May 21, 2015 · 2 minutes

New reports from CBC News and the Intercept show that intelligence agencies in Canada, the United States, Australia, the United Kingdom, and New Zealand exploited vulnerabilities in Alibaba's UC Browser to surveil 500 million people. The agencies also planned to use various app stores to distribute their spyware.

The reports indicate that UC Browser offered up all kinds of information about its users. This is notable because it's the most popular Web browser in China and has an estimated 500 million users, making it a valuable target for spying. The problems are said to be limited to the Android version of the Web browser.

Citizen Lab has studied the browser, and it says that a device's identifier, its users' location, their search queries, and other information aren't encrypted when they're sent to various services. Other personally identifiable information is sent via "easily circumvented encryption" that these agencies could bypass.

Yet these reports don't only cover these agencies' efforts to spy on UC Browser. They also reveal that the agencies planned to exploit issues in several software marketplaces, including those offered by Google and Samsung, to distribute their spyware to Android smartphone users in Senegal, the Congo, and Sudan.

Here's what the Intercept says about the motivation behind this program:

The project was motivated in part by concerns about the possibility of 'another Arab Spring,' which was sparked in Tunisia in December 2010 and later spread to countries across the Middle East and North Africa. Western governments and intelligence agencies were largely blindsided by those events, and the document detailing IRRITANT HORN suggests the spies wanted to be prepared to launch surveillance operations in the event of more unrest.

The agencies were particularly interested in the African region, focusing on Senegal, Sudan and the Congo. But the app stores targeted were located in a range of countries, including a Google app store server located in France and other companies’ app download servers in Cuba, Morocco, Switzerland, Bahamas, the Netherlands and Russia.

Both efforts highlight the risks posed by intelligence agencies keeping information about vulnerabilities in popular products to themselves. Allowing these issues to remain in the products might benefit surveillance operations, but it also undermines the security and privacy of many innocent people.

Alibaba told CBC News that it was unaware of the problems with UC Browser and that the app didn't leak this information on purpose. Others could easily have exploited this vulnerability and learned all kinds of things about the half-billion people who have the Web browser installed on their smartphones.

The same might be said of the vulnerabilities that could have allowed these agencies to distribute spyware via numerous software marketplaces. Again, none of these problems remain exclusive to intelligence agencies for long -- there is always the chance that others will exploit them for their own gain.

[illustration by Brad Jonas]