC teamed up on a new report today from the Snowden cache of purloined documents that reveals the efforts by the US and its allies to penetrate cell phones and mobile devices. Not only were intelligence agencies hoping to cull new information, they also hoped to use the program to plant misinformation. But does this merit a new round of outrage directed at the NSA, or at Snowden?

Canada and its spying partners exploited weaknesses in one of the world’s most popular mobile browsers and planned to hack into smartphones via links to Google and Samsung app stores, a top secret document obtained by CBC News shows.

Electronic intelligence agencies began targeting UC Browser — a massively popular app in China and India with growing use in North America — in late 2011 after discovering it leaked revealing details about its half-billion users.

Their goal, in tapping into UC Browser and also looking for larger app store vulnerabilities, was to collect data on suspected terrorists and other intelligence targets — and, in some cases, implant spyware on targeted smartphones.

The 2012 document shows that the surveillance agencies exploited the weaknesses in certain mobile apps in pursuit of their national security interests, but it appears they didn’t alert the companies or the public to these weaknesses. That potentially put millions of users in danger of their data being accessed by other governments’ agencies, hackers or criminals.

The program’s name was “IRRITANT HORN,” a rather amusing code name, given what the Snowden revelations have been to the NSA for the past two years. The NSA and its “Five Eyes” partners in Canada, Australia, the UK, and New Zealand penetrated the app stores for these devices. That allowed them to have permanent connections to the devices that connected to those stores, and to deliver spyware for data collection and dissemination. But from whom, and to where?

But the agencies wanted to do more than just use app stores as a launching pad to infect phones with spyware. They were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations that are used to spread propaganda or confuse adversaries. Moreover, the agencies wanted to gain access to companies’ app store servers so they could secretly use them for “harvesting” information about phone users.

The project was motivated in part by concerns about the possibility of “another Arab Spring,” which was sparked in Tunisia in December 2010 and later spread to countries across the Middle East and North Africa. Western governments and intelligence agencies were largely blindsided by those events, and the document detailing IRRITANT HORN suggests the spies wanted to be prepared to launch surveillance operations in the event of more unrest.

The agencies were particularly interested in the African region, focusing on Senegal, Sudan and the Congo. But the app stores targeted were located in a range of countries, including a Google app store server located in France and other companies’ app download servers in Cuba, Morocco, Switzerland, Bahamas, the Netherlands and Russia. (At the time, the Google app store was called the “Android Market”; it is now named Google Play.)

The project seemed to be effective, too:

According to the top-secret document, the agencies discovered that the UC Browser app was leaking a gold mine of identifying information about its users’ phones. Some of the leaking information apparently helped the agencies uncover a communication channel linked to a foreign military unit believed to be plotting “covert activities” in Western countries. The discovery was celebrated by the spies as an “opportunity where potentially none may have existed before.”

This is where the issue gets murky. If the NSA and the other agencies conducted surveillance and covert operations on foreign users of these systems, then they didn’t do anything illegal in the US or in the partners’ own countries. The Intercept’s Ryan Gallagher tries to make the issue less about legality and more about tech ethics:

The case strikes at the heart of a debate about whether spy agencies are putting ordinary people at risk by secretly exploiting security flaws in popular software instead of reporting them so that they can be fixed.

There’s an actual debate about this? That’s the issue driving this disclosure? Yes, criminal hackers can exploit these weaknesses, and some intel agencies actually defend against industrial espionage for that reason. However, the mission of US intelligence is national security, not improving the quality of private-sector tech products. The main mission is to keep ordinary people from the risk of attack — these days, more by terrorists than other nations — and they exploit lots of vulnerabilities to accomplish that, not just in tech.

This is another example where the Snowden exposure has crossed the line from whistleblowing to nihilism for nihilism’s sake. If the NSA conducted this kind of surveillance on US persons (a legal term), then this is a big story. If they didn’t, then all this does is expose an avenue of intel collection that appears legal and useful, not to mention non-fatal. Nothing at The Intercept suggests that it’s the former, which makes this disclosure incredibly irresponsible.