How NSA reportedly uses Google cookies could be next privacy flash point

The utility of Google cookies in cyber exploitation and espionage comes as no surprise to some. NSA officials maintain their practices are practical and legal.

Connie Zhou/Google/AP/File
This undated file photo made available by Google shows the campus-network room at a data center in Council Bluffs, Iowa.

Web cookies that allow advertisers to keep tabs on individual Internet users’ browsing habits are being co-opted by the National Security Agency to focus its cyberespionage – potentially reinvigorating the debate over consumer rights to online privacy, leaked documents show.

One particular cookie called Google PREF, which is almost ubiquitous in the online world, is of particular value to the NSA – acting as a kind of digital homing beacon for agency operatives to target individual computers and implant spyware inside them, according to the documents leaked by former NSA contractor Edward Snowden to The Washington Post.

“In addition to tracking Web visits, this cookie allows NSA to single out an individual's communications among the sea of Internet data in order to send out software that can hack that person's computer,” the newspaper said.

The Post report gave specific attention to GooglePREFID, an identifier number within the PREF cookie.

Cookies are digital files collected within the browser software of computers that typically contain data revealing the various websites visited by a particular browser. Such clues to consumer tastes are invaluable to companies seeking to calculate the types of products and services that might be the most compelling to each consumer – and to then advertise those items to that person while he or she surfs the Web.

The leaked documents also discuss separate features in the “apps” of smart phones and other mobile devices – especially involving GPS – that have enabled the agency to track and map with far greater precision the movements of the owners of those devices.

In such cases, cookies "enable remote exploitation," according to the documents, although specific attacks used by the agency are not detailed.

The utility of cookies in cyber exploitation and espionage comes as no surprise to some.

“It's a common practice to use a browser cookie to identify a tango's [target] computer or mobile device,” says John Bumgarner, a former cyberintelligence officer, in an online interview. “Cookies can be easily used to track someone's digital footprint and in some cases their physical travel patterns. In the exploitation realm a cookie is a targeting beacon, which can be tracked by a cyber attack team.”

In some situations, this team could secretly install customized malware on the target computer that could “covertly monitor and report everything that is happening on that computer," he says.

NSA officials maintain their practices are programmatic, practical, and legal.

"As we've said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans," an NSA spokesman told the Post in a statement.

But such practices have put giant Internet companies in the hot seat, as concerns over privacy rights grow.

Google refused comment to the Post. But it was among eight Internet companies that this week unveiled Reform Government Surveillance, a group seeking to change government surveillance policies. AOL, Apple, Facebook, LinkedIn, Microsoft, Twitter, and Yahoo are also in the group.

Riled by fallout from the Snowden document leaks, several of those companies also recently announced plans to beef up encryption and other security, specifically to protect consumers from espionage by governments.

“The security of users’ data is critical, which is why we’ve invested so much in encryption and fight for transparency around government requests for information,” Larry Page, CEO of Google, said in a statement on the Reform Government Surveillance website.

“This is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world,” he wrote. “It’s time for reform and we urge the US government to lead the way.”

Such statements, however, fall short of what privacy experts say is a need for fundamental change in online privacy – and the data collection methods employed as part of advertising endeavors.

“The dots are being connected between the private-sector tracking and law-enforcement and intelligence-agency tracking,” says Chris Hoofnagle, a lecturer in residence at University of California’s Berkeley Center for Law & Technology.

“Law enforcement loves Facebook, Google, and all this tracking because any facts obtained by business can later be subpoenaed by law enforcement,” he says. “Both of these companies have tremendous power to track people online even once people have left the Facebook or Google platforms. So the problem becomes that law enforcement can piggyback on those platforms. The idea is: If you [the consumer] are willing to let Google track you, how can you object to law enforcement tracking you and accessing that data as well?”

In 2010, a Wall Street Journal series on online monitoring found that the “nation’s 50 top websites on average installed 64 pieces of tracking technology onto the computers of visitors, usually with no warning.”

That same year, Congress began hearings into the matter. But online advertisers have resisted a “universal choice mechanism” to let consumers avoid tracking altogether. Bowing to pressure from the White House, advertisers did finally agree in principle to a universal “Do Not Track” mechanism – but with “key caveats that may render the mechanism ineffective,” concluded a Harvard Law & Policy Review article last year.

Mozilla has since added a feature to its Firefox browser that lets users proclaim that they do not want their activity tracked across the web for advertising purposes. Microsoft, Google, and Apple have put similar features into their browsers as well.

Still, in September, the Digital Advertising Alliance, a trade group representing advertisers, said efforts to craft a plan to further protect consumer online privacy were dead. That same month, California Gov. Jerry Brown (D) signed into law the state’s Do Not Track law.

The new revelations from the Snowden documents – that NSA is apparently grabbing hold of GooglePREFID – are likely to give a fresh impulse to the flagging effort to bolster online privacy, some say.

“This revelation is a big threat for these companies,” Mr. Hoofnagle says. “It’s going to drive public understanding of the linkage between commercial activities and the empowerment of government surveillance. It’s going to create pressure for new consumer privacy laws.”
