
NSA spied through Angry Birds, other apps: report (2014)

simonvc

Was drinking in a bar in Espoo in 2012 or 2013 and heard this from someone at Rovio. At the time they used Riak db and Basho were onsite and we asked why they didn't enable inter server encryption. "Because NSA pay us 10m not to". Guess NSA pulled the Riak cluster protocol off the AWS fibre.

adeon

Is there any reliable source for NSA paying Rovio other than this random bar discussion? Not that I don't believe you or that I'm naive about NSA and the power of money, but I looked around news in 2014 and the accusations against Rovio specifically are a bit different flavor. It seems that Rovio was oversharing data to ad networks (Millennial Media comes up a lot), and NSA likely slurped data from the advertising companies. This bar banter is suggesting that NSA had some kind of arrangement with Rovio directly instead, and Rovio willingly went along.

Or alternatively, do you feel the Rovio employee's blabbering was talking about an actual, real NSA deal with Rovio, or was it more like a bar joke and direct NSA co-operation was not really implied? (e.g. "we know our security is bad, but these ad companies pay us $XX million to not use encryption so it's sorta like NSA pays us to keep it that way sips beer").

I'm interested, because if that is an actual thing that happened, then that's an example of NSA paying a Finnish company $$$ to weaken their security, and the Finnish company willingly agreeing to that. Is it in NSA's Modus Operandi to approach and then pay foreign companies to do this sort of thing?

Your comment is describing it in few words, but to me it sounds like it maybe wasn't implying an actual NSA direct co-operation, more like someone doing bar banter and being entirely serious. But that's just me trying to guess tone.

(I'm Finnish. I want to know if Rovio has skeletons in their closet. So I can roast them.)

leftcenterright

From an intelligence perspective, this is business as usual.

- Rovio sold data to ad companies (ad companies primarily based in the US)

- They used AWS (to which of course NSA has legal access)

- Data is not end to end encrypted, all metadata sits on servers in plain text and within AWS even moves from server to server in plain text

How much insight metadata can grant to someone like NSA is still wildly underrated.

- https://www.propublica.org/article/spy-agencies-probe-angry-...

adeon

Ah yeah, I saw the ProPublica as well, it was one of the first articles I found when looking on the topic. I don't doubt at all that Angry Birds data was used by NSA, doesn't seem controversial.

The specific question I am interested in is: Did Rovio knowingly and willingly accept $$$ from NSA (directly or indirectly) to weaken their security? I.e. were they acting as a willing accomplice.

Because that part would be unusual for Finland (well, at least as far as I know). For US companies I wouldn't bat an eye at news like this.

belter

Misheard and it was RSA instead of Rovio? The numbers match... :-)

https://www.reuters.com/article/world/exclusive-secret-contr...

financetechbro

Perhaps $10M is the standard rate for this type of service?

adeon

Lol, yeah, I also learned yesterday that there is apparently, NSA, National Security Authority. No, not the NSA this article is talking about and everyone knows about.

I mean: National Security Authority, "Kansallinen turvallisuusviranomainen", which appears to be some office/people under Finnish foreign affairs: https://um.fi/national-security-authority-nsa-contact-inform...

I will say I got confused a moment yesterday when googling on the topic here because when you put NSA and Finland in the same search, it would get topics about this other NSA that just happens to exist which I had never heard of before, and just happens to be Finland-associated.

fiatpandas

I’m actually comforted by the fact that NSA needed encryption turned off to spy.

starspangled

On the other hand it would be a very cheap counter espionage measure if a small stream of such payments was enough to convince China et al that the NSA had not broken encryption.

danielheath

Or it was simply cheaper than cracking it.

hx8

I was comforted by the idea that it is more expensive than $10m to crack encryption, but this was in 2013.

emmelaich

You could leak the private key accidentally on purpose but that would be harder to plausibly deny involvement if that fact leaked.

deafpolygon

I'm reminded of a certain XKCD comic[1]. The US government probably doesn't need to crack the encryption to get what they want.

[1]: https://xkcd.com/538/

CrossVR

I once asked a VP of engineering at a major ISP why they don't add a layer of encryption to their peering and customer connections to prevent spy agencies from tapping their fibre cables. I was expecting him to say it would be too expensive to upgrade all their network hardware given the amount of traffic. Instead he said: "our routers can already do that, but the government regulator stepped in and prevented us from turning it on."

rdtsc

That's pretty wild. Was it an "investment" of some sort, and then the CEO got a hint with a wink, that there is more where it came from if they don't enable any encryption. Anyone from Rovio who got less than $10m in their pocket willing to tell us a story?

xori

"How do you get corporate secrets out of a software engineer? Sit them next to another engineer on a plane."

frollogaston

It's elegant. The other person can spill amazing secrets, but there's no way to prove it, so nobody will believe you second-hand.

arealaccount

Why wouldn’t they just give them DB access for the 10m? I'd assume NSA would prefer the database to remain encrypted and have an admin account?

radicaldreamer

Deniability

bb88

If you're the NSA, you can tell Amazon, "Hey here's $1B. You're going to get some fiber outages, and we're also going to buy a bunch of compute from you at an exorbitantly high price you'll charge us. It's fine, we're the NSA. So when the outages happen, don't announce it. Also terrorism."

dylan604

Plausible. You can always deny anything. It just might not be so plausible under scrutiny.

bb88

10M sounds like a nice executive bonus. I'm not saying it's a bribe -- I would never, ever do that.

chrischen

This is exactly why adversarial countries like China want to block large multinational social media and technology companies from their market. India saw facebook try to meddle in their elections. This is probably why the US should block TikTok, although there are further repercussions on free speech and the free market (something China ideologically doesn’t care about).

frollogaston

And the speech repercussions are more like the entire point of the ban. It's not even about trade or security. I'd be fine if they just said, we're banning this because it's from China.

pas

I recommend reading the court's decision, it goes through all the relevant facts and statutes, how they apply, and more importantly it says that even if the higher standard of scrutiny would apply it would pass the test.

https://media.cadc.uscourts.gov/opinions/docs/2024/12/24-111...

page 40, "The problem for TikTok is that the Government exercised its considered judgment and concluded that mitigation efforts short of divestiture were insufficient, as a TikTok declarant puts it, to mitigate “risks to acceptable levels.” "

catlikesshrimp

>"I'd be fine if they just said, we're banning this because it's from China."

Some of us would understand that message, but that would be eternal fuel for a political fire. The Huawei debacle stumbled in serious opposition.

frollogaston

According to the bill's sponsor, this is exactly what happened. The bill was dead until the Oct 7 Hamas attacks, then suddenly lawmakers were supporting it for speech reasons.

_heimdall

I still don't quite understand the free speech issue with banning one particular foreign media outlet or platform.

Banning TikTok would do nothing to hinder Americans' ability to say (almost) whatever they want without fear of government retribution. Anything you would have said on TikTok can still be said on Facebook for example, or your own website.

frollogaston

Same reason they can't shut down a newspaper for its opinions. The ban is the government retribution. They also pressure Facebook etc to hide or downrank what they want.

stevenAthompson

>The ban is the government retribution.

No it isn't. China has already admitted they hacked all the major US telecoms to spy on American citizens, and shown no indication that they intend to stop doing that sort of thing. We simply can't trust them to install applications on devices that store the most sensitive secrets of our politicians, military leaders, and citizens.

See Volt Typhoon and Salt Typhoon for more information. China admitted that Salt Typhoon was them, and Volt Typhoon is relatively obvious. It's worth also noting that they used the backdoors that were put in place for CISA requests, which is a perfect example of why government mandated backdoors are a bad idea.

JumpCrisscross

> Same reason they can't shut down a newspaper for its opinions

It’s about ownership, not speech. If Bytedance refuses to change TikTok’s ownership, it gets banned for that reason. (Same way a foreign radio station would get banned for violating our ownership rules.)

__MatrixMan__

If you're going to tamper with US elections, you should at least have to spend USD to do so?

_heimdall

So are you saying that the free speech issue related to a TikTok ban is based only on what currency is used?

umanwizard

TikTok is the main place pro-Palestine viewpoints went viral. I don't know whether this is because of the demographics of users, or because US platforms were putting their thumb on the scale, or because TikTok was putting its thumb on the scale, or just randomly, but it is in fact the case.

So that's one quite mainstream opinion that would be suppressed if the government banned TikTok. No, you wouldn't be arrested for posting pro-Palestine stuff to Facebook (at least not under Biden...) but that's not the only way for the government to curtail speech.

guappa

Just so you know, the whole world except USA is pro palestine.

_heimdall

But a ban on TikTok isn't a ban on pro-Palestine speech. How does banning TikTok stop people from being able to say something in support of Palestine?

dfedbeef

Probably because TikTok is a video-first platform? Text doesn't really do it justice.

colonCapitalDee

Could also just be a demographics thing

ycombobreaker

If TikTok didn't exist, wouldn't you expect those Pro-Palestine viewpoints to appear somewhere else? The whole thing is unverifiable because we have no test/control, but it seems implausible that the platform was the only avenue for this particular speech.

basilgohar

TikTok has different censorship than Meta and Google platforms. More news about the genocide in Palestine reached people through TikTok than other platforms that actively banned activists and journalists reporting on Israel's war crimes over the past 18 months.

guelo

TikTok used to be one of the few big platforms that didn't censor Israel criticism, though that has changed since Trump imperially overrode the law and unbanned them. It's insane the levels of 1st amendment violation and corruption that is OK now.

dylan604

First amendment violations have always been accepted as long as they were in line with current administration. Since the administration has changed, so has the direction of those violations which just makes it appear like it is new now.

_heimdall

Any one company moderating speech isn't a first amendment violation though. The first amendment is entirely focused on the right to speak freely without risk of government intervention, it says nothing of private corporation interventions.

vkou

> I still don't quite understand the free speech issue with banning one particular foreign media outlet or platform.

Half of America's exports is media to foreign countries, you're opening a can of worms.

ricochet11

If they can ban something then everyone else gets worried of being banned and everyone plays it safe.

gosub100

I don't defend the practice, but it's a lot easier to hide "adversarial" bot armies on a foreign social network. We have bot armies on US social networks but they are well known and controlled by US interests.

_heimdall

What do bot armies have to do with the first amendment though? My right to free speech isn't impeded by someone else standing up a bunch of bots online.

dvngnt_

I'd rather have social media reform and stronger algorithm controls for users vs banning meta's biggest competitor that actually does everything people are afraid of tiktok doing https://www.techradar.com/computing/cyber-security/facebooks...

shadowgovt

If the US wants to stop meddling in their elections, they should block Facebook.

kjkjadksj

Now why would the powers that be want to ever abandon their reigns?

fph

Did you mean to write "reins"? This is one rare sentence that works with both spellings, but means different things.

kjkjadksj

Makes me wonder if the best inroad into influencing China is just direct bribes to government officials. You can’t do it the old fashioned way of propagandizing the population directly given restrictions on third party content, but I’m sure there are plenty of palms for want of greasing in the east same as there are here. Usually such restrictions on action are specifically to force a greasing of a palm anyhow in order to achieve that action than any outright ban.

01HNNWZ0MV43FF

TBH the US should block Facebook it's just one party doesn't have the voter base and the other party is evil

alabastervlog

Engagement-driven personalized “algo” feeds need to be banned in general, by any countries that don’t want to continue swinging rightward. I would feel a lot more confident about the future of liberal democracy if this were under serious discussion in at least some countries, but, afaik, it’s still not even now (it should have been years ago!) which is worrisome.

ddxv

Rather than going through 1000s of app companies, why not go directly to the 100s of third party analytic companies?

From my research most all apps use some SDK which tracks users. Many apps use 3 or 4 for various marketing / product / business use cases. I've been tracking this on https://appgoblin.info/companies if anyone wants to check. Try looking at the "no analytics" found groups, which are just apps I haven't found evidence of 3rd party trackers, almost certainly they do use them.

I would like to see a world where Angry Birds data at least stays on Angry Birds servers and have been working on building a part of that with OpenAttribution (https://openattribution.dev) to let app/game companies build their marketing pipeline with at least one less tracker in the app.

I think as compute is getting cheaper a lot of this should/can be self-hosted by at least larger companies so they have full control of their BI tools and the data underlying it.

engels_gibs

But remember folks: China is spying on you!

nashashmi

“And that’s why we need to ban TikTok” but not so they can stop influencing you.

“And why we need to stop you from supporting terrorists” but not because we are against your freedom to speak.

fsckboy

2014? this is really old news, and there's no smoking gun in here. it's not like they are looking through your camera or listening to your mic, it's just "who is using this app" type stuff, and the NSA denies they target people who they are not seeking for other reasons

i'm not saying "believe the NSA" or the Five Eyes, but you already know how you think about that

alabastervlog

They deny they target people they aren’t seeking for other reasons (uh, duh? This basically doesn’t say anything at all) but don’t deny mass collection, nor using your data to try to target others (or you, if “other reasons” come up!) or to build a general spying-on-everyone surveillance system.

But sure, I do believe them that they don’t bother to look at it unless they want to. Like… yes, that’s how looking works.

simoncion

They absolutely did deny mass collection (among other things).

The most charitable interpretation of the claims would be that what NSA calls "collection", every other English-speaking human would call "analysis" (or -maybe- "post-collection preprocessing"). This horseshit was reported in many places at the time, but here's the first vaguely-reputable place I could find talking about this sort of thing today [0]:

> Take, for example, the definition of the term “collection.” What qualifies as intelligence collection is critical to the scope of intelligence activity because it determines when intelligence gathering begins. Although it never provides its own definition, EO 12333 repeatedly refers to collection as the beginning of the intelligence gathering cycle. The agencies themselves elaborate on EO 12333’s general guidance by defining collection in their internal procedures. As we chart in greater detail in our article, the Defense Department’s and the NSA’s definitions of collection vary significantly, even though the NSA is a subordinate agency of the Pentagon.

> The Defense Department defines collection as intelligence gathering at a much earlier point than the NSA’s. Under DoD 5240.01, the department’s current manual, “information is collected when it is received by a Defense Intelligence Component,” regardless of how that information is “obtained or acquired.” By contrast, the NSA’s current version of USSID 18 states that collection “means [the] intentional tasking or SELECTION of identified nonpublic communications for subsequent processing aimed at reporting or retention as a file record.” As a result, collection for the Defense Department’s purposes appears to involve no processing or action; information is collected as soon as it is received. For the NSA, however, collection begins only once the information has been “selected” and put to further use.

> ...Under the NSA’s attorney general guidelines, for example, vast amounts of intelligence could be gathered without technically being collected. This means that, on paper, none of the guidelines’ subsequent protections for or limitations on the use of that intelligence apply when the information is first received. In theory, the NSA’s guidelines might permit the agency to gather significant amounts of unprocessed intelligence and then store it indefinitely.

[0] <https://www.lawfaremedia.org/article/what-does-collection-me...>

__MatrixMan__

"who is using this app?" sounds like an innocent enough question until that person dies a moment later for reasons that surely had nothing to do with the app.

01HNNWZ0MV43FF

> old news

Vogon detected

"There's no point in acting surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for 50 of your Earth years, so you've had plenty of time to lodge any formal complaint and it's far too late to start making a fuss about it now."

kjkjadksj

What possible good is it to know who is using Angry Birds for an intelligence agency? Your explanation makes zero sense. The idea that they’d use it for spying is the only logical explanation.

froggertoaster

They call them "slippery slopes" for a reason. Why were they collecting this data at all, and why is it constitutional?

owlninja

That document seems like a useful tool to get elected and then throw in the trash when you are in power.

vrosas

My dude you can buy troves of data from Grindr, or really any popular “free” app. Advertisers eat this stuff up.

greenchair

[flagged]

gruez

>It wasn't clear precisely what information can be extracted from which apps, but one of the slides gave the example of a user who uploaded a photo using a social media app. Under the words, "Golden Nugget!" it said that the data generated by the app could be examined to determine a phone's settings, where it connected to, which websites it had visited, which documents it had downloaded, and who its users' friends were.

Sounds like those apps weren't using SSL, and NSA could eavesdrop on whatever API calls or telemetry it was sending? There's no real evidence that those apps are complicit, even though the article tries to imply that.

mrheosuper

SSL added and removed here ;-)

frollogaston

TikTok's CDNs also don't use SSL, unless that changed.

buyucu

not using SSL means the app devs were either stupid, or they were complicit.

zghst

Detasking, minimization, FAA/PAA incidents database, etc., yeah right!

bigbuppo

And don't forget that ad tech has grown more pervasive since then. The NSA is the least of your troubles these days.

OutOfHere

Ad-tech does not put people in prison or deport them. The NSA does, via parallel reconstruction.

kjkjadksj

No it just takes the money out of their pocket and makes them addicted to things so it is Ok.

OutOfHere

It is not okay, but it is not anywhere as bad as what the government does in the name of security.

Barracoon

The NSA does not do either of those things

OutOfHere

They do on occasion pass their intel to other domestic agencies which then do the field work of parallel reconstruction and locking people up.

Additionally, the NSA has been silently sabotaging computer security for decades with their exploitable backdoors, making things worse for everyone.

Calliope1

[flagged]

areyourllySorry

EMDASH DETECTED

EMDASH SPOTTED ON LINE 3

INITIALIZING GPTZERO.EXE

    DETECTED STRING: “just a game — or a gateway ”

 AI CONFIRMED
 TOO COHERENT
 DETECTION OFF THE CHARTS
OUTPUT: “DON'T EVER USE AI AGAIN.”

johnisgood

LibreOffice automatically inserts emdash when I press space after typing "-". :P