Analysis Finds Blurry Lines Between Rovio, Advertisers

Rovio, the maker of the massively popular Angry Birds, makes no secret about collecting personal data from those who download and play its games. But an analysis from the advanced threat detection firm FireEye is helping to expose the extent of data harvesting, and also to sketch out the blurry line that separates Rovio and third-party advertising networks it contracts with.

In a blog post on Thursday, FireEye analysts Jimmy Suo and Tao Wei described the findings of an investigation into the interaction between Rovio’s mobile applications, including the latest version of Angry Birds, and third-party ad networks such as Jumptap and Millennial Media.

Using FireEye’s Mobile Threat Prevention (MTP), the two gathered and analyzed network packet capture (PCap) information and examined the workings of Angry Birds and its communications with third-party ad networks. They were able to reveal a multi-stage information-sharing operation, tracking code paths from the reverse-engineered source code of both the ad platforms and Rovio’s applications.

FireEye found a web of ties between Rovio games and third party ad networks and cloud-based data aggregators.

Rovio came under fire after documents taken by former NSA contractor Edward Snowden and made public by The Guardian revealed that the mobile game maker’s “leaky” applications were being used by intelligence agencies, including the U.S. National Security Agency and Britain’s GCHQ, to gather information on persons of interest.

Rovio, based in Espoo, Finland, forcefully denied those charges. “Rovio Entertainment Ltd…does not share data, collaborate or collude with any government spy agencies such as NSA or GCHQ anywhere in the world,” the company said. However, the company did allow that surveillance “may be conducted through third-party advertising networks used by millions of commercial web sites and mobile applications across all industries.” And “if advertising networks are indeed targeted, it would appear that no internet-enabled device that visits ad-enabled web sites or uses ad-enabled applications is immune to such surveillance,” the company warned, saying it does not allow any third-party network to use or hand over personal end-user data from Rovio’s apps.

FireEye’s analysis concludes that drawing a line between Rovio and its third-party ad network partners may be a distinction without much of a difference.

Angry Birds’ data management service, “ad-x.co.uk,” was observed sharing information with third-party networks through Version 4.0.0 of Angry Birds. And some data sharing was observed in version 4.1.0, which was released on March 4. Data shared includes a wide range of personal information. Those who download a game and register may only surrender their e-mail, birthday and a password. Sign up for a newsletter, and Rovio collects your first and last name, email address, date of birth, country of residence, and gender. The aggregated information is sent to Rovio’s cloud back end and compiled with other information based on the registered email address.

Among the companies using that data is Rovio partner Burstly, which makes an ad library embedded in Angry Birds and which Rovio uses as an ad adapter to link it to other third-party ad clouds, including Jumptap and Millennial Media. The company also links to Skyrocket.com, an app monetization service provided by Burstly, and uses players’ personal data to target ads.

Rovio’s Privacy Policy makes clear that the company reserves the right to collect and resell a vast amount of data it collects through its apps, including – but not limited to – geographic location, information on the kind of device its customers own and personally identifying information. However, the recent revelations about how detailed those portraits of users are becoming, as well as how that information might be abused by governments and private firms, have raised concerns about the lack of privacy protections available to consumers.
