BEIJING—Western intelligence agencies explored tapping
Google Inc. and Samsung Electronics Co. mobile-software stores as
well as a mobile Web browser now owned by China's Alibaba Group
Holding Ltd., according to a document leaked by former U.S.
contractor Edward Snowden.
The news comes two years after Mr. Snowden's disclosures
prompted U.S. technology companies to call on Washington to reform
surveillance practices, while it has also fueled criticism from
U.S. allies such as Germany. With the mobile browser, called UC
Browser and popular in much of Asia, the disclosure comes as
cybersecurity becomes a source of increasing tensions between
Washington and Beijing.
Spokesmen for Google and Samsung declined to comment.
An Alibaba spokeswoman said the company hasn't seen the document
but that it had no evidence that any user information has been
taken. To address concerns, Alibaba's UCWeb mobile-browser arm has
asked UC Browser users to update their software to the latest
version, Alibaba said.
"We strongly object to anyone who might seek to target our
users' data or personal information," a spokeswoman said.
The document was reported on Thursday by the
Intercept—a news website that has been a conduit of leaks
from Mr. Snowden, a former U.S. National Security Agency
contractor—and Canada's CBC News. The NSA has said its
operations are "strictly conducted under the rule of law."
The document, a slide presentation describing work done in 2011
and 2012, showed that intelligence agencies including the NSA and
its peers in Canada, the U.K., Australia and New Zealand discovered
that they could tap connections between app servers in other
countries and their customers. The document said agency officials
saw the potential to launch what are called man in the middle
attacks, in which a person's electronic device is tricked into
thinking it is relaying data to a legitimate destination. It also
cited the potential for "harvesting data at rest" and "harvesting
data in transit."
The document cites "fingerprints deployed" in Samsung and
Android Marketplace servers, without explaining the term. Android
Marketplace is now called Google Play.
With UC Browser, the agencies also found that the app was
leaking information such as codes that could identify users of
cellular networks, their mobile phone numbers, SIM card numbers and
device details, the document indicated.
The agencies' spies found that unspecified operatives
responsible for covert activity in Western countries used the app
as a secret channel to discuss their operations, according to the
document. In it, this channel is described as providing a spying
opportunity "where potentially none may have existed before." In
the document, which both news outlets posted online, the details
about the operatives and their country of origin have been
redacted.
The governments and embassies of the U.S., Australia, New
Zealand and Canada didn't immediately respond to emailed requests
for comment. The U.K. embassy in Beijing said the government
doesn't comment on intelligence matters.
Besides China and India, UC Browser is also popular in Pakistan,
Indonesia and Russia, according to the website of the browser's
operator, UCWeb. The activity and weaknesses described in the
document predate Alibaba's acquisition of a majority stake in its
parent, UCWeb, in 2013. It now owns the entire company.
Citizen Lab, a Toronto-based human rights research group, in a
report Thursday said its researchers found that UC Browser poorly
secured data that was transmitted by the app. It said the app used
weak or no encryption, allowing for leaks of information that could
identify users, their locations, their devices, and the search
queries that they have made.
The group said it launched the analysis after being approached
by CBC News and the Intercept but that it didn't know whether the
problems it identified were the same as those referred to in the
document provided by Mr. Snowden.
Citizen Lab said it disclosed its findings to Alibaba and UCWeb
last month and that it tested the latest version of the app
downloaded from UCWeb's China site on Tuesday. It found that that
version of the app didn't appear to send location data insecurely
but that other issues remained, such as the lack of encryption on
search queries. Alibaba didn't immediately respond to a request for
comment about Citizen Lab's findings about the updated app.
Jonathan Cheng in Seoul contributed to this article.
Write to Gillian Wong at gillian.wong@wsj.com
Access Investor Kit for Google, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US38259P5089
Access Investor Kit for Google, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US38259P7069
Subscribe to WSJ: http://online.wsj.com?mod=djnwires