NSA uses Google's tracking cookies to target and "exploit" their subjects

A new set of leaked NSA slides from the Snowden trove was published in the Washington Post today, detailing NSA/GCHQ's use of Web cookies (including Google's PREF cookie) to uniquely identify people as they move around the Web, in order to target them and compromise them.

They also report on an NSA program called HAPPYFOOT that uses mobile phones to do very fine-grained tracking of targets.

Ed Felten, an eminent computer scientist and security researcher, has written a lengthy comment on the disclosures, exploring the different options companies have if they want to safeguard their tracking cookies from being hijacked by the NSA. His primary recommendation is that these cookies should only be sent over SSL.

Google assigns a unique PREF cookie anytime someone's browser makes a connection to any of the company's Web properties or services. This can occur when consumers directly use Google services such as Search or Maps, or when they visit Web sites that contain embedded "widgets" for the company's social media platform Google Plus. That cookie contains a code that allows Google to uniquely track users to "personalize ads" and measure how they use other Google products.

Given the widespread use of Google services and widgets, most Web users are likely to have a Google PREF cookie even if they've never visited a Google property directly.

That PREF cookie is specifically mentioned in an internal NSA slide, which reference the NSA using GooglePREFID, their shorthand for the unique numeric identifier contained within Google's PREF cookie. Special Source Operations (SSO) is an NSA division that works with private companies to scoop up data as it flows over the Internet's backbone and from technology companies' own systems. The slide indicates that SSO was sharing information containing "logins, cookies, and GooglePREFID" with another NSA division called Tailored Access Operations, which engages in offensive hacking operations. SSO also shares the information with the British intelligence agency GCHQ.

"This shows a link between the sort of tracking that's done by Web sites for analytics and advertising and NSA exploitation activities," says Ed Felten, a computer scientist at Princeton University. "By allowing themselves to be tracked for analytic or advertising at least some users are making themselves more vulnerable to exploitation."

NSA uses Google cookies to pinpoint targets for hacking [Ashkan Soltani, Andrea Peterson, and Barton Gellman/Washington Post]

Notable Replies

  1. Surely "HAPPYFOOT" should have targeted Linux systems. The Geek is weak in the NSA.

    How come Bullrun and Edgehill are both named after major Civil War battles? I thought codenames were selected randomly to avoid giving away any info about the named projected. Bullrun and Edgehill imply a similarity of purpose.

  2. Look, if there's anything we've learned, it's that nothing can stop the instrument of the state from intruding into your affairs but the vigilance of the people. At the end of the day, I accept that for all of my skills and tools, I'm no match for the immense resources of the NSA. That's what I call the scary part. It's not unreasonable, however, to provide people with tools that may (and it's always been "may" long before NSA-gate) help them.

    Here's the thing, and say it with me, "There is no rock-solid shield against spying." Never has been, never will be. It doesn't make it right, but it is the reality of the world in which we live. Don't like it? By all means, fight the good fight- lord knows I'll back you up.

  3. bzishi says:

    Here's a better idea: someone at Google needs to post the NSLs and force the government to prosecute. Only when NSLs are tried in court can they be overturned on 1st Amendment grounds. I hope there is someone brave enough. And Google needs to use every legal resource they have as a multi-billion dollar corporation to obfuscate and interfere with this program. They need to intentionally give corrupted data. They need to delay giving information. They need to be a nuisance in every aspect possible (tow the cars of NSA employees, give the data in font too small to read, 'lose' the NSLs and request copies in rooms with streaming webcams, etc.).

  4. These are rather internal project names no one outside the Stasi NSA should ever stumble upon than code names for operations involving outside communications that might get compromised.
    Also, the guy who makes up the cool acronyms was sick.

Continue the discussion bbs.boingboing.net

4 more replies