NSA taps tracking cookies used by Google, others, to monitor surveillance targets
Browser cookies used to serve targeted ads are a rich source of material for NSA, report says
Computerworld - The browser cookies that online companies use to track Internet customers for targeted advertising are also used by the National Security Agency to track surveillance targets and break into their systems.
The agency's use of browser cookies is restricted to tracking specific suspects rather than sifting through vast amounts of user data, the Washington Post reported Tuesday, citing internal documents obtained from former NSA contractor Edward Snowden.
Google's PREF (for preference) cookies, which the company uses to personalize webpages for Internet users based on their previous browsing habits and preferences, appears to be a particular favorite of the NSA, the Post noted.
PREF cookies don't store any user identifying information such as user name or email address. But they contain information on a user's general location, language preference, search engine settings, number of search results to display per page and other data that lets advertisers uniquely identify an individual's browser.
The Google cookie, and those used by other online companies, can be used by the NSA to track a target user's browsing habits and to enable remote exploitation of their computers, the Post said.
Documents made available by Snowden do not describe the specific exploits used by the NSA to break into a surveillance target's computers. Neither do they say how the NSA gains access to the tracking cookies, the Post reported.
It is theorized that one way the NSA could get access to the tracking cookies is to simply ask the companies for them under the authority granted to the agency by the Foreign Intelligence Surveillance Act (FISA).
Separately, the documents leaked by Snowden show that the NSA is also tapping into cell-phone location data gathered and transmitted by makers of mobile applications and operating systems. Google and other Internet companies use the geo-location data transmitted by mobile apps and operating systems to deliver location-aware advertisements and services to mobile users.
However, the NSA is using the same data to track surveillance targets with more precision than was possible with data gathered directly from wireless carriers, the Post noted. The mobile app data, gathered by the NSA under a program codenamed "Happyfoot," allows the agency to tie Internet addresses to physical locations more precisely than was possible with cell-phone location data.
An NSA division called Tailored Access Operations uses the data gathered from tracking cookies and mobile applications to launch offensive hacking operations against specific target computers, the Post said.
An NSA spokeswoman Wednesday did not comment on the specific details in the Post story but reiterated the agency's commitment to fulfill its mission of protecting the country against those seeking to do it harm.
"As we've said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans and allies," the spokeswoman said.
The Post's latest revelations are likely to shine a much-needed spotlight on the extensive tracking and monitoring activities carried out by major Internet companies in order to deliver targeted advertisements to users.
Privacy rights groups have protested such tracking for several years and have sought legislation that would give users more visibility and control over the data that is collected on them by online companies.
But efforts to implement an effective, industrywide Do Not Track system remain elusive as a result of opposition by trade groups like the Digital Advertising Alliance which argues that self-regulation is a better approach.
This article, NSA taps tracking cookies used by Google, others, to monitor surveillance targets, was originally published at Computerworld.com.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Mobile Security in Computerworld's Mobile Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Survey Report: Mobile Content Security and Productivity Read this report to learn how important mobile access is to users, how likely they are to by-pass authorized systems, how compliant current...
- Enterprise Mobility Management: A Data Security Checklist This document presents a checklist of features organizations should review when evaluating a data security solution as part of an enterprise mobility management...
- BYOD File Sharing - Go Private Cloud to Mitigate Data Risks Read this whitepaper to learn the security risks associated with not having an IT endorsed file sharing solution, and why your organization should...
- Mobile Device Management Buyers Guide Mobile device management (MDM) solutions allow IT organizations to centrally manage, monitor and support mobile devices. In this guide, you'll learn what you...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Mobile Security White Papers | Webcasts