Google tracking cookies give the NSA a helping hand in identifying Tor users

Latest revelations from National Security Agency documents from former NSA contractor and whistleblower Edward Snowden renew focus on the need for online companies to provide users with better controls so “unique identifiers” do not aid the government in warrantless surveillance.

The Washington Post’s Barton Gellman and Ashkan Soltani reported yesterday that a slide from an NSA presentation shows the NSA is “collecting location data transmitted by mobile apps to support ad-targeting efforts in bulk.”

A program, which is code-named HAPPYFOOT, is an analytic tool that uses Wi-Fi, GPS and the Global System of Mobile Communications (GSM). It, according to a Post description, “aggregates location-based service data to map physical locations of IP addresses” (which identifies devices connecting to the Internet).

Mobile apps on “smart phones” can switch off location services, however, the Post points out that this will not necessarily stop the phone from being able to determine location by “using signals from Wi-Fi networks or cellular towers.”

Furthermore:

…[A]pps that do not need geo-location data may still collect it anyway to share with third-party advertisers. Just last week, the Federal Trade Commission announced a settlement for a seemingly innocuous flashlight app that allegedly leaked user location information to advertisers without consumers’ knowledge.

Apps transmit their locations to Google and other Internet companies because ads tied to a precise physical location can be more lucrative than generic ads. But in the process, they appear to tip off the NSA to a mobile device’s precise physical location…

The tool expressly goes after consumers who do not know how to secure their data, and, in fact, it recognizes that there is data that the companies are either intentionally or unintentionally exposing for collection to benefit the companies themselves.

Gellman and Soltani further report that the NSA is “exploiting” a Google cookie, PREF, in order to pinpoint a target’s location. (Cookies are small pieces of data stored from websites that are stored in web browsers.)

A slide from an NSA presentation shows that Special Source Operations is “sharing information containing ‘logins, cookies, and GooglePREFID’ with another NSA division called Tailored Access Operations, which engages in offensive hacking operations. SSO also shares the information with the British intelligence agency GCHQ.”

Apparently, cookies are data the NSA can obtain with a Foreign Intelligence Surveillance Court order. This would mean “companies know” the NSA is collecting this data and “are legally compelled to assist.” (Transparency reports from Internet companies currently do not contain data on requests for data on cookies.)

Julia Angwin and Jennifer Valentino-Devries investigated Google’s iPhone tracking for The Wall Street Journal in February 2012. They found that Google and other advertising companies had bypassed “privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.” (Soltani was actually a technical adviser for WSJ, who helped do research for the story.)

The code the journalists were looking into was apparently the PREF cookie.

When the story ran, Google put out a statement: “The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.” But, the Post story explains that the cookie does “contain numeric codes that enable web sites to uniquely identify a person’s browser.”

Communications of an individual can be singled out and software could be used to hack into a person’s device.

Previously, the Post reported that the NSA was using cookies from DoubleClick.net, a third-party advertising service owned by Google, to identify individuals who use the anonymity tool, Tor.

The fact that data is being sent to third-party services is hugely problematic because, as the Electronic Frontier Foundation explains, these services become “convenient and attractive targets” for data from “vast swaths of the web.” The data is no longer in the control of the companies that made the collection of this data possible and, therefore, cannot oppose “unconstitutional government requests for that data.”

The EFF contends, “We need to work towards a long-term technical ecosystem that will better protect the privacy of who visits what websites. We also need strong privacy laws that protect user data from unconstitutional surveillance, and the transparency necessary to ensure these laws cannot be bypassed in secret.”

Even though the Post’s story suggest that the NSA may have specific suspicion for a user that gives it the authority to target the person and exploit his or her communications, the legal standard for collecting this data should be more transparent to Americans.

Stuart P. Ingis, General Counsel at the Digital Advertising Association, told the Post, in reaction to this story, “If data is used and it stops the next 9/11, our fellow citizens wouldn’t have any problem with it no matter what it is.”

That seems to be the only standard that can be cited to justify the NSA’s hoarding complex, however, the extension of tentacles into all communication networks of the world without regard for impact on privacy has yet to be defended with incontrovertible proof that the NSA has specifically thwarted terrorism.

All this seems to do is give Director for National Intelligence James Clapper, who lied to Congress, “peace of mind.” It helps him and Gen. Keith Alexander and other intelligence agency officials sleep at night. They feel in control. And, somehow, that is supposed to excuse any operations, programs or policies that clearly infringe upon the privacy rights of Americans and foreigners for no good reason at all.

Graphic by TigerPixel via Flickr