A closer look at the issue of the NSA and building spyware into apps

Developers have to answer a lot of questions when building apps but one question that doesn’t have a clear answer is how do you build spyware or backdoors into your apps?

It may seem like a silly question but I think someone has to ask it.

Let’s say I’m building yet another self-destructing, highly-encrypted messaging application for mobile devices. We’re still a month or so away from our grand public debut so we’re operating in stealth mode. Now let’s say we release the application and it becomes an overnight success, particularly among government officials in foreign countries. Then three months down the road the NSA (or the FBI or whoever) shows up at our offices and says: "We need to be able to access all those messages in real time."

What do we do now? Do we try to deploy a patch somehow that gives the NSA full access? Do we release a whole new version? And what if we just licensed the encryption algorithm from someone else and don’t actually know how it works or how to crack it; do we tell the NSA to ask them for the keys or are we responsible?

We weren’t even thinking about making changes like that when we were developing the app (we were more worried about screen resolutions and interface design at the time).

So how do you prepare your apps so that they can easily be transformed into spyware? What sorts of backdoors does the NSA prefer? Are there sample code or APIs available from the NSA? Do we have to wait until after we deploy our apps to find out if the NSA even wants to hack whatever information we might gather? Are there any guidelines for this sort of stuff?

The NSA’s website is pretty vague about all this but in the FAQ section it recommends that companies wishing to work with the NSA, “first register with the NSA Acquisition Resource Center (ARC) at www.nsaarc.net [I've purposely removed the hyperlink] to highlight your company's capabilities and identify points of contact.”

Ironically when you click on the link it takes you to a site where Chrome doesn’t recognise the certification and gives you a warning that someone may be trying to hack your computer… how odd.

If you aren’t a giant company like Google or Microsoft or Facebook you may be flying just under the NSA radar until after your app hits the market, and then going back to try and retrofit your app with whatever spyware they might want could be expensive. Does the NSA reimburse you for those expenses?

Related: Got a Chinese smartphone? It could be packed with built-in spyware

But perhaps this is all moot. Perhaps the NSA doesn’t need a backdoor built into every messaging app. Perhaps they already have the necessary technology in place to intercept and decrypt every message sent by anyone around the world. Perhaps we’ll never hear that knock on the door.

But it sure would be nice to know ahead of time what the NSA might want us to do with our apps before we deploy them.

I propose the creation of a spyware clearing house website for developers who want to build in compliance with spy agencies, governments, courts and police requirements. It should have a news section, lots of sample code, a blog section, a place where you can post questions to other developers (or the spy agencies themselves) and of course it would need a download section where you can get code snippets in multiple languages and an assortment of APIs (clearly documented, please). And this needs to be an international effort because the Chinese government might want the data in XML but the NSA might prefer simple ASCII text.

Perhaps ISO should take up this matter and start defining some international spyware standards.