Canada and its spying partners exploited weaknesses in one of the world’s most popular mobile browsers and planned to hack into smartphones via links to Google and Samsung app stores, a top secret document obtained by CBC News shows.Electronic intelligence agencies began targeting UC Browser — a massively popular app in China and India with growing use in North America — in late 2011 after discovering it leaked revealing details about its half-billion users.
Their goal, in tapping into UC Browser and also looking for larger app store vulnerabilities, was to collect data on suspected terrorists and other intelligence targets — and, in some cases, implant spyware on targeted smartphones.
The 2012 document shows that the surveillance agencies exploited the weaknesses in certain mobile apps in pursuit of their national security interests, but it appears they didn’t alert the companies or the public to these weaknesses. That potentially put millions of users in danger of their data being accessed by other governments’ agencies, hackers or criminals.
“All of this is being done in the name of providing safety and yet … Canadians or people around the world are put at risk,” says the University of Ottawa’s Michael Geist, one of Canada’s foremost experts on internet law.
CBC News analysed the top secret document in collaboration with U.S. news site The Intercept, a website that is devoted in part to reporting on the classified documents leaked by U.S. whistleblower Edward Snowden.
The so-called Five Eyes intelligence alliance — the spy group comprising Canada, the U.S., Britain, Australia and New Zealand — specifically sought ways to find and hijack data links to servers used by Google and Samsung’s mobile app stores, according to the document obtained by Snowden.
Over the course of several workshops held in Canada and Australia in late 2011 and early 2012, a joint Five Eyes tradecraft team tried to find ways to implant spyware on smartphones by intercepting the transmissions sent when downloading or updating apps.
Privy to huge amounts of data
The Five Eyes alliance targeted servers where smartphones get directed whenever users download or update an app from Google and Samsung stores.
Samsung and Google declined to comment.
The servers provide key access points to massive amounts of data flowing from millions of smartphones around the world.
“What they are clearly looking for are common points, points where thousands, millions of internet users actively engage in, knowing that if they can find ways to exploit those servers, they will be privy to huge amounts of data about people’s internet use, and perhaps use bits and pieces of that to make correlations,” says Geist.
The spy agencies also sought to match their targets’ smartphone devices to their online activities, using databases of emails, chats and browsing histories kept in the Five Eyes’ powerful XKeyScore tool to help build profiles on the people they were tracking.
Making that connection was a much desired goal of the agencies because of the growing use of smartphones and the wealth of data they contain.
Respecting agreements not to spy on each others’ citizens, the spying partners focused their attention on servers in non-Five Eyes countries, the document suggests. The agencies targeted mobile app servers in France, Switzerland, the Netherlands, Cuba, Morocco, the Bahamas and Russia.
Canada’s electronic surveillance agency, the Communications Security Establishment, refused to comment on its capabilities, saying that would constitute a breach of the Security of Information Act.
“CSE is mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism,” the agency said in a written statement. “CSE does not direct its foreign signals intelligence activities at Canadians or anywhere in Canada.”
Britain’s counterpart, GCHQ, said all its work “is carried out in accordance with a strict legal and policy framework.” The U.S. National Security Agency and New Zealand surveillance agency did not respond to CBC News. Australia’s signals intelligence agency refused to comment.