
NSA uses online tracking ‘cookies’ to find spy targets

Files let agency home in on terrorism suspects; revelation may bring backlash by companies

The Washington Post

The National Security Agency is secretly using the tools that enable Internet advertisers to track consumers, using “cookies” and location data to pinpoint targets for government hacking and to bolster surveillance.

The agency’s internal presentation slides, provided by former NSA contractor Edward Snowden, show that when companies follow consumers on the Internet to better tailor their advertising, the technique opens the door for similar tracking by the government.

According to the documents, the NSA and its British counterpart, GCHQ, are using the small tracking files called cookies that advertising networks place on computers to identify people browsing the Internet. The intelligence agencies have made particular use of the “PREFID,” part of Google tracking software known as the “PREF” cookie.

This cookie typically doesn’t contain personal information, such as someone’s name or email address, but it does contain numeric codes that enable websites to uniquely identify a person’s browser.

In addition to tracking Web visits, the PREFID allows NSA to single out an individual’s communications among the sea of Internet data in order to send out software that can hack that person’s computer.

The NSA slides say the Internet cookies are used to “enable remote exploitation,” although the specific attacks used by the NSA against targets are not addressed in the documents.

The NSA’s use of cookies isn’t a technique for sifting through vast amounts of information to find suspicious behavior. Rather, it lets NSA home in on someone already under suspicion — akin to when soldiers shine laser pointers on a target to identify it for laser-guided bombs.

Separately, the NSA is using commercially gathered information to help it locate mobile devices around the world, the documents show. Many smartphone apps running on iPhones and Android devices, and the Apple and Google operating systems themselves, track the location of each device, often without a clear warning to the phone’s owner. This information is more specific than the broader location data that the U.S. government is collecting from cellular phone networks, as reported by The Washington Post last week.

“On a macro level, ‘we need to track everyone everywhere for advertising’ translates into ‘the government being able to track everyone everywhere,’ ” said Chris Hoofnagle, a lecturer in residence at the University of California at Berkeley’s law school. “It’s hard to avoid.”

These slides do not indicate how the NSA obtains Google PREF cookies or whether the company cooperates in these programs, but other documents reviewed by The Post indicate that cookie information is among the data NSA can obtain with a Foreign Intelligence Surveillance Act order. If the NSA gets the data in that way, the companies know of it and are legally compelled to assist.

Google chief executive Larry Page joined the leaders of other major technology companies this week in calling for an end to bulk collection of user data and for new limits on court-approved surveillance requests. “The security of users’ data is critical, which is why we’ve invested so much in encryption and fight for transparency around government requests for information,” Page said in a statement on the coalition’s website. “This is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world.”

For years, privacy advocates have raised concerns about the use of commercial tracking tools to identify consumers and target them with advertisements. The online ad industry has said its practices are innocuous and benefit consumers by showing them ads that are more likely to be of interest to them.

The revelation that the NSA is piggybacking on these commercial technologies could shift that debate, handing privacy advocates a new argument for reining in commercial surveillance.

Internet companies store the small files called cookies on users’ computers to uniquely identify them for ad-targeting and other purposes across many different websites. This advertising-driven business model pays for many of the services, such as email accounts, that consumers have come to expect for free.

Yet few are aware of the full extent to which advertisers, services and websites track their activities across the Web and mobile devices. These data-collection mechanisms are invisible to all but the most sophisticated users, and the tools to opt out of their use or block them have limited effectiveness.

Privacy advocates have pushed to create a system called “do not track” allowing consumers to opt out of such tracking. But Jonathan Mayer of Stanford’s Center for Internet and Society, who has been active in that push, said that “do-not-track efforts are stalled out.” They ground to a halt when the Digital Advertising Alliance, a trade group representing online ad companies, abandoned the effort in September after clashes over the proposed policy. One of the primary issues was whether consumers would be able to opt out of all tracking or rather choose not to be shown advertisements based on tracking.

Some browsers, such as Apple’s Safari, automatically block a type of code known as “third-party cookies,” which are often placed by companies that advertise on a site being visited. Other browsers, such as Mozilla’s Firefox, are experimenting with that idea. But such settings won’t prevent users from receiving cookies directly from the primary sites they visit or services they use.

Google assigns a unique PREF cookie any time someone’s browser makes a connection to any of the company’s Web properties or services. This can occur when consumers directly use Google services such as Search or Maps, or when they visit websites that contain embedded “widgets” for the company’s social media platform Google Plus. That cookie contains a code that allows Google to uniquely track users in order to “personalize ads” and measure how they use other Google products.

Given the widespread use of Google services and widgets, most Web users are likely to have a Google PREF cookie on their computers even if they have never visited a Google property directly.

This isn’t the first time Google cookies have been highlighted in the NSA’s attempts to identify targets to hack. A presentation called “Tor Stinks,” released in October by the British newspaper The Guardian, indicates that the agency was using cookies for DoubleClick.net, Google’s third-party advertising service, in an attempt to identify users of the Internet anonymization tool Tor when they switched to regular browsing.

Another slide indicates that the NSA is collecting, in bulk, location data that mobile apps transmit to support ad-targeting efforts. The NSA program, code-named HAPPYFOOT, helps the NSA map Internet addresses to physical locations more precisely than is possible with traditional Internet geo-location services.

Many mobile apps and operating systems use location-based services to help users find restaurants or other establishments. Even when GPS is disabled, most smartphones determine their location using signals from Wi-Fi networks or cellular towers.