WASHINGTON — The National Security Agency is secretly piggybacking on the tools that enable Internet advertisers to track consumers, using “cookies” and location data to pinpoint targets for government hacking and to bolster surveillance.
The agency’s internal presentation slides, provided by former NSA contractor Edward Snowden, show that when companies follow consumers on the Internet to better tailor their advertising, the technique opens the door for similar tracking by the government.
According to the documents, the NSA and its British counterpart, GCHQ, are using the small tracking files called “cookies” that advertising networks place on computers to identify people browsing the Internet. The intelligence agencies have made particular use of the “PREFID,” part of Google-specific tracking software known as the “PREF” cookie.
This cookie typically doesn’t contain personal information, such as someone’s name or email address, but it does contain numeric codes that enable Web sites to uniquely identify a person’s browser.
In addition to tracking Web visits, the PREFID allows NSA to single out an individual’s communications among the sea of Internet data in order to send out software that can hack that person’s computer.
The NSA slides say the Internet cookies are used to “enable remote exploitation,” although the specific attacks used by the NSA against targets are not addressed in the documents.
Separately, the NSA is using commercially gathered information to help it locate mobile devices around the world, the documents show. Many smartphone apps running on iPhones and Android devices, and the Apple and Google operating systems themselves, track the location of each device, often without a clear warning to the phone’s owner. This information is more specific than the broader location data the government is collecting from cellular phone networks, as reported by The Washington Post last week.
“On a macro level, ‘we need to track everyone everywhere for advertising’ translates into ‘the government being able to track everyone everywhere,’” said Chris Hoofnagle, a lecturer in residence at the University of California at Berkeley School of Law. “It’s hard to avoid.”
These slides do not indicate how the NSA obtains Google PREF cookies or whether the company cooperates in these programs, but other documents reviewed by The Post indicate that cookie information is among the data NSA can obtain with a Foreign Intelligence Surveillance Act order. If the NSA gets the data in that way, the companies know of it and are legally compelled to assist.
The NSA declined to comment on the specific tactics outlined in this article, but an NSA spokesperson sent The Washington Post a statement saying, “As we’ve said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans.”
Google declined to comment for this article, but chief executive Larry Page joined the leaders of other major technology companies this week in calling for an end to bulk collection of user data and for new limits on court-approved surveillance requests. “The security of users’ data is critical, which is why we’ve invested so much in encryption and fight for transparency around government requests for information,” Page said in a statement on the coalition’s website. “This is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world.”
For years, privacy advocates have raised concerns about the use of commercial tracking tools to identify consumers and target them with advertisements. The online ad industry has said its practices are innocuous and benefit consumers by showing them ads that are more likely to be of interest to them.
The revelation that the NSA is piggybacking on these commercial technologies could shift that debate, handing privacy advocates a new argument for reining in commercial surveillance.
Internet companies store the small files called cookies on users’ computers to uniquely identify them for ad-targeting and other purposes across many different websites. This advertising-driven business model pays for many of the services, such as email accounts, that consumers have come to expect to have for free.
Yet few are aware of the full extent to which advertisers, services and Web sites track their activities across the Web and mobile devices. These data-collection mechanisms are invisible to all but the most sophisticated users, and the tools to opt out of their use or block them have limited effectiveness.
Privacy advocates have pushed to create a system called “do not track” allowing consumers to opt out of such tracking. But Jonathan Mayer of Stanford’s Center for Internet and Society, who has been active in that push, said that “do-not-track efforts are stalled out.” They ground to a halt when the Digital Advertising Alliance, a trade group representing online ad companies, abandoned the effort in September after clashes over the proposed policy. One of the primary issues of contention was whether consumers would be able to opt out of all tracking or rather choose not to be shown advertisements based on tracking.
Some browsers, such as Apple’s Safari, automatically block a type of code known as “third-party cookies,” which are often placed by companies that advertise on a site being visited. Other browsers such as Mozilla’s Firefox are experimenting with that idea. But such settings won’t prevent users from receiving cookies directly from the primary sites they visit or services they use.
Google assigns a unique PREF cookie any time someone’s browser makes a connection to any of the company’s Web properties or services. This can occur when consumers directly use Google services such as Search or Maps, or when they visit websites that contain embedded “widgets” for the company’s social media platform Google Plus. That cookie contains a code that allows Google to uniquely track users in order to “personalize ads” and measure how they use other Google products.
Given the widespread use of Google services and widgets, most Web users are likely to have a Google PREF cookie on their computers even if they’ve never visited a Google property directly.
The PREF cookie is specifically mentioned in an internal NSA slide that refers to the NSA using PREFID, its shorthand for the unique numeric identifier contained within Google’s PREF cookie.
Special Source Operations (SSO) is an NSA division that works with private companies to scoop up data as it flows over the Internet’s backbone and from technology companies’ own systems. The slide indicates that SSO was sharing information containing “logins, cookies, and GooglePREFID” with another NSA division called Tailored Access Operations, which engages in offensive hacking operations. SSO also shares the information with the British intelligence agency GCHQ.
“This shows a link between the sort of tracking that’s done by Web sites for analytics and advertising and NSA exploitation activities,” said Edward W. Felten, a professor of computer science and public affairs at Princeton University. “By allowing themselves to be tracked for analytics or advertising, at least some users are making themselves more vulnerable to exploitation.”
This isn’t the first time Google cookies have been highlighted in the NSA’s attempts to identify targets to hack. A presentation called “Tor Stinks,” released in October by the British newspaper The Guardian, indicates that the agency was using cookies for DoubleClick.net, Google’s third-party advertising service, in an attempt to identify users of the Internet anonymization tool Tor when they switched to regular browsing. “It’s similar, in the sense that you see the use of an unique ID in the cookie to allow an eavesdropper to connect the activities of a user over time,” said Felten.
Another slide indicates that the NSA is collecting location data transmitted by mobile apps to support ad-targeting efforts in bulk. The NSA program, code-named HAPPYFOOT, helps the NSA map Internet addresses to physical locations more precisely than is possible with traditional Internet geo-location services.
Many mobile apps and operating systems use location-based services to help users find restaurants or other establishments. Even when GPS is disabled, most smartphones determine their location using signals from Wi-Fi networks or cellular towers.
Also, apps that do not need geo-location data may collect it to share with third-party advertisers. Last week, the Federal Trade Commission announced a settlement involving a seemingly innocuous flashlight app that allegedly sent location information to advertisers without consumers’ knowledge.
Apps transmit their locations to Google and other Internet companies because ads tied to a precise physical location can be more lucrative than generic ads. But in the process, they appear to tip off the NSA to a mobile device’s precise physical location. That makes it easier for the spy agency to engage in the sophisticated tracking techniques that The Washington Post described in a Dec. 4 article.
The disclosures about NSA practices reveal the dilemma facing online companies, which have faced a backlash against both tracking for commercial purposes and their role in government surveillance.
“If data is used and it stops the next 9/11, our fellow citizens wouldn’t have any problem with it no matter what it is,” said Stuart Ingis, general counsel for the Digital Advertising Alliance. But he said it a balance must be struck to pursue those bad actors “while at the same time preserving the civil liberties.”
Other defenders of online advertising companies have argued that it is unfair to conflate private companies’ ad-tracking activities with the NSA activities revealed in the Snowden leaks. Marvin Ammori, a lawyer who advises technology companies including Google on surveillance issues, wrote in USA Today that “limiting bulk data collection by private companies — whether they advertise or not — would do little or nothing to limit the NSA.”
Felten disagrees, noting that the latest documents show that “the unique identifiers that are being placed on users’ computers are not only being used by analytic and advertising companies, but also being used by the NSA for targeting.” He said there are things those companies could do to protect their users from the type of attacks described in the slides, such as “not sending tracking IDs, or at least not sending them in the clear” without a layer of encryption.
Similarly, he says, “browser makers can help by giving users better control over the use of third-party tracking cookies and by making sure that their browsers are not sending unique IDs as a side effect of their safe-browsing behavior.”
Stanford’s Mayer said the revelations suggest the need for limits on the data that companies collect about consumers. “There’s increasingly a sense that giving consumers control over the information they share with companies is all the more important,” he said, “because you’re also giving them control over the information they share with government.”
- - -
Soltani is an independent security researcher and consultant.