ProPublica lays out more from its story about how the NSA and its British counterpart have been scouring smartphone apps
As we detailed on Monday, documents show the NSA and its British counterpart have been probing advertiser data on smartphone apps, which can include your gender, income, and even whether you’re a “swinger.”
Do you have questions? Post them in comments or tweet us.
What’s new here?
This article reveals how U.S. and British spy agencies have sought to intercept the information transmitted by the games and other apps that users download onto their smartphones. Previous stories have detailed how U.S. and British spies have been intercepting massive quantities of cellphone text messages and gathering the location of cellphones around the world.
How does it work?
Many people don’t realize that when they use a smartphone app – to play a game or listen to music – the app may transmit information back to the app maker and may contain tracking technology placed by advertisers.
The spy agencies call these “leaky apps.” The spies collect information from, among others, Google Maps, Twitter, LinkedIn, Facebook and Yahoo's Flickr, which in turn can transmit location, buddy lists, browsing history and more, according to a 2010 NSA document.
A 2010 Wall Street Journal survey of 101 iPhone and Android apps showed that the majority of apps were transmitting the phone’s unique ID – a type of serial number assigned to the device – and the user’s location to advertisers.
Since then, advertisers have been building even more detailed profiles of app users.
By using the phone’s identifier, advertisers can often monitor the user’s behavior in multiple apps and when the user browses the Web from their smartphone. Advertisers can tie the information together in a dossier that can include a user’s location, income and preferences such as sexual orientation and political leanings.
How does the NSA get it?
The agencies can pick up much of this information as it travels through private cellphone networks around the world. And because the data includes a tag from your phone, the agencies may have the ability to know who you are.
Does this mean the NSA is watching me while I play Angry Birds?
It’s not clear. The documents show that spies have collected data from Google’s AdMob, which is the largest mobile advertising network and is one of many advertisers whose ads have appeared in Angry Birds.
The agencies say that even if they collect the data, they don’t look at it unless it is relevant to an investigation.
The NSA also says that it “minimizes” – or throws away – the data it intercepts from people who live in the United States. However, its minimization rules allow it to keep information about U.S. residents if it is deemed suspicious or could be relevant to an investigation.
Do they really know if I’m a “swinger”?
Documents show that analysts at GCHQ in 2012 studied the possibility of collecting traffic from Millennial Media, which included advertising profiles that identified users by ‘sexual orientation’ including the category of swingers.
However, it is unclear whether the data has been used for intelligence purposes.
It is also not clear what type of app usage or Web browsing behavior would lead Millennial Media to characterize someone as a swinger. Millennial declined our request for comment.
Can I stop leaky apps from sending out data about me?
No, but you can make it harder for advertisers to track you on your phone.
Apple’s latest iPhone software, iOS 7, offers two options to limit ad tracking.
Google’s Android also offers users two options to limit ad tracking.
US President Obama, who delivered a speech on surveillance policy last week, has made a series of misleading statements about the NSA
Since the first disclosures based on documents provided by former National Security Agency (NSA) contractor Edward Snowden, US president Barack Obama has offered his own defenses of the programs. But not all of the president’s claims have stood up to scrutiny. Here are some of the misleading assertions he has made.
1. There have been no abuses.
And I think it's important to note that in all the reviews of this program [Section 215] that have been done, in fact, there have not been actual instances where it's been alleged that the NSA in some ways acted inappropriately in the use of this data … There had not been evidence and there continues not to be evidence that the particular program had been abused in how it was used. -- Dec. 20, 2013
At press conferences in June, August and December, Obama made assurances that two types of bulk surveillance had not been misused. In fact, the Foreign Intelligence Surveillance Court has reprimanded the NSA for abuses both in warrantless surveillance targeting people abroad, and in bulk domestic phone records collection.
In 2011, the FISA Court found that for three years, the NSA had been collecting tens of thousands of domestic emails and other communications in violation of the Fourth Amendment. The court ordered the NSA to do more to filter out those communications. In a footnote, Judge John D. Bates also chastised the NSA for repeatedly misleading the court about the extent of its surveillance. In 2009 – weeks after Obama took office – the court concluded the procedures designed to protect the privacy of American phone records had been “so frequently and systemically violated that it can fairly be said that this critical element of the overall … regime has never functioned effectively.”
The NSA told the court those violations were unintentional and a result of technological limitations. But the NSA’s own inspector general has also documented some “willful” abuses: About a dozen NSA employees have used government surveillance to spy on their lovers and exes, a practice reportedly called “LOVEINT.”
2. At least 50 terrorist threats have been averted.
We know of at least 50 threats that have been averted because of this information not just in the United States, but, in some cases, threats here in Germany. So lives have been saved. -- June 19, 2013
The record is far less clear. Obama’s own review group concluded that the sweeping phone records collection program has not prevented any terrorist attacks. At this point, the only suspect the NSA says it identified using the phone records collection program is a San Diego cab driver later convicted of sending $8,500 to a terrorist group in his homeland of Somalia.
The NSA’s targeting of people abroad appears to have been more effective around counter-terrorism, as even surveillance skeptics in Congress acknowledge. But it’s impossible to assess the role the NSA played in each case because the list of thwarted attacks is classified. And what we do know about the few cases that have become public raises even more questions:
Contrary to what Obama suggested on the “Charlie Rose Show” in June, the AP has reported that the FBI did not need either program to identify Najibullah Zazi, later convicted of plotting to attack the New York subway system.
ProPublica has reported that one case began with a tip from British intelligence, not NSA surveillance.
In another case, no one has been charged related to the alleged plot.
3. The NSA does not do any domestic spying.
We put in some additional safeguards to make sure that there is federal court oversight as well as Congressional oversight that there is no spying on Americans. We don't have a domestic spying program. What we do have are some mechanisms where we can track a phone number or an e-mail address that we know is connected to some sort of terrorist threat, and that information is useful. -- Aug. 7, 2013
In fact, plenty of Americans’ communications get swept up. The government, of course, has the phone records of most Americans. And, as the FISA Court learned in 2011, the NSA was gathering tens of thousands of domestic emails and other communications.
Additionally, the NSA's minimization procedures, which are supposed to protect American privacy, allow the agency to keep and use purely domestic communications in some circumstances. If the NSA “inadvertently” vacuums up American communications that are encrypted, contain evidence of a crime, or relate to cybersecurity, the NSA can retain those communications.
The privacy standards suggest there is a “backdoor loophole” that allows the NSA to search for American communications. NSA critic Sen. Ron Wyden, D-Ore., has said, “Once Americans' communications are collected, a gap in the law that I call the 'back-door searches loophole' allows the government to potentially go through these communications and conduct warrantless searches for the phone calls or emails of law-abiding Americans.” It’s not clear whether the NSA has actually used this “backdoor.”
And while the NSA acknowledges that it intercepts communications between Americans and surveillance targets abroad, the agency also intercepts some domestic communications that mention information about foreigners who have been targeted. As a result, the NSA has sometimes searched communications from Americans who have not been suspected of wrongdoing – though an NSA official says the agency uses “very precise” searches to avoid those intercepts as much as possible.
4. Snowden failed to take advantage of whistleblower protections.
I signed an executive order well before Mr. Snowden leaked this information that provided whistleblower protection to the intelligence community – for the first time. So there were other avenues available for somebody whose conscience was stirred and thought that they needed to question government actions. -- Aug. 9, 2013
Obama’s presidential policy directive forbids agencies from retaliating against intelligence personnel who report waste, fraud and abuse. But the measure mentions only “employees,” not contractors. Whistleblower advocates say that means the order does not cover intelligence contractors.
“I often have contractors coming to me with whistleblower-type concerns and they are the least protected of them all,” attorney Mark Zaid told the Washington Post.
What’s more, the directive was not yet in effect at the time Snowden came forward. Since the leaks, the Office of the Director of National Intelligence has said “the Executive Branch is evaluating the scope” of the protections.
Former NSA employee Thomas Drake argues that even if Snowden were a government employee who went through the proper legal channels, he still wouldn’t have been safe from retaliation. Drake says while he reported his concerns about a 2001 surveillance program to his NSA superiors, Congress, and the Department of Defense, he was told the program was legal. Drake was later indicted for providing information to the Baltimore Sun. After years of legal wrangling, Drake pleaded guilty to a lesser charge and got no prison time.
As Medicare considers banning doctors who pose a "threat to the health or safety" of patients, it plans to consider an array of factors
When the agency that runs Medicare announced last week that it would take action against doctors who prescribe abusively in its massive drug program – perhaps banning them – it raised an interesting question.
What exactly constitutes “abusive” prescribing?
On this point, the Centers for Medicare and Medicaid Services (CMS) is treading carefully, refusing to get pinned down by numerical thresholds for specific drugs. Instead Medicare will consider a variety of factors in deciding whether a physician’s drug choices pose a “threat to the health or safety” of seniors and the disabled.
“In our view, if a physician or eligible professional repeatedly and consistently fails to exercise reasonable judgment in his or her prescribing practices, we should have the ability to remove such individuals from the Medicare program,” officials wrote in the 678-page document proposing changes.
“Honest physicians and eligible professionals who engage in reasonable prescribing activities would not be impacted by our proposal,” they wrote.
In stories last year, ProPublica detailed lax oversight of the Medicare drug program, known as Part D. The series showed that federal regulators’ failure to keep watch over the program has enabled doctors to prescribe massive quantities of inappropriate medications, has wasted billions on needlessly expensive drugs and has exposed the program to rampant fraud. Part D cost taxpayers $62 billion in 2012.
In the “proposed rule,” CMS said it would weigh eight factors in determining whether a health professional poses a threat. These include:
Whether patients’ diagnoses support using the medications prescribed.
Whether providers wrote prescriptions to patients they could not have seen – such as those who are dead or were out of state at the time of billed office visits.
Whether providers prescribed excessive volumes of painkillers and other controlled substances linked to overdoses.
Whether disciplinary actions have been taken against providers by state regulators or Medicaid programs for the poor.
Whether providers have been sued for malpractice, including the number and type of such lawsuits, and whether those suits resulted in judgments or settlements.
Medicare said it would not base its decision on any single factor. “Nonetheless, there are certain criteria that, if met, would weigh heavily and perhaps decisively towards a finding that a revocation is justified,” the agency said.
Medicare’s case-by-case strategy is one ProPublica also determined was the best method when assessing Part D prescribing data it obtained from the program. The prescribing practices of doctors, reporters found, could not be judged by numbers alone – whether overall or concentrated on specific medications. Often what looked troubling in the data had a real-life explanation. For example, in some cases, when physicians’ annual tally of prescriptions topped 150,000 – an inconceivable amount – it turned out they specialized in nursing home care and their totals included prescriptions by others in their practices.
In order to identify physicians prescribing in unusual ways, ProPublica compared them to others in their specialty and state, looked at changes in their prescribing patterns from one year to the next, researched their backgrounds and disciplinary histories, and examined their preference for drugs with a high risk of abuse or misuse.
Reporters were able to spot the outliers. One Miami psychiatrist gave hundreds of elderly dementia patients antipsychotic drugs, despite a black-box warning against doing so. And an Oklahoma doctor gave an Alzheimer's medication to scores of autistic and developmentally disabled young adults, despite a lack of evidence that it would help them.
Neither doctor had ever been questioned by Medicare.
In submitting the proposed new rules, CMS said it lacked the legal authority to take action against physicians who prescribed improperly, unless they had been formally excluded from Medicare, a step typically taken only after a criminal conviction.
As a result, the document said, “This means, in many cases, that the prescriber can continue prescribing drugs that will be covered under Part D.”
Two senators pushing CMS to do more about abusive prescribing released statements praising the agency’s proposed new rules. Sen. Thomas Carper, D-Del., chairman of the Senate Homeland Security and Governmental Affairs Committee, called them “common sense reforms.”
Sen. Tom Coburn, R-Okla., the top Republican on the panel, said “the vast majority of physicians” want to help patients, but “where there is proof of abuse or fraud, CMS should take necessary actions to protect patients and taxpayers.”
Others greeted the proposals with more tempered reactions.
Dr. Ardis Dee Hoven, president of the American Medical Association, said the group is reviewing the proposal to ensure CMS “does not compromise appropriate prescribing or exceed its statutory authority.”
“Responsible prescribing of pharmaceutical drugs is a fundamental aspect of medical practice and the American Medical Association has zero tolerance for harming the health and safety of patients,” Hoven said in a statement.
Physicians who appropriately and safely prescribe medications “should not be targets of misguided government enforcement and driven out of practice,” she added.
The agency will take comments on the proposed rules until March 7. They are slated to take effect on Jan. 1, 2015.