Spy agencies target mobile phones, app stores to implant spyware

CBC

Updated May 21, 2015 at 5:00 a.m.

Business Insider/Michael Seto AOL CEO Tim Armstrong Ever since the dawn of the mass-market web in 1995 or so, the saying “content is king” has moved in and out of fashion. With Verizon’s $4 billion purchase of AOL, and Facebook’s new Instant Articles initiative, which embeds content from other media sources directly into Facebook, it looks like it’s back in vogue. Here’s the thinking. There are only a few things that people want to really do online. Buy and sell. Communicate. Play. And look at content — news articles, TV shows, games, cat videos, porn, and so on. Over the years, tech companies went through periods of urgency where they all seemed to realize that the technology they were building wouldn’t amount to much if they didn’t have something that people wanted to <em>do</em> with it. So they’d hire, buy, or partner with people who create content. The peak of “content is king” came when AOL bought Time-Warner for $146 billion in stock at peak-dot-com prices in 2000. Now, mobile devices have replaced the PC -based web browser as the number-one place where people consume content online, and tech companies are making sure they are poised to profit from that habit. Verizon and the fear of a dumb pipe At the dawn of the smartphone era, Verizon (and other telcos) thought they were going to be able to add all sorts of new revenue streams — you’d download music, video, and games directly from their stores. But Apple’s iTunes and later Google Play put an end to that dream, and most paid and subscription content now comes through these platform providers or third party apps like Netflix and Hulu. Not the carriers. Texting, meanwhile, has diminished in importance thanks to social networking and chat apps like WhatsApp. McKinsey So once again Verizon is forced to confront its worst fear: becoming a “dumb pipe” that is only there to carry an ever-increasing amount of data at ever-faster speeds. That’s a bad business because customers expect prices to go down and service to get better over time — it happens with every other tech product! The only way to win is to cut expenses faster than prices. So, it bought a content business. Or at least a way to make money from content. There’s some debate about whether Verizon is really interested in the content properties like the Huffington Post and TechCrunch — one report suggested the company may spin them off — or if Verizon is mainly interested in the advertising platforms that AOL has built to make money from those properties. But either way, Verizon is clearly interested in profiting from the consumption of content on mobile devices. Specifically mobile video. As a recent McKinsey presentation showed, video consumption is growing faster on mobile devices than on any other medium. Verizon owns the pipes today; with AOL it can also own, or at least profit from, more of the stuff traveling over those pipes. Facebook’s mobile ad mastery Facebook is an interesting case study in “content is king.” The Internet company looks a lot like a media business, making nearly all its money from advertising, yet it doesn’t actually own or produce any content. All the content is produced or shared by the nearly 1.5 billion people now using the service. This has been a pretty good strategy. Facebook booked $11.5 billion in ad revenue last year, with a growth rate of 65%. It’s been able to do this by showing fewer ads (down 40% in 2014) and charging a lot more for those ads (up 173% in 2014). This is what you can do when people spend more and more time on your site — average time spent tripled from 6 minutes to 21 minutes between 2010 and 2014, according to Statista. More important, Facebook’s mobile ad business has grown from zero at the time it went public in May 2012 to make up 65% of its total ad revenue last year — about $7.5 billion. Basically, all of Facebook’s growth is coming from mobile. Via BI Intelligence But one thing people love to do on Facebook is share content. If people leave Facebook to view that content, and then view or click on an ad on a media company’s website, Facebook makes no money from that transaction (unless the media company is showing the article in an app that happens uses Facebook’s year-old mobile app ad network, the Audience Network). And who knows when that person will come back to Facebook? So with Instant Articles, media companies publish their content directly within the Facebook app on mobile phones, where Facebook at least has a chance of selling an ad against it and earning 30% of the revenue from that ad. (Often left unsaid in this equation is the fact that more great content on Facebook keeps people on Facebook longer, where they’re more likely to stay and see ads that Facebook sells and earns 100% of the revenue from.) Facebook A Facebook Instant Article by National Geographic, embedded within the Facebook iPhone app The bait for this hook? Facebook says that outbound links to news articles can take up to eight seconds to load — notice how that “eight seconds” figure appears in every story about the new feature? — which creates a subpar experience for readers. It’s true: Instant Articles are beautiful and load fast. Over time, perhaps, users will prefer those articles over the old-fashioned link-off-to-another-site kind of article, and will share them more, giving publishers a bigger pie of advertising dollars to take their cut from. Meanwhile, Facebook inserts itself more directly into the mobile value chain. So what happens next? History doesn’t repeat itself, but sometimes there are echoes. The last tech boom turned out to be a bubble as valuations outstripped reality. The AOL-Time Warner deal ended in tears in 2003, when the combined company took a huge writeoff on the value of AOL’s online business, leading to a $99 billion loss in 2003 — the largest annual loss ever. Other tech companies who had made big content bets also started to unwind those bets — for instance, Microsoft sold its online magazine Slate, shuttered plans to make original video programs for MSN and eventually dissolved most aspects of its MSNBC partnership with NBC. For a few years, tech companies went back to being tech companies, and media companies went back to being media companies. But the underlying shift that drove those dot-com investments in the first place — the movement offline to online — turned out to be real, and a lot of new companies came to profit from it. Google and Facebook are the biggest, with combined market caps of about $600 billion, but there are many other tech companies that survived the dot-com crash or emerged from its ashes and remain strong and thriving today. The current tech boom has been driven by the shift from PC to mobile devices. It may get into the same kind of bubble territory or not, but eventually that boom will end. Look for the tech industry’s infatuation with content to end then, too. NOW WATCH: REVEALED: Here are all the incredible perks for Facebook employees Please enable Javascript to watch this video Read more stories on Business Insider, Malaysian edition of the world’s fastest-growing business and technology news website.

Spy agencies target mobile phones, app stores to implant spyware

PM's office won't say if it knew of bridge corporation appointee's expenses

Verizon and Facebook agree: Content is king again

Business Insider/Michael Seto AOL CEO Tim Armstrong Ever since the dawn of the mass-market web in 1995 or so, the saying “content is king” has moved in and out of fashion. With Verizon’s $4 billion purchase of AOL, and Facebook’s new Instant Articles initiative, which embeds content from other media sources directly into Facebook, it looks like it’s back in vogue. Here’s the thinking. There are only a few things that people want to really do online. Buy and sell. Communicate. Play. And look at content — news articles, TV shows, games, cat videos, porn, and so on. Over the years, tech companies went through periods of urgency where they all seemed to realize that the technology they were building wouldn’t amount to much if they didn’t have something that people wanted to do with it. So they’d hire, buy, or partner with people who create content. The peak of “content is king” came when AOL bought Time-Warner for $146 billion in stock at peak-dot-com prices in 2000. Now, mobile devices have replaced the PC -based web browser as the number-one place where people consume content online, and tech companies are making sure they are poised to profit from that habit. Verizon and the fear of a dumb pipe At the dawn of the smartphone era, Verizon (and other telcos) thought they were going to be able to add all sorts of new revenue streams — you’d download music, video, and games directly from their stores. But Apple’s iTunes and later Google Play put an end to that dream, and most paid and subscription content now comes through these platform providers or third party apps like Netflix and Hulu. Not the carriers. Texting, meanwhile, has diminished in importance thanks to social networking and chat apps like WhatsApp. McKinsey So once again Verizon is forced to confront its worst fear: becoming a “dumb pipe” that is only there to carry an ever-increasing amount of data at ever-faster speeds. That’s a bad business because customers expect prices to go down and service to get better over time — it happens with every other tech product! The only way to win is to cut expenses faster than prices. So, it bought a content business. Or at least a way to make money from content. There’s some debate about whether Verizon is really interested in the content properties like the Huffington Post and TechCrunch — one report suggested the company may spin them off — or if Verizon is mainly interested in the advertising platforms that AOL has built to make money from those properties. But either way, Verizon is clearly interested in profiting from the consumption of content on mobile devices. Specifically mobile video. As a recent McKinsey presentation showed, video consumption is growing faster on mobile devices than on any other medium. Verizon owns the pipes today; with AOL it can also own, or at least profit from, more of the stuff traveling over those pipes. Facebook’s mobile ad mastery Facebook is an interesting case study in “content is king.” The Internet company looks a lot like a media business, making nearly all its money from advertising, yet it doesn’t actually own or produce any content. All the content is produced or shared by the nearly 1.5 billion people now using the service. This has been a pretty good strategy. Facebook booked $11.5 billion in ad revenue last year, with a growth rate of 65%. It’s been able to do this by showing fewer ads (down 40% in 2014) and charging a lot more for those ads (up 173% in 2014). This is what you can do when people spend more and more time on your site — average time spent tripled from 6 minutes to 21 minutes between 2010 and 2014, according to Statista. More important, Facebook’s mobile ad business has grown from zero at the time it went public in May 2012 to make up 65% of its total ad revenue last year — about $7.5 billion. Basically, all of Facebook’s growth is coming from mobile. Via BI Intelligence But one thing people love to do on Facebook is share content. If people leave Facebook to view that content, and then view or click on an ad on a media company’s website, Facebook makes no money from that transaction (unless the media company is showing the article in an app that happens uses Facebook’s year-old mobile app ad network, the Audience Network). And who knows when that person will come back to Facebook? So with Instant Articles, media companies publish their content directly within the Facebook app on mobile phones, where Facebook at least has a chance of selling an ad against it and earning 30% of the revenue from that ad. (Often left unsaid in this equation is the fact that more great content on Facebook keeps people on Facebook longer, where they’re more likely to stay and see ads that Facebook sells and earns 100% of the revenue from.) Facebook A Facebook Instant Article by National Geographic, embedded within the Facebook iPhone app The bait for this hook? Facebook says that outbound links to news articles can take up to eight seconds to load — notice how that “eight seconds” figure appears in every story about the new feature? — which creates a subpar experience for readers. It’s true: Instant Articles are beautiful and load fast. Over time, perhaps, users will prefer those articles over the old-fashioned link-off-to-another-site kind of article, and will share them more, giving publishers a bigger pie of advertising dollars to take their cut from. Meanwhile, Facebook inserts itself more directly into the mobile value chain. So what happens next? History doesn’t repeat itself, but sometimes there are echoes. The last tech boom turned out to be a bubble as valuations outstripped reality. The AOL-Time Warner deal ended in tears in 2003, when the combined company took a huge writeoff on the value of AOL’s online business, leading to a $99 billion loss in 2003 — the largest annual loss ever. Other tech companies who had made big content bets also started to unwind those bets — for instance, Microsoft sold its online magazine Slate, shuttered plans to make original video programs for MSN and eventually dissolved most aspects of its MSNBC partnership with NBC. For a few years, tech companies went back to being tech companies, and media companies went back to being media companies. But the underlying shift that drove those dot-com investments in the first place — the movement offline to online — turned out to be real, and a lot of new companies came to profit from it. Google and Facebook are the biggest, with combined market caps of about $600 billion, but there are many other tech companies that survived the dot-com crash or emerged from its ashes and remain strong and thriving today. The current tech boom has been driven by the shift from PC to mobile devices. It may get into the same kind of bubble territory or not, but eventually that boom will end. Look for the tech industry’s infatuation with content to end then, too. NOW WATCH: REVEALED: Here are all the incredible perks for Facebook employees Please enable Javascript to watch this video Read more stories on Business Insider, Malaysian edition of the world’s fastest-growing business and technology news website.

Canada and its spying partners exploited weaknesses in one of the world's most popular mobile browsers and planned to hack into smartphones via links to Google and Samsung app stores, a top secret document obtained by CBC News shows.

Electronic intelligence agencies began targeting UC Browser — a massively popular app in China and India with growing use in North America — in late 2011 after discovering it leaked revealing details about its half-billion users.

Their goal, in tapping into UC Browser and also looking for larger app store vulnerabilities, was to collect data on suspected terrorists and other intelligence targets — and, in some cases, implant spyware on targeted smartphones.

The 2012 document shows that the surveillance agencies exploited the weaknesses in certain mobile apps in pursuit of their national security interests, but it appears they didn't alert the companies or the public to these weaknesses. That potentially put millions of users in danger of their data being accessed by other governments' agencies, hackers or criminals.

"All of this is being done in the name of providing safety and yet … Canadians or people around the world are put at risk," says the University of Ottawa's Michael Geist, one of Canada's foremost experts on internet law.

CBC News analysed the top secret document in collaboration with U.S. news site The Intercept, a website that is devoted in part to reporting on the classified documents leaked by U.S. whistleblower Edward Snowden.

The so-called Five Eyes intelligence alliance — the spy group comprising Canada, the U.S., Britain, Australia and New Zealand — specifically sought ways to find and hijack data links to servers used by Google and Samsung's mobile app stores, according to the document obtained by Snowden.

Over the course of several workshops held in Canada and Australia in late 2011 and early 2012, a joint Five Eyes tradecraft team tried to find ways to implant spyware on smartphones by intercepting the transmissions sent when downloading or updating apps.

Privy to huge amounts of data

The Five Eyes alliance targeted servers where smartphones get directed whenever users download or update an app from Google and Samsung stores.

Samsung and Google declined to comment.

The servers provide key access points to massive amounts of data flowing from millions of smartphones around the world.

"What they are clearly looking for are common points, points where thousands, millions of internet users actively engage in, knowing that if they can find ways to exploit those servers, they will be privy to huge amounts of data about people's internet use, and perhaps use bits and pieces of that to make correlations," says Geist.

Ultimately, the spy agencies wanted to implant spyware on certain smartphones to take control of a person's device or extract data from it, the document suggests.

The spy agencies also sought to match their targets' smartphone devices to their online activities, using databases of emails, chats and browsing histories kept in the Five Eyes' powerful XKeyScore tool to help build profiles on the people they were tracking.

Making that connection was a much desired goal of the agencies because of the growing use of smartphones and the wealth of data they contain.

Respecting agreements not to spy on each others' citizens, the spying partners focused their attention on servers in non-Five Eyes countries, the document suggests. The agencies targeted mobile app servers in France, Switzerland, the Netherlands, Cuba, Morocco, the Bahamas and Russia.

Canada's electronic surveillance agency, the Communications Security Establishment, refused to comment on its capabilities, saying that would constitute a breach of the Security of Information Act.

"CSE is mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism," the agency said in a written statement. "CSE does not direct its foreign signals intelligence activities at Canadians or anywhere in Canada."

Britain's counterpart, GCHQ, said all its work "is carried out in accordance with a strict legal and policy framework." The U.S. National Security Agency and New Zealand surveillance agency did not respond to CBC News. Australia's signals intelligence agency refused to comment.

Millions of users have 'no idea'

As the Five Eyes team sought ways into the mobile app store servers, they also uncovered security gaps in the popular UC Browser, owned by the powerful Chinese tech giant Alibaba Group. It is the world's most popular mobile browser behind those pre-installed on smartphones.

As the team discovered, the UC Browser app leaked its users' phone numbers, SIM card numbers and details about the device to servers in China.

In that stream of data, Five Eyes analysts found one country's military unit using the app as a covert way to communicate about its operations in Western countries.

They touted this signals intelligence coup as providing an "opportunity where potentially none may have existed before," the document says.

Citizen Lab, a human rights and technology research group in Toronto, says that the UC Browser app was still leaking data until recently, and that was putting millions of users' data at risk.

"Of course, the user of this application has no idea that this is going on," says Ron Deibert, director of the Citizen Lab, which is based at the University of Toronto's Munk School of Global Affairs.

"They just assume when they open a browser that the browser's doing what it should do. But in fact, it's leaking all this information."

Citizen Lab analysed the Android version of the app and found "major security and privacy issues" in its English and Chinese editions.

National security vs. privacy

Secure apps typically encrypt a smartphone's communication with a server for such purposes as downloading or updating apps to prevent outsiders from gaining access to sensitive details about a user.

But Citizen Lab recently found Android versions of UC Browser leaking search queries, SIM card numbers and device IDs without any such protection. Some of it leaks even when the app is at rest.

Also, the app was transmitting the smartphone's location with encryption that the Citizen Lab says is easy to hack with publicly available tools.

All these details allow a government agency, hacker or criminal to track a person's movements and find out their habits, their relationships and even their interests.

Citizen Lab alerted Alibaba to the security gaps in mid-April, giving the company time to fix the problems. On May 15, after CBC News contacted the company, it released an update of the browser that fixed the issues identified by the Toronto research lab.

"We take security very seriously and we do everything possible to protect our users," said Alibaba in a written statement. "We have no evidence that any user information has been taken.

An Alibaba source familiar with the file said that spy agencies never alerted the company to vulnerabilities in the app and stressed that the app's leaks were not intentional.

Citizen Lab reviewed the update and found that the Chinese language version of the app — which leaked more data than the English one — still doesn't encrypt search terms.

The case raises questions about whether government agencies, even covert ones, should carry some responsibility for informing citizens of weaknesses they've unearthed in devices, operating systems and online infrastructure.

Taking advantage of weaknesses in apps like UC Browser "may make sense from a very narrow national security mindset, but it happened at the expense of the privacy and security of hundreds of millions of users worldwide," says Deibert.

"Of course, the security agencies don't [disclose the information]," says Deibert. "Instead, they harbour the vulnerability. They essentially weaponize it."

For his part, Geist argues that there is an expectation that the federal government will protect Canadians.

"We should be troubled by the notion of our spy agencies — and in a sense our government — actively looking for vulnerabilities or weaknesses in the software that millions of people are using," said Geist.

"That feels in many respects like a significant abdication of what I think most would expect from our government."

But not everyone agrees. "The fact that certain channels and devices are vulnerable is not ultimately the problem of signals intelligence," says Christian Leuprecht, a Royal Military College professor and fellow at Queen's University's Centre for International and Defence Policy.

If Canadians are concerned with encryption standards and privacy issues, he says, they can lobby governments to crack down on network operators, manufacturers and developers.

"Because the same way that our signals intelligence agency can follow data, devices and servers in other countries, remember that our adversaries are trying to do the exact same thing here."

CBC is working with U.S. news site The Intercept to shed light on Canada-related files in the cache of documents obtained by U.S. whistleblower Edward Snowden.

The CBC News team — Amber Hildebrandt (email, PGP) and Dave Seglins (email, PGP)— collaborated with The Intercept's Glenn Greenwald and Ryan Gallagher to analyze the documents.

For a complete list of the past stories done by CBC on the Snowden revelations, see our topics page.

CBC
Mississauga man dead after road rage leads to multiple vehicle crash: OPP
A 21-year-old man from Mississauga is dead after crashing into another car during a road rage incident Friday evening, Ontario Provincial Police say. Provincial police responded to the call around 5:30 p.m. Friday for a six vehicle collision on Highway 400 near Simcoe Road 89 in Innisfil, Ont.Police say two vehicles were "road raging" while travelling southbound. Then, the 21-year-old driver crossed the centre median of the highway and hit a pickup truck travelling north, according to OPP, causi
4 hours ago
People
O.J. Simpson's Cause of Death Revealed
O.J. Simpson died at the age of 76 in his Las Vegas, Nev., home on April 10, his family announced
a day ago
BANG Showbiz
Britney Spears snapped cracking her windscreen with heels ahead of being ‘ordered to pay dad millions’
Before news broke the pop star had been ordered to pay her dad $2 million in legal fees after their battle over her controversial conservatorship. Britney Spears was snapped cracking the windscreen of her SUV with her heels.
2 hours ago
Hello!
Elizabeth Hurley, 58, wows in daring latex dress with sheer lace bodice
Elizabeth Hurley floored fans as she posed in a jaw-dropping lace mini dress with a red latex skirt – and the 58-year-old looked better than ever. See photo.
10 hours ago
The Daily Beast
Barr: Trump Brought Up ‘Things Like’ Executing Rivals a Lot
CNNBill Barr, Donald Trump’s former attorney general who once said that voting for the indicted ex-president would be “playing Russian roulette with the country,” stood by his decision to vote for Trump in November while also suggesting that Trump used to regularly float the idea of executing his political rivals while in office.Barr made the nonchalant admission Friday during a CNN interview when anchor Kaitlan Collins mentioned former Trump White House communications director Alyssa Farah Grif
16 hours ago
CNN
Secret Service says agent on Harris’ detail was removed from assignment after distressing behavior
A Secret Service agent assigned to Vice President Kamala Harris’ detail was removed from their assignment after displaying behavior that colleagues found “distressing,” the agency said.
2 days ago
Snopes
Fact Check: Rumor Says Biden Finished 76th Academically in a Class of 85 at Syracuse University College of Law in '68. Here Are the Facts
"The Democrats literally pick from the bottom of the barrel," a user on X (formerly Twitter) claimed.
6 hours ago
People
Millie Bobby Brown Pairs Tiny Bikini with Denim Hotpants on Vacation: See the Cheeky Pic!
The 'Stranger Things' star rocked a pair of denim shorts from her fashion brand, Florence by Mills
18 hours ago
The Daily Beast
Prosecutors Reveal Who’s Paying the Lawyers for Trump’s Longtime Assistant
Photo by Michael M. Santiago/Getty ImagesWhen Manhattan District Attorney prosecutors called their second witness in Donald Trump’s criminal case on Friday, they wanted the jury to note who is paying for the lawyers for this prosecution witness: Trump.Rhona Graff, who served as Donald Trump’s executive assistant and so-called gatekeeper for 34 years, was called by prosecutors on Friday to testify in her former boss’ criminal hush-money trial. And almost immediately, Assistant District Attorney S
a day ago
Hello!
Joan Collins, 90, looks unrecognisable as a teenager in incredible throwback photo
Joan Collins surprised fans with an incredible throwback photo from her first magazine cover when she was 17 years old – and the Dynasty star is unrecognisable. See photo.
4 hours ago
GOBankingRates
7 Ways People Destroy the Value of Their Homes, According to a Real Estate Agent
Josh Dotoli founded Dotoli Group in 2013, and the Fort Lauderdale, Florida-based real estate firm now consistently ranks among the top 1% for sales production nationwide. With over 100 transactions...
6 hours ago
The New York Times
Echoing Their Client, Trump’s Lawyers Pursue an Absolutist Defense
NEW YORK — Donald Trump is a thrice-married man accused of covering up a sex scandal with an adult film actor after the world heard him brag about grabbing women by their genitals. But when Trump’s lawyers introduced him to a jury at his Manhattan criminal trial this past week, they dwelt on a different dimension: “He’s a husband. He’s a father. And he’s a person, just like you and just like me.” That half-hour opening statement encapsulated the former president’s influence over his lawyers and
4 hours ago
Yahoo News UK
Pensioner who worked at Clarks for 68 years given boot with two days' notice
Jill Cornick, 82, is out of work for the first time in her life after being told the Clarks shop she worked in since 1956 in Dorset was closing.
a day ago
HuffPost UK
Buckingham Palace Gives New Update On King Charles Following Cancer Diagnosis
The palace previously announced the king's cancer diagnosis on February 5.
a day ago
People
King Charles' New Portrait Has a Close Connection to Kate Middleton and Prince William's Kids
Prince George, Princess Charlotte and Prince Louis may have inspired their grandfather's latest photo choice to mark the first anniversary of his coronation
a day ago
Cosmo
Kylie Jenner just revived the naked brow trend and she looks like a woodland fairy
Kylie Jenner shares Instagram selfies of her new bleached eyebrow look for 2024. She looks so different, with the ash-blonde look.
a day ago
People
Mary Jo Eustace Says Drama Around Ex-Husband Dean McDermott's Divorce from Tori Spelling Is 'Pathetic' (Exclusive)
"The same drama, the same plea for press," Eustace, who split from McDermott in 2006, tells PEOPLE
a day ago
HuffPost
Emma Stone Says It Would Be ‘Nice’ If People Would ‘Just Call Me’ By Her Real Name
The Oscar winner said she actually “freaked out a couple of years ago” because everyone knows her by her stage name.
2 days ago
HuffPost
Harvard Law Professor Offers Scathing Summary Of SCOTUS-Trump Arguments
Laurence Tribe pulled no punches over what he described as a “shameful performance by the court.”
a day ago
Miami Herald
Wanted man walks past Florida cops dressed as woman, report says. They weren’t fooled
He wore a blonde wig, blue dress and sunglasses, photos show.
a day ago

Latest Stories