In a sense, the latest NSA revelation – that the agency and its partners tap into commercial “cookies” to track people’s web usage – isn’t that big a deal, compared with earlier leaks from former NSA contractor Edward Snowden. After all, this appears to be a technique employed to track specific targets that have already been identified. It’s not a tool of bulk, suspicionless surveillance.
Ed Felten, an eminent computer scientist and security researcher, has written a lengthy comment on the disclosures, exploring the different options companies have if they want to safeguard their tracking cookies from being hijacked by the NSA. His primary recommendation is that these cookies should only be sent over SSL.
Google assigns a unique PREF cookie anytime someone’s browser makes a connection to any of the company’s Web properties or services. This can occur when consumers directly use Google services such as Search or Maps, or when they visit Web sites that contain embedded “widgets” for the company’s social media platform Google Plus. That cookie contains a code that allows Google to uniquely track users to “personalize ads” and measure how they use other Google products.
Given the widespread use of Google services and widgets, most Web users are likely to have a Google PREF cookie even if they’ve never visited a Google property directly.
That PREF cookie is specifically mentioned in an internal NSA slide, which reference the NSA using GooglePREFID, their shorthand for the unique numeric identifier contained within Google’s PREF cookie. Special Source Operations (SSO) is an NSA division that works with private companies to scoop up data as it flows over the Internet’s backbone and from technology companies’ own systems. The slide indicates that SSO was sharing information containing “logins, cookies, and GooglePREFID” with another NSA division called Tailored Access Operations, which engages in offensive hacking operations. SSO also shares the information with the British intelligence agency GCHQ.
“This shows a link between the sort of tracking that’s done by Web sites for analytics and advertising and NSA exploitation activities,” says Ed Felten, a computer scientist at Princeton University. “By allowing themselves to be tracked for analytic or advertising at least some users are making themselves more vulnerable to exploitation.”