US and British spies 'get personal data from Angry Birds'
US and British spy agencies routinely try to gain access to personal data from Angry Birds and other mobile applications, a report says.
A National Security Agency (NSA) document shows location, websites visited and contacts are among the data targeted from mobile applications.
It is the latest revelation from documents leaked by Edward Snowden.
In a statement, the NSA said it was not interested in data beyond "valid foreign intelligence targets".
"Any implication that NSA's foreign intelligence collection is focused on the smartphone or social media communications of everyday Americans is not true," the statement said.
From the very start, the Snowden revelations have thrown a spotlight on the tech sector as well as the intelligence agencies.
In some cases, it was clear they were complying with laws - for instance providing metadata - but having to do so secretly. That is something they have now won the right to disclose at least a little more.
In other cases, it appears that some companies might have been doing more than they strictly had to leading to awkward questions.
And in other cases, the intelligence agencies appear to have been hacking into the companies - for instance their internal data links - without knowledge or permission.
The more publicity that this has all attracted the more the companies have distanced themselves from government with expressions of anger and calls for more transparency.
In the case of the latest Angry Birds and Squeaky Dolphin revelations, it appears that NSA/GCHQ are effectively piggybacking off customer data that companies designing software - whether Rovio or Google - collect themselves and without the companies knowing.
This will anger the companies, not least because it may throw a spotlight on just how much personal information they collect from ordinary people who may not have known about it in the past.
The report, published by the New York Times, ProPublica and the Guardian, says the NSA and Britain's GCHQ have worked together since 2007 to develop ways to gain access to information from applications for mobile phones and tablets.
The scale of data gathering is unclear.
But the reports suggest data is gained from a variety of mapping, gaming and social networking applications, using techniques similar to the ones used to intercept mobile internet traffic and text message data.
The documents also reveal the two agencies are increasingly convinced of the importance of mobile applications data.
The joint spying programme "effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system" one 2008 document from the British intelligence agency is quoted as saying.
Another GCHQ report, in 2012, laid out how to extract information from Angry Birds user information from phones on the Android operating system. The game has been downloaded 1.7 billion times across the world.
The British spy agency said it would not comment on intelligence matters, but insisted that all of its activities were "authorised, necessary and proportionate".
Another NSA document described a "golden nugget" - a perfect scenario where NSA analysts could get broad selections of information from the applications, including networks the phone had connected to, documents downloaded, websites visited and "buddy lists".
Other applications mentioned by the documents include the photo-sharing site Flickr, movie-based social network Flixster and applications that connect to Facebook.
Developers are responsible for the information generated from each application, but there was no suggestion firms were actively agreeing to give the spy agencies data.Two-year rule
On Monday, the justice department announced it had reached agreement with five major internet firms over their request to share information about how they responded to orders from the NSA and other agencies.
Google, Microsoft, Yahoo, Facebook and LinkedIn had previously sued the US government over being able to disclose to the public more information on what they have released to intelligence agencies.
Under the compromise announced, the firms will be able to release:
- the number of criminal-related orders from the government
- the number of secret national security-related orders from government investigators, rounded to the nearest thousand
- how many national security-related orders came from the foreign service intelligence and the number of customers those orders affected
- whether those orders were for just email addresses or covered additional information
- alternatively they can opt to issue a report that provides less detail but lets them state the number of national security and intelligence orders in batches of 250
As part of the deal, the firms will delay releases of the number of national security orders by six months.
But tech firms cannot reveal government surveillance of new technology or new ways to communicate that they create for up to two years.
This caveat has been criticised by Ladar Levison - the founder of Lavabit, the secure email service that Edward Snowden used - who said the provision would undermine confidence in start-ups.
"While our courts are allowed to keep ethically dubious court order secret, it will remain impossible to trust private data to American companies," he told the New York Times.
Apple was quick to take advantage of the new rules.
It has revealed that it received between zero and 249 national security orders between 1 January and 30 June affecting between zero and 249 accounts.