NSA spied through Angry Birds, other apps: report (2014)

Alleged NSA–Rovio Arrangement

  • One commenter recounts bar talk from a Rovio employee claiming NSA paid ~$10M to keep inter‑server Riak traffic unencrypted so it could be tapped off AWS fiber.
  • Others question credibility: could have been a joke, or really about ad networks or US-based analytics whose data NSA harvested indirectly.
  • Some note it would fit “business as usual”: buying access, working through US ad-tech and cloud providers, and exploiting plaintext metadata.
  • Comparison is made to a documented $10M NSA deal with a US crypto vendor, suggesting such sums are plausible for weakening security.
  • Regulatory interference is mentioned: an ISP engineer says routers could encrypt peering/customer links, but a government regulator blocked enabling it.

Strength of Modern Encryption vs Practical Attacks

  • Multiple comments emphasize that brute-forcing AES‑256 is physically impossible with any realistic energy or time budget (“boil the oceans”–style calculations).
  • Corrections refine the math (an exhaustive search of a 256-bit key space averages 2^255 trials; the energy cost is per AES block evaluation, not per key bit; AES‑128 and AES‑256 give very different budgets), but all agree brute force is infeasible.
  • Others stress the big caveat: this assumes no structural weakness is found and implementations/randomness are sound; history shows real systems often fail there.
  • DES history is cited: NSA strengthened its S-boxes against differential cryptanalysis but forced a short key (56 bits), making brute force tractable.
  • Discussion of covert entropy reduction and hardware backdoors (e.g., management engines, RNG bias, microcode) underlines that math can be perfect while implementations are subverted.
  • Several argue it’s cheaper and strategically safer for NSA to buy backdoors or induce bad practices than to reveal any truly spectacular cryptanalytic capability; parallel construction is mentioned as a way to hide sources.
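The two threads of the discussion above (the energy argument that exhaustive search of a 256-bit key is physically out of reach, and the caveat that a subverted key generator makes the key size irrelevant) are worth putting side by side in code. The block below is an added example, not code from the thread or from any commenter: the first half carries the "boil the oceans" calculation through with the Landauer bound (k_B·T·ln 2 per irreversible bit operation, counting one operation per key trial, so it is a generous lower bound); the second half is a constructed toy: a "256-bit" key that is really a deterministic function of a small seed, encrypted with a stand-in keystream built from SHA-256 rather than AES, and recovered by searching the reduced seed space with one known plaintext. The Sun's output, the 300 K temperature, the `backdoored_keygen` domain string and the 16-bit demo seed are all assumptions chosen for the example.

```python
import hashlib
import math

K_B = 1.380649e-23          # Boltzmann constant, J/K
SUN_WATTS = 3.828e26        # solar luminosity, W (assumed comparison budget)
SECONDS_PER_YEAR = 365.25 * 86400


def expected_trials(key_bits):
    """Average number of keys tried by an exhaustive search: half the space."""
    return 2 ** (key_bits - 1)


def landauer_energy_j(operations, temp_kelvin=300.0):
    """Landauer bound: k_B * T * ln 2 joules per irreversible bit operation.
    Charging one operation per key trial understates the real cost of a
    block-cipher evaluation, so this is a lower bound on the lower bound."""
    return operations * K_B * temp_kelvin * math.log(2)


def sun_years_for_key(key_bits, temp_kelvin=300.0):
    """Years of the Sun's entire output needed just to pay the Landauer
    bound for an average exhaustive search of a key_bits-bit key."""
    energy = landauer_energy_j(expected_trials(key_bits), temp_kelvin)
    return energy / SUN_WATTS / SECONDS_PER_YEAR


# --- constructed "perfect math, subverted implementation" scenario ---

def backdoored_keygen(seed, entropy_bits):
    """Returns 32 bytes that look like a 256-bit key but are a deterministic
    function of a seed with only entropy_bits of real entropy (constructed
    backdoor; the domain string is an arbitrary choice for the example)."""
    assert 0 <= seed < 2 ** entropy_bits
    return hashlib.sha256(b"backdoor-kdf" + seed.to_bytes(8, "big")).digest()


def keystream_encrypt(key, data):
    """Toy stream cipher standing in for AES: XOR with SHA-256(key || counter)
    blocks. Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        chunk = data[i:i + 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def recover_seed(known_plaintext, ciphertext, entropy_bits):
    """Exhaustive search over the reduced seed space with one known plaintext.
    The search costs 2**entropy_bits trials regardless of the nominal key size."""
    for seed in range(2 ** entropy_bits):
        key = backdoored_keygen(seed, entropy_bits)
        if keystream_encrypt(key, known_plaintext) == ciphertext:
            return seed
    return None


if __name__ == "__main__":
    for bits in (128, 256):
        print(f"{bits}-bit key: {expected_trials(bits):.3e} trials, "
              f"{sun_years_for_key(bits):.3e} years of solar output at the Landauer bound")
    # Same 32-byte key format, but only 16 bits of entropy: recovered in a blink.
    demo_bits, demo_seed = 16, 31337
    key = backdoored_keygen(demo_seed, demo_bits)
    ct = keystream_encrypt(key, b"attack at dawn")
    print("recovered seed:", recover_seed(b"attack at dawn", ct, demo_bits))
```

The point the numbers make is the one the thread makes: at 2^255 trials the energy bound alone is on the order of 10^22 years of the Sun's output, while the same cipher driven by a 16-bit-entropy generator falls to a loop of 65,536 hashes. Reducing effective entropy (biased RNG, seeded KDF, fixed key bytes) is invisible in the key material itself, which is why the thread's caveat about implementations and randomness matters more than the key-length arithmetic.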

Mass Surveillance, “Old News,” and Definitions

  • Some dismiss the article as old news about “who uses this app,” not mic/camera spying.
  • Others push back: why collect it at all, and on what constitutional basis?
  • NSA denials are called word games around “collection”: large-scale ingestion can be deemed not “collected” until selected for analysis, sidestepping formal limits.
  • Commenters distinguish ad-tech’s pervasive but commercial surveillance from state surveillance that can feed arrests, deportations, and long-term sabotage of security.

Ad-Tech, Analytics, and Data Flows

  • Multiple comments note it’s often easier to get data from third-party analytics and ad SDKs than from each app vendor.
  • Angry Birds is framed as an example: heavy use of US ad networks, AWS, and plentiful plaintext metadata pre‑“TLS everywhere.”
  • One participant tracks SDK usage across apps and argues that most include multiple trackers; proposes more self-hosted analytics and open tools so game/app data stays on first-party servers.

TikTok, Foreign Platforms, and Free Speech

  • The thread broadens into why states block foreign platforms (China blocking US tech; arguments that US “should” block TikTok).
  • One side sees banning a single foreign app as mainly a security/ownership issue; anything said there could be said on other platforms.
  • Others frame it as a speech issue: government selectively banning a major distribution channel (especially one that surfaced pro‑Palestine content more than US platforms) effectively shapes which viewpoints can reach mass audiences.
  • There’s debate over whether the TikTok ban is driven by security (Chinese espionage) or by political fear of a hostile, hard‑to‑pressure recommender system; some suggest “free speech” arguments are mostly PR cover.