Web cookies that allow advertisers to keep tabs on individual Internet users’ browsing habits are being co-opted by the National Security Agency to focus its cyberespionage – potentially reinvigorating the debate over consumer rights to online privacy, leaked documents show.
One particular cookie called Google PREF, which is almost ubiquitous in the online world, is of particular value to the NSA – acting as a kind of digital homing beacon for agency operatives to target individual computers and implant spyware inside them, according to the documents leaked by former NSA contractor Edward Snowden to The Washington Post.
“In addition to tracking Web visits, this cookie allows NSA to single out an individual's communications among the sea of Internet data in order to send out software that can hack that person's computer,” the newspaper said.
The Post report gave specific attention to GooglePREFID, an identifier number within the PREF cookie.
Cookies are digital files collected within the browser software of computers that typically contain data revealing the various websites visited by a particular browser. Such clues to consumer tastes are invaluable to companies seeking to calculate the types of products and services that might be the most compelling to each consumer – and to then advertise those items to that person while he or she surfs the Web.
The leaked documents also discuss separate features in the “apps” of smart phones and other mobile devices – especially involving GPS – that have enabled the agency to track and map with far greater precision the movements of the owners of those devices.
In such cases, cookies "enable remote exploitation," according to the documents, although specific attacks used by the agency are not detailed.
The utility of cookies in cyber exploitation and espionage comes as no surprise to some.
“It's a common practice to use a browser cookie to identify a tango's [target] computer or mobile device,” says John Bumgarner, a former cyberintelligence officer, in an online interview. “Cookies can be easily used to track someone's digital footprint and in some cases their physical travel patterns. In the exploitation realm a cookie is a targeting beacon, which can be tracked by a cyber attack team.”
In some situations, this team could secretly install customized malware on the target computer that could “covertly monitor and report everything that is happening on that computer," he says.
NSA officials maintain their practices are programmatic, practical, and legal.
"As we've said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans," an NSA spokesman told the Post in a statement.
But such practices have put giant Internet companies in the hot seat, as concerns over privacy rights grow.
Google refused comment to the Post. But it was among eight Internet companies that this week unveiled Reform Government Surveillance, a group seeking to change government surveillance policies. AOL, Apple, Facebook, LinkedIn, Microsoft, Twitter, and Yahoo are also in the group.
Riled by fallout from the Snowden document leaks, several of those companies also recently announced plans to beef up encryption and other security, specifically to protect consumers from espionage by governments.
“The security of users’ data is critical, which is why we’ve invested so much in encryption and fight for transparency around government requests for information,” Larry Page, CEO of Google, said in a statement on the Reform Government Surveillance website.
“This is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world,” he wrote. “It’s time for reform and we urge the US government to lead the way.”
Such statements, however, fall short of what privacy experts say is a need for fundamental change in online privacy – and the data collection methods employed as part of advertising endeavors.
“The dots are being connected between the private-sector tracking and law-enforcement and intelligence-agency tracking,” says Chris Hoofnagle, a lecturer in residence at University of California’s Berkeley Center for Law & Technology.
“Law enforcement loves Facebook, Google, and all this tracking because any facts obtained by business can later be subpoenaed by law enforcement,” he says. “Both of these companies have tremendous power to track people online even once people have left the Facebook or Google platforms. So the problem becomes that law enforcement can piggyback on those platforms. The idea is: If you [the consumer] are willing to let Google track you, how can you object to law enforcement tracking you and accessing that data as well?”
In 2010, a Wall Street Journal series on online monitoring found that the “nation’s 50 top websites on average installed 64 pieces of tracking technology onto the computers of visitors, usually with no warning.”
That same year, Congress began hearings into the matter. But online advertisers have resisted a “universal choice mechanism” to let consumers avoid tracking altogether. Bowing to pressure from the White House, advertisers did finally agree in principle to a universal “Do Not Track” mechanism – but with “key caveats that may render the mechanism ineffective,” concluded a Harvard Law & Policy Review article last year.
Mozilla has since added a feature to its Firefox browser that lets users proclaim that they do not want their activity tracked across the web for advertising purposes. Microsoft, Google, and Apple have put similar features into their browsers as well.
Still, in September, the Digital Advertising Alliance, a trade group representing advertisers, said efforts to craft a plan to further protect consumer online privacy were dead. That same month, California Gov. Jerry Brown (D) signed into law the state’s Do Not Track law.
The new revelations from the Snowden documents – that NSA is apparently grabbing hold of GooglePREFID – is likely to give a fresh impulse to the flagging effort to bolster online privacy, some say.
“This revelation is a big threat for these companies,” Mr. Hoofnagle says. “It’s going to drive public understanding of the linkage between commercial activities and the empowerment of government surveillance. It’s going to create pressure for new consumer privacy laws.”