Canada and its spying partners exploited weaknesses in one of the world's most popular mobile browsers and planned to hack into smartphones via links to Google and Samsung app stores, a top secret document obtained by CBC News shows.
Electronic intelligence agencies began targeting UC Browser — a massively popular app in China and India with growing use in North America — in late 2011 after discovering it leaked revealing details about its half-billion users.
Their goal, in tapping into UC Browser and also looking for larger app store vulnerabilities, was to collect data on suspected terrorists and other intelligence targets — and, in some cases, implant spyware on targeted smartphones.
The 2012 document shows that the surveillance agencies exploited the weaknesses in certain mobile apps in pursuit of their national security interests, but it appears they didn't alert the companies or the public to these weaknesses. That potentially put millions of users in danger of their data being accessed by other governments' agencies, hackers or criminals.
"All of this is being done in the name of providing safety and yet … Canadians or people around the world are put at risk," says the University of Ottawa's Michael Geist, one of Canada's foremost experts on internet law.
CBC News analysed the top secret document in collaboration with U.S. news site The Intercept, a website that is devoted in part to reporting on the classified documents leaked by U.S. whistleblower Edward Snowden.
- CBC's coverage of Canada's Snowden files
- CBC News Investigates: Stories, videos, photos and more
- The Intercept story on mobile phone hacking
The so-called Five Eyes intelligence alliance — the spy group comprising Canada, the U.S., Britain, Australia and New Zealand — specifically sought ways to find and hijack data links to servers used by Google and Samsung's mobile app stores, according to the document obtained by Snowden.
Over the course of several workshops held in Canada and Australia in late 2011 and early 2012, a joint Five Eyes tradecraft team tried to find ways to implant spyware on smartphones by intercepting the transmissions sent when downloading or updating apps.
Privy to huge amounts of data
The Five Eyes alliance targeted servers where smartphones get directed whenever users download or update an app from Google and Samsung stores.
Samsung and Google declined to comment.
2012 Five Eyes presentation
The servers provide key access points to massive amounts of data flowing from millions of smartphones around the world.
"What they are clearly looking for are common points, points where thousands, millions of internet users actively engage in, knowing that if they can find ways to exploit those servers, they will be privy to huge amounts of data about people's internet use, and perhaps use bits and pieces of that to make correlations," says Geist.
Ultimately, the spy agencies wanted to implant spyware on certain smartphones to take control of a person's device or extract data from it, the document suggests.
The spy agencies also sought to match their targets' smartphone devices to their online activities, using databases of emails, chats and browsing histories kept in the Five Eyes' powerful XKeyScore tool to help build profiles on the people they were tracking.
Making that connection was a much desired goal of the agencies because of the growing use of smartphones and the wealth of data they contain.
Respecting agreements not to spy on each others' citizens, the spying partners focused their attention on servers in non-Five Eyes countries, the document suggests. The agencies targeted mobile app servers in France, Switzerland, the Netherlands, Cuba, Morocco, the Bahamas and Russia.
Canada's electronic surveillance agency, the Communications Security Establishment, refused to comment on its capabilities, saying that would constitute a breach of the Security of Information Act.
"CSE is mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism," the agency said in a written statement. "CSE does not direct its foreign signals intelligence activities at Canadians or anywhere in Canada."
Britain's counterpart, GCHQ, said all its work "is carried out in accordance with a strict legal and policy framework." The U.S. National Security Agency and New Zealand surveillance agency did not respond to CBC News. Australia's signals intelligence agency refused to comment.
Millions of users have 'no idea'
As the Five Eyes team sought ways into the mobile app store servers, they also uncovered security gaps in the popular UC Browser, owned by the powerful Chinese tech giant Alibaba Group. It is the world's most popular mobile browser behind those pre-installed on smartphones.
As the team discovered, the UC Browser app leaked its users' phone numbers, SIM card numbers and details about the device to servers in China.
In that stream of data, Five Eyes analysts found one country's military unit using the app as a covert way to communicate about its operations in Western countries.
They touted this signals intelligence coup as providing an "opportunity where potentially none may have existed before," the document says.
Citizen Lab, a human rights and technology research group in Toronto, says that the UC Browser app was still leaking data until recently, and that was putting millions of users' data at risk.
"Of course, the user of this application has no idea that this is going on," says Ron Deibert, director of the Citizen Lab, which is based at the University of Toronto's Munk School of Global Affairs.
"They just assume when they open a browser that the browser's doing what it should do. But in fact, it's leaking all this information."
Citizen Lab analysed the Android version of the app and found "major security and privacy issues" in its English and Chinese editions.
National security vs. privacy
Secure apps typically encrypt a smartphone's communication with a server for such purposes as downloading or updating apps to prevent outsiders from gaining access to sensitive details about a user.
The app may be unfamiliar to many Canadians, but it's well known in China, India and emerging markets.
Users like it because it compresses data to help pages load faster. Earlier this year, Facebook teamed up with UC Browser to allow Facebook notifications in the Chinese app. It was the first time the social media giant offered such a service outside its own app.
In 2014, e-commerce giant Alibaba Group acquired the owner of the mobile browser, UCWeb, in what was described as the biggest merger in Chinese internet history.
But Citizen Lab recently found Android versions of UC Browser leaking search queries, SIM card numbers and device IDs without any such protection. Some of it leaks even when the app is at rest.
Also, the app was transmitting the smartphone's location with encryption that the Citizen Lab says is easy to hack with publicly available tools.
All these details allow a government agency, hacker or criminal to track a person's movements and find out their habits, their relationships and even their interests.
Citizen Lab alerted Alibaba to the security gaps in mid-April, giving the company time to fix the problems. On May 15, after CBC News contacted the company, it released an update of the browser that fixed the issues identified by the Toronto research lab.
"We take security very seriously and we do everything possible to protect our users," said Alibaba in a written statement. "We have no evidence that any user information has been taken.
An Alibaba source familiar with the file said that spy agencies never alerted the company to vulnerabilities in the app and stressed that the app's leaks were not intentional.
Citizen Lab reviewed the update and found that the Chinese language version of the app — which leaked more data than the English one — still doesn't encrypt search terms.
The case raises questions about whether government agencies, even covert ones, should carry some responsibility for informing citizens of weaknesses they've unearthed in devices, operating systems and online infrastructure.
Taking advantage of weaknesses in apps like UC Browser "may make sense from a very narrow national security mindset, but it happened at the expense of the privacy and security of hundreds of millions of users worldwide," says Deibert.
"Of course, the security agencies don't [disclose the information]," says Deibert. "Instead, they harbour the vulnerability. They essentially weaponize it."
For his part, Geist argues that there is an expectation that the federal government will protect Canadians.
"We should be troubled by the notion of our spy agencies — and in a sense our government — actively looking for vulnerabilities or weaknesses in the software that millions of people are using," said Geist.
"That feels in many respects like a significant abdication of what I think most would expect from our government."
But not everyone agrees. "The fact that certain channels and devices are vulnerable is not ultimately the problem of signals intelligence," says Christian Leuprecht, a Royal Military College professor and fellow at Queen's University's Centre for International and Defence Policy.
If Canadians are concerned with encryption standards and privacy issues, he says, they can lobby governments to crack down on network operators, manufacturers and developers.
"Because the same way that our signals intelligence agency can follow data, devices and servers in other countries, remember that our adversaries are trying to do the exact same thing here."
- How CSE's existence was first revealed by CBC TV
- How to safely send sensitive files to CBC News
- CBC's coverage of Canada's Snowden files
- CBC News Investigates: Stories, videos, photos and more
CBC is working with U.S. news site The Intercept to shed light on Canada-related files in the cache of documents obtained by U.S. whistleblower Edward Snowden.
For a complete list of the past stories done by CBC on the Snowden revelations, see our topics page.