A report yesterday by The New York Times and other news organizations has provided yet another unsettling glimpse into the NSA’s wide-ranging surveillance practices.
The speculation, based on information from documents provided by the NSA leaker Edward Snowden, suggests that the NSA and its British counterpart GCHQ have been collecting private user data from mobile apps, in real time, as it travels across the Internet.
Profile data being collected from popular games such as Rovio’s Angry Birds typically includes age, location and gender, the allegations go. And with games that show ads, the agencies are also able to intercept users’ surprisingly detailed advertising profiles, mining it for new information…
The New York Times cited one secret report showing that just by updating Android software, a user sent more than 500 lines of data about the phone’s history and use onto the network.
Such information helps mobile advertising companies, for example, create detailed profiles of people based on how they use their mobile device, where they travel, what apps and websites they open, and other factors.
Advertising firms might triangulate web shopping data and browsing history to guess whether someone is wealthy or has children.
The snooping agencies collect these user profiles from the cookies saved when a user visits a website and by intercepting app traffic as it travels over the Internet.
A secret 20-page British report from 2012 reportedly included the computer code needed for “plucking the profiles generated when Android users play Angry Birds”.
Responding to these allegations, the Finnish developer issued a blog post to ensure spooked fans it does not willingly provide user data to surveillance agencies, denying any voluntary cooperation with governments.
Rovio Entertainment Ltd, which is headquartered in Finland, does not share data, collaborate or collude with any government spy agencies such as NSA or GCHQ anywhere in the world.
It then added:
The alleged surveillance may be conducted through third party advertising networks used by millions of commercial web sites and mobile applications across all industries. Rovio does not allow any third party network to use or hand over personal end-user data from Rovio’s apps.
However, Rovio then contradicts itself by asserting that if ad networks are indeed targeted, it would appear that “no internet-enabled device that visits ad-enabled web sites or uses ad-enabled applications is immune to such surveillance”.
Unfortunately, this cleans nothing up.
They are collecting data and allowing third-parties to access it, period.
The biggest problem with Rovio’s defensive statement: back in 2012, researchers discovered that Angry Birds was tracking users’ locations and gathering other data.
And what did Rovio do with that data?
That’s right, they passed it straight to mobile ad companies!
When that story blew up, Rovio said in a written statement that some data its games gather from computers and mobile devices is used for “integrating different ad networks into Rovio games” and ad targeting, akin to how websites use browsing data.
The data gathered includes scores, playing times, aggregated device model, carrier and firmware version data. “All data is anonymized, and Rovio does not track or store any single person’s personal data,” the firm insisted.
On iOS, Rovio games don’t use any specific data, unless explicitly asking for permission to do so, with the exception of coarse location based on metadata, such as network IP address, used to target ads.
On Android, different Rovio games may request permissions to access a user’s coarse location based on network data, full Internet access, access to device storage and phone status/ID, which is then “hashed to create an anonymous identifier”.
The real nemesis is ad firms.
The NYT article notes that Baltimore headquartered Millennial Media creates far more intrusive profiles that even the snooping agencies can retrieve.
In securities filings, Millennial documented how it began working with Rovio in 2011 to embed ad services in Angry Birds apps running on iPhones, Android phones and other devices.
According to the report, the profiles created by Millennial contain much of the same information as others, but several categories that are listed as “optional,” including ethnicity, marital status and sexual orientation, suggest that much wider sweeps of personal data may take place.
Marital status?
Sexual orientation?
Possible categories for marital status, the secret report said, include single, married, divorced, engaged and “swinger”; those for sexual orientation are straight, gay, bisexual and “not sure.” It is unclear whether the “not sure” category exists because so many phone apps are used by children, or because insufficient data may be available.
There is no explanation of precisely how the ad company defined the categories, whether users volunteered the information or whether the company inferred it by other means. Nor is there any discussion of why all that information would be useful for marketing — or intelligence.
At the time, Rovio denied any wrongdoing by maintaining that using data for optimizing user experience and targetted advertising in an anonymous and secure way is a “completely standard practice in online media and games”.
Most Rovio games incorporate analytics services by Flurry Analytics.
In Rovio’s defense, its Privacy policy ensures that the company “does not knowingly collect personal information from children under 13 years of age”.
Not that any of this will make you sleep better.
It’s just unacceptable that these companies are taking advantage of paying customers by gathering intelligence on us and then sharing it with, or in some instances even selling it to, third-parties.
And when I come to think of it, no one beats Google at this game.