NSA taps tracking cookies used by Google, others, to monitor surveillance targets

Browser cookies used to serve targeted ads are a rich source of material for NSA, report says

The browser cookies that online companies use to track Internet customers for targeted advertising are also used by the National Security Agency to track surveillance targets and break into their systems.

The agency's use of browser cookies is restricted to tracking specific suspects rather than sifting through vast amounts of user data, the Washington Post reported Tuesday, citing internal documents obtained from former NSA contractor Edward Snowden.

Google's PREF (for preference) cookies, which the company uses to personalize webpages for Internet users based on their previous browsing habits and preferences, appears to be a particular favorite of the NSA, the Post noted.

PREF cookies don't store any user identifying information such as user name or email address. But they contain information on a user's general location, language preference, search engine settings, number of search results to display per page and other data that lets advertisers uniquely identify an individual's browser.

The Google cookie, and those used by other online companies, can be used by the NSA to track a target user's browsing habits and to enable remote exploitation of their computers, the Post said.

Documents made available by Snowden do not describe the specific exploits used by the NSA to break into a surveillance target's computers. Neither do they say how the NSA gains access to the tracking cookies, the Post reported.

It is theorized that one way the NSA could get access to the tracking cookies is to simply ask the companies for them under the authority granted to the agency by the Foreign Intelligence Surveillance Act (FISA).

Separately, the documents leaked by Snowden show that the NSA is also tapping into cell-phone location data gathered and transmitted by makers of mobile applications and operating systems. Google and other Internet companies use the geo-location data transmitted by mobile apps and operating systems to deliver location-aware advertisements and services to mobile users.

However, the NSA is using the same data to track surveillance targets with more precision than was possible with data gathered directly from wireless carriers, the Post noted. The mobile app data, gathered by the NSA under a program codenamed "Happyfoot," allows the agency to tie Internet addresses to physical locations more precisely than was possible with cell-phone location data.

An NSA division called Tailored Access Operations uses the data gathered from tracking cookies and mobile applications to launch offensive hacking operations against specific target computers, the Post said.

An NSA spokeswoman Wednesday did not comment on the specific details in the Post story but reiterated the agency's commitment to fulfill its mission of protecting the country against those seeking to do it harm.

"As we've said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans and allies," the spokeswoman said.

The Post's latest revelations are likely to shine a much-needed spotlight on the extensive tracking and monitoring activities carried out by major Internet companies in order to deliver targeted advertisements to users.

Privacy rights groups have protested such tracking for several years and have sought legislation that would give users more visibility and control over the data that is collected on them by online companies.

But efforts to implement an effective, industrywide Do Not Track system remain elusive as a result of opposition by trade groups like the Digital Advertising Alliance which argues that self-regulation is a better approach.

This article, NSA taps tracking cookies used by Google, others, to monitor surveillance targets, was originally published at Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Copyright © 2013 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon