Following last week’s revelations that the National Security Agency harvests users’ contact lists to widen its surveillance dragnet, comes news that Apple may be making this task even easier.
It turns out Apple’s Address Book app, the default tool by which Macs maintain email contact lists, doesn’t use secure HTTPS encryption when syncing contacts to Google’s Gmail. This means anyone with the ability to monitor a Wi-Fi network or other type of Internet connection would be able to collect that contact information without decrypting the data first.
As the Washington Post‘s Ashkan Soltani points out, Gmail has long been in the habit of securing user data, but it doesn’t work when that information is being communicated from a non-compatible Apple device.
“Even when SSL [a type of secure connection] is available for webmail, other software may transmit the information without in encryption,” Soltani writes. “For example, when the Address Book Application on Apple computers syncs with Google Contacts, the information is transmitted ‘in the clear,’ making it vulnerable to third-party snooping. This is often the case with legacy devices and non-webmail clients.”
It’s unclear why Apple hasn’t made the switch to HTTPS. As Ars Technica points out, this may simply be a glitch: Google changed HTTP to HTTPS in its contacts programming guidelines in April 2012, and Apple developers may simply have missed the memo. A forthcoming version of Mac OS X may correct this problem with a simple “three line fix,” according to Ars.
Further study by Soltani revealed that when the current version of Address Book is configured to sync with Gmail, the Apple app checks in about once an hour. Whenever Address Book contains a contact not found in Gmail, it will send that contact to Gmail unencrypted. Address Book uses HTTPS to securely log into Gmail servers, but the app goes on to send addresses plainly over an unencrypted HTTP connection.
It’s an unfortunate oversight, or perhaps error, for Apple. Like other tech giants, Apple is eager to restore the confidence of its consumers that information gathered by the tech giant won’t end up in hands of the federal government.
All of this comes hot on the heels of further domestic spying revelations courtesy of NSA whistleblower Edward Snowden. According to recently publicized reports, the “NSA collects, on a representative day, ~500,000 buddylists and inboxes.” On a single day in 2012, for instance, the agency collected “444,743 email address books for Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail, and 22,881 from miscellaneous others.”
It’s part of an NSA practice to harvest of the contact list of persons of interest to identify other contacts they may have in common. This practice of “contact-chaining” allows the NSA to snoop on anyone within 3 degrees of separation from the target of an investigation.
Photo by Tom Brown/Flickr