Operating System Software For Android Mobile Devices Includes NSA Code
Monday, July 15, 2013
While you have probably been busy during the past couple weeks with work, vacation, and/or celebrating the July 4th Independence Day holiday, there have been some interesting developments regarding government surveillance programs and familiar high-tech firms. BusinessWeek reported on July 3 that:
"Google spokeswoman Gina Scigliano confirms that the company has already inserted some of the NSA’s programming in Android OS... Through its open-source Android project, Google has agreed to incorporate code, first developed by the agency in 2011, into future versions of its mobile operating system, which according to market researcher IDC runs on three-quarters of the smartphones shipped globally in the first quarter. NSA officials say their code, known as Security Enhancements for Android, isolates apps to prevent hackers and marketers from gaining access to personal or corporate data stored on a device."
The explanation the NSA gave for its code in the Android operating system (OS):
"Improve our understanding of Android security."
Experts say the NSA code has been reviewed by peers and is not devious in any manner. Is this accurate? There don't seem to be any rules that the code will remain unchanged, or that Android device users will be notified of any changes.
Really? That's all? Nothing else? Are we to believe the NSA at its word? I find this explanation difficult to believe given some less than truthful statements recently by an NSA representative to the U.S. Congress. When they lie, you break the trust with the public. If they will lie to the U.S. Congress, they will definitely lie to journalists and to citizens. I expect the NSA will continue to do what it does: spy. As a wise person once said, "a leopard does not change his spots."
Like any other consumer (who is not a computer programmer), I am trying to make sense of these revelations and understand what is happening. New disclosures and revelations about government spying seem to happen weekly, like peeling layers off an onion. Perhaps, some programming experts will weigh in on this blog post about the technical aspects. That Google decided to do business with the NSA and include NSA code in the operating system software for its mobile devices, I found very interesting for several reasons:
1. Back in June, we learned the the NSA PRISM program taps into the computing and network systems of several high-tech companies, including Google. At that time, Google said in a statement:
"Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a back door for the government to access private user data."
I guess one could argue about the meaning of what a "back door" is. They seem to have another back door now.
2. As the article highlights, any devices running the Android operating system (OS) will include this NSA code: smart phones, tables, televisions, automobiles, and any or mobile devices. I assume the NSA code is also in the new Google Glass devices too, albeit that new device has a customized OS. So, that shiny new mobile device you just bought -- the HTC One, the Samsung Galaxy S4, and others -- all include programming code written by the National Security Agency (NSA). I didn't know that. Did you?
3. So, the NSA decided to "enhance the security of Android mobile devices (that is what the NSA labeled its own code). And, since the NSA gets its funding from your and my tax dollars, it is using public money to enhance the security of the devices by a private manufacturer. Is this how you want your hard-earned tax dollars spent?
It' was really nice of the NSA to donate programming code without asking for any payments or royalties in return. Given the huge federal government deficits and debt, some payments would have been great, but I guess we'll just have to look elsewhere for financial solutions.
4. Vermont Senator Sanders asked what else the government is doing that they haven't told us. Well, we now know that, besides spying, the NSA is also in the mobile device software development business. Is this NSA code in any other companies' mobile devices? And if not, why only Google Android?
While the Google-NSA partnership was explored some in 2010, we now know more. A simple online search found this CNN news story form 1999:
"Microsoft operating systems have a backdoor entrance for the National Security Agency, a cryptography expert said Friday, but the software giant denied the report and other experts differed on it. The chief scientist at an Internet security company said Microsoft built in a "key" for the nation's most powerful intelligence agency to the cryptographic standard used in Microsoft Windows 95, Windows 98, Windows NT4 and Windows2000."
Reportedly, Microsoft assisted the NSA and the FBI with breaking encryption codes, and collecting data from cloud storage severs and Skype phone calls. So, the NSA has been in the commercial software development business for a while.
5. Let's take the NSA at its word, that the code in Android devices is benign and it will help the agency better understand the security of those mobile devices. What exactly might the NSA want to better understand or learn? They could easily buy (if they haven't done already) usage reports about Android users from Google, or from any number of market research firms.
In my business experience, I reviewed, managed, and executed data licensing agreements -- contracts -- with other organizations to share data. Companies enter into these types of contracts to generate revenues and/or to learn more about an industry or groups of users. In some instances, other companies wanted to learn more about my prior employer's industry. Those contracts specified usage reports with a certain frequency (e.g., monthly, quarterly, daily) and certain data elements (e.g., customer name, location, amounts purchased, items purchased, etc.). I must assume that the folks at the NSA are smart and have already purchased usage reports about mobile users directly from market research firms and/or directly from Google. For whatever reasons the NSA has decided to go the next step beyond usage reports to modify OS code to obtain more data directly.
And that data includes everyone who uses Android mobile devices, not just foreign people communicating with U.S. citizens whom the NSA is supposed to target. Readers who are unclear on the scope of geolocation data collected about your by your mobile devices, should read this blog post.
In my business experience, that initial contract (e.g., often 5 to 7 years in duration) is usually followed by a more detailed and extensive contract. Simply, after you learn more you can execute a better contract with more data reporting. So, one could conclude that the NSA has even bigger, more extensive plans for Google Android OS mobile devices and other high-tech firms.
6. Given the BYOD ("Bring Your Own Device") trend during the past few years, I'll bet that plenty of CIO, CTO, and C-Suite executives in companies worldwide are now wondering what to do next. Both their companies' servers (e.g., NSA code is embedded in Linux servers, too) and their employees' mobile devices are embedded with NSA programming code. As the BusinessWeek article reported:
"... an information technology consultant in Dublin, says his clients in European governments and multinational corporations are worried about how vulnerable their data are when dealing with U.S. companies. The information security world had been preoccupied with Chinese hacking until recently... With Prism, the same accusations can be laid against the U.S. government...”
One wonders what the unintended consequences will be. How much revenue will Google lose as a result of corporations (and/or governments) rejecting or limiting Android OS usage in their countries? How much revenue will the online and high-tech industries lose because foreign governments and corporations conclude that the NSA has compromised the products and services produced by those industries? Along with the revenue loss, what might other consequences be, such as employment cutbacks and fewer jobs?
And, it no longer seems so surprising that Android smart phones sold in China include a stripped down OS without several Google services (e.g., search, map, Gmail). The Chinese did this partly to promote the growth of the mobile app development and online industries in their country, but you still have to wonder given all of the claims and denials flying back and forth about hacking and spying.
The limitations on Google services with Android OS in China limit Google's revenues. Given the NSA code revelations, what other countries will place tighter controls or bans? Where else might there be negative affects on Google's revenues?
7. There have been plenty of articles in the news media about the really smart, innovative engineers at Google. But, maybe Google really does need beefed-up security given its (poor) history of data beaches, privacy incursions, and reported vulnerabilities:
- March, 2009 data breach: Google Docs. An undisclosed number of records
- April 2007 data breach: Google Ads. Malware affecting an undisclosed number of records
- September 2010: unauthorized access by a Google employee of consumers' personal information
- June 2011 data breach: Gmail
- June 2013: after an investigation, Google was found to have breached privacy law in France
- June 2013: an investigation in Spain for alleged privacy breaches
- July 2012: Google breached UK privacy rules by not deleting personal data collected by Street View
- July 2013: vulnerability discovered by Bluebox Labs affecting 99% of mobile devices running the Android OS
Overall, there seem to be two over-arching issues:
- 4th Amendment of the U.S. Constitution
Lies break the public's trust. Lies break customers' trust. When a government forces corporations to lie, it breaks the public's trust with both. Perhaps more importantly, a government can't simply ignore or walk away from the Fourth Amendment of the U.S. Constitution:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Do you trust the NSA? Do you trust Google? Do you trust your government? And, is this NSA code okay with you? Really?
A worthy, important item to read:
The Crux Of The NSA Story in One Phrase: "Collect It All"
Posted by: George | Monday, July 15, 2013 at 12:45 PM
Dear Mr. Jenkins: This is an excellent piece. But let me just add one more thing which shows that the NSA is dubious in its stated reasons for adding code to Android. Android is a selectively open operating system. Among the openness that Google permits is that it allows others to see and review Android's code. So the NSA could have learned all that it wanted about security in Android by simply reviewing and experimenting with its code without inserting any code into Android.
And a word about Android being open. It isn't open, for Google has arranged by contract and IP rights a set of restrictions on the use and distribution of Android that can only be breached by firms with the resources to fork Android, as Amazon has done, and then develop and enhance that forked version of Android. Otherwise, those who don't comply with Google's terms for Android may not, inter alia, use Google and/or Android's trademarks, receive updated version of Android, have access to Google's Google Play app store, etc.
Posted by: Chanson de Roland | Monday, July 15, 2013 at 02:18 PM
The Marine Corps. informal motto is: Kill'em all, and let God sort'em out. The NSA has rephrased that motto to read: Collect it all, and let the Director of the CIA, one Gen. Keith B. Alexander, sort it out, according to his discretion. While that motto may well be appropriate when directed outside the U.S., it is wholly inappropriate when directed against U.S. citizens who are in the U.S., as it is repugnant to the Fourth Amendment of the U.S. Constitution and to democratic government.
Posted by: Chanson de Roland | Monday, July 15, 2013 at 05:58 PM
And... here comes the first wave of the backlash from our allies:
Pro-privacy groups in Germany to protest US surveillance
The anti-PRISM protest is scheduled for Saturday, July 27.
Posted by: George | Friday, July 26, 2013 at 01:42 PM
this is a very scary development indeed, considering that i have just bought a samsung ... hmmm i have read some fo the articles that have been posted here. - not very good bed time reading
Posted by: DCSLsoftware | Monday, August 26, 2013 at 10:46 AM
It saddens me when I read stories like this, Google needs to review what is it doing and not allow this sort of thing to happen , there is very little trust now over these matters -
Posted by: Sebastian Beaton | Thursday, September 12, 2013 at 07:46 AM