NSA Tracks People Using Google Cookies

The Washington Post has a detailed article on how the NSA uses cookie data to track individuals. The EFF also has a good post on this.

I have been writing and saying that surveillance is the business model of the Internet, and that government surveillance largely piggybacks on corporate capabilities. This is an example of that. The NSA doesn't need the cooperation of any Internet company to use their cookies for surveillance purposes, but they do need their capabilities. And because the Internet is largely unencrypted, they can use those capabilities for their own purposes.

Reforming the NSA is not just about government surveillance. It has to address the public-private surveillance partnership. Even as a group of large Internet companies have come together to demand government surveillance reform, they are ignoring their own surveillance activities. But you can't reform one without the other. The Free Software Foundation has written about this as well.

Little has been written about how QUANTUM interacts with cookie surveillance. QUANTUM is the NSA's program for real-time responses to passive Internet monitoring. It's what allows them to do packet injection attacks. The NSA's Tor Stinks presentation talks about a subprogram called QUANTUMCOOKIE: "forces clients to divulge stored cookies." My guess is that the NSA uses frame injection to surreptitiously force anonymous users to visit common sites like Google and Facebook and reveal their identifying cookies. Combined with the rest of their cookie surveillance activities, this can de-anonymize Tor users if they use Tor from the same browser they use for other Internet activities.

Posted on December 12, 2013 at 6:21 AM • 33 Comments

Comments

Sven • December 12, 2013 8:23 AM

My apologies I don't have an English version ready...

at a university somewhere on this globe
protest is alive
but the majority of mankind
is fine with it

that on the internet privacy
has died
a natural death
nobody cares about it

the IT people have spoiled it forever
big data, data retention and capitalism
do the rest
it is nothing but sorrow

companies engaged in information gathering
say grab what you can grab
a level-headed farmer from the polder says
nothing but trouble comes of that

and the rare individual on whom it dawns
realizes it is a hopeless task
on this worldwide mass collection and analysis
no one will ever set limits

Spaceman Spiff • December 12, 2013 8:29 AM

Any comments about using a virtual machine w/ browser for Tor activities? Does that provide another level of isolation from identification?

Gweihir • December 12, 2013 8:39 AM

The Tor docu is pretty clear that anonymity does not come cheap and what you should never do.
- Don't browse the clearnet with the same browser as Tor.
- Don't log in or give away your identity in any way with the browser that you use for Tor.
- Don't use any applications that may leak your identity over Tor.

There are other things. Even just using the same browser can identify you by a browser fingerprint (fonts, plug-ins, etc.)

On some things, Tor does a trade-off. For example, the Tor browser bundle comes with JavaScript turned on. As we have seen recently, that can be a severe threat to your anonymity. On the other hand, many sites do not work without JavaScript.

Hence these limitations are neither new nor surprising. If you want to stay anonymous, you cannot do a lot of things that you ordinarily can do and you need to make sure you understand what you are doing.

Brian M. • December 12, 2013 9:37 AM

I browse with self-destructing cookies and NoScript. When a site must have JavaScript, I enable just enough for the site to work, and I only enable it temporarily. No problem.

Brian M. • December 12, 2013 10:00 AM

@Sven:

at a university somewhere on this earth lives protest but the majority of the human find the best

that on the internet privacy
a natural death
died
nobody gives a shit

ICT specialists have spoiled forever
big data, data retention and Capitalism
do the rest
it is all sadness

companies involved in information gathering
say take what you can grab
a sober farmer from the polder says
there is only a fuss of

and a few which it penetrates
realizes it is impossible
these global mass collection and analysis
allows one never clamped

And now time for a little reality.
The "free" services we use are a front, a gimmick. They are there to entice us to use those services, so we, as a product, can be sold as a packaged item to somebody. Producer companies want us to buy their stuff. So if I look at a jacket maker's website, if I don't destroy all the cookies, I get jacket ads all over my other browsed web sites. Same thing with car companies.

Otherwise, we all have to pay our share of dimes to get the content we want, and stop using Google, et al, entirely, and use something else.

Another facet is that there aren't that many people who understand technology. I'll use my landlord as an example. When he recently bought a new laptop, I set it up for him. And he called me, saying that he couldn't get on the Internet. I looked at it, and the browser worked just fine, connectivity all over the place, etc. But for him it wasn't working, because Yahoo! wasn't the home page. He equated the Internet to Yahoo!. I have to walk him through deleting his browser cookies when he goes shopping for airline tickets.

So that's life as we know it.

jackson • December 12, 2013 10:07 AM

Cookies are not the only way to de-anonymize users, they can also use machine signatures. You wrote about that previously.

Winter • December 12, 2013 12:14 PM

@Jackson
"Cookies are not the only way to de-anonymize users, they can also use machine signatures. You wrote about that previously."

The Tor browser bundle tries to present a single, uniform browser and machine fingerprint. I do not know how successful they are in preventing browser fingerprinting.

Skeptical • December 12, 2013 12:49 PM

Wasn't this method already reported by Laura Poitras and others in a German publication?

This paragraph caught my eye:

"The NSA's use of cookies isn't a technique for sifting through vast amounts of information to find suspicious behavior; rather, it lets NSA home in on someone already under suspicion - akin to when soldiers shine laser pointers on a target to identify it for laser-guided bombs."

Noteworthy is the incredibly tendentious analogy from using cookies to identify computers for surveillance to lighting a target for air strike. It's melodramatic and silly.

But it's also noteworthy that the article isn't reporting on a bulk collection effort, but rather a technique used to enable more targeted surveillance. That's not necessarily a bad thing.

Finally, the apparent justification for the newsworthiness of the story (I have no idea what it was for the WoW story - I'm not sure they even tried to state one) is:

"The online ad industry has said its practices are innocuous and benefit consumers by serving them ads that are more likely to be of interest to them. ...The revelation that the NSA is piggybacking on these commercial technologies could shift that debate, handing privacy advocates a new argument for reining in commercial surveillance."

That the government can use commercial technology to track and identify isn't new news, nor is it a new argument for privacy advocates. In fact it's an old argument (and not necessarily a bad argument either).

The self-interested reason for publishing articles like this is of course attention and page-views (and maybe even new or retained subscriptions). One of the political reasons for articles like this is to keep the NSA story alive, even when it has become essentially background noise to the public. Another political reason, perhaps more important, is to solidify the narrative of an omnipresent, intrusive NSA in the minds of the public (most of whom will never read the details of stories like this - it will be something they vaguely heard about, or saw referenced in a joke). For libertarians who think the most important issue of our time is excessive government power, and who think that the US is among the worst offenders, these articles are great. For any non-profit even vaguely connected to online privacy or civil liberties, these articles are great.

Meanwhile, though, actual commercial theft and actual political oppression continue daily from nations like China and Russia. Remarkably, the cyber activities of these nations seem to have dropped from the headlines. And so, as those real abuses continue and even expand, and despite the fact that Snowden, in his years of "research," apparently could not unearth a single instance of actual commercial theft or actual political misuse of the NSA's activities, we're all treated to stories about the NSA's speculations about online gaming as a communication line, or their use of a specific commercial cookie to focus their surveillance.

I'm not sure if Snowden was driven by the volume of Manning's leak to compile something similarly large. Perhaps it was simply obsessiveness; perhaps he wanted to postpone the decision to actually release it. But whatever the case, he collected too much and released too much (this charge sounds so familiar to me...). This stream of "an insider view of the NSA's surveillance techniques!" stories now frequently fails to add significant new information to public discussion. Instead it enriches a few persons, and a few organizations, and distracts the public from more important online security threats.

He would have done far better by this issue, and the public, to collect less items of more targeted importance. People like Glenn Greenwald often confuse getting attention with political progress, and they're really not. Release a few stories targeted on the actual practice you think goes too far - the telephone metadata program, or an internet bulk collection program. Those are susceptible to actual policy solutions that can be credibly backed. Release many stories, more than a few of which are trivial, incorrect, or, worst of all, merely report on what sounds to most people like legitimate activities by a signals intelligence agency, and you've merely diluted the impact of those initial stories. The telephone metadata story becomes that NSA story buried in a landfill teeming with other NSA stories - it becomes part of the background noise that this stream of stories has created.

Sinoun • December 12, 2013 1:08 PM

re: All the helpful technical suggestions:

Methods of fixing this continuing mess are going to have to work for the average consumer. Last week, a friend of mine purchased a new notebook system and asked me to help set it up. (I work in the industry, have the academic creds, blah, blah, blah.) After an exhausting all-day session, I remember wondering how typical users ever manage to get anything done with even a small measure of security.

Anura • December 12, 2013 1:44 PM

Unfortunately, fixing this means two things: 1) Rethinking HTTP and web applications and 2) convincing businesses to adopt it.

The whole idea of the cookie was to add state to a stateless protocol. I'll be the last to advocate making HTTP stateful, so we need to think of what our requirements are, and what users typically want. They want to be able to visit websites, they want to be able to log into those websites, and they want to be able to stay logged into those websites.

Improperly implemented cookies have been a cause of security issues in the past (UserID=123 - hooray! You're logged in! What happens if I set this to 1? $10 bucks says it's an admin account.), so maybe the solution is to build a new authentication protocol into HTTP. Instead of the popup window that exists today, allow it to be submitted via special form inputs, and let the application handle the authentication rather than the server itself. Now your authentication token is separate from cookies. Now we can make permanent log-in an option that the browser needs to enforce, and we can reject all third party cookies and make first-party cookies session-only by default.

The question is this: Let's say that login and cookies were now two separate things, would you as a business implement it, knowing that the more widespread it is, the more likely browsers are going to be to restrict cookies to being session-only? You sure aren't going to spend money changing your existing website to do so.

Herein lies the problem with fixing the web to be more private: we need to rely on the markets to drive it, but most websites are funded by advertisements or specifically by selling information to advertisers. The market will not fix it for us, so any solution will have to involve getting an entity more powerful than the markets to drive it, e.g. privacy groups allied with government, but government is not an organization that is there to help the public, they are there to help the ruling class, and the ruling class wants what's best for their businesses. If anything, new standards and protocols are going to provide less privacy, not more privacy.
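
The cookie flaw described in the comment above (a bare UserID=123 that the server trusts), next to a cookie that carries a MAC and an expiry, as an added example that is not part of the original comment. The user table, cookie names, cookie layout and key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed user table for the example.
USERS = {1: "admin", 123: "alice"}

# Server-side secret (assumption: generated per process here; a real service
# would load it from a secret store so cookies survive restarts).
SERVER_KEY = secrets.token_bytes(32)


def parse_cookie_header(header):
    """Split a Cookie request header into a name -> value dict."""
    pairs = (item.split("=", 1) for item in header.split(";") if "=" in item)
    return {name.strip(): value.strip() for name, value in pairs}


def _is_number(text):
    """True only for non-empty strings of ASCII digits."""
    return text.isascii() and text.isdigit()


def naive_login(cookie_header):
    """Flawed pattern from the comment: the client-supplied UserID is trusted."""
    value = parse_cookie_header(cookie_header).get("UserID", "")
    return USERS.get(int(value)) if _is_number(value) else None


def _mac(payload):
    """HMAC-SHA256 of the payload under the server key, hex encoded."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(user_id, now, ttl=3600):
    """Return 'Session=<uid>.<expiry>.<mac>'; the MAC covers uid and expiry."""
    payload = f"{user_id}.{now + ttl}"
    return f"Session={payload}.{_mac(payload)}"


def verified_login(cookie_header, now):
    """Accept the user id only if the MAC verifies and the cookie is unexpired."""
    value = parse_cookie_header(cookie_header).get("Session", "")
    payload, _, tag = value.rpartition(".")
    uid, _, expiry = payload.partition(".")
    if not (_is_number(uid) and _is_number(expiry)):
        return None
    # Constant-time comparison; compare bytes so odd input cannot raise.
    if not hmac.compare_digest(tag.encode(), _mac(payload).encode()):
        return None
    if now >= int(expiry):
        return None
    return USERS.get(int(uid))
```

The MAC stops a client from editing the identifier. It does nothing about a cookie that is observed or replayed in transit, which is the subject of the post itself.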

CallMeLateForSupper • December 12, 2013 2:30 PM

@ Sinoun
"... I remember wondering how typical users ever manage to get anything done with even a small measure of security."

I think security is not a pressing issue to the average user of comm. technology (desktop; laptop; tablet; phablet; cell phone). Personally I'm all over it, but none of my four siblings is... nor wants to be, despite on-going nudges from me. All but one of my friends and acquaintances don't know enough about even common browser vulnerabilities or Snowden revelations to form an educated appraisal of how they are affected. They won't spend the time to become educated.

One of those clueless friends no longer allows me even a casual quip about the latest surveillance shag-nasty or zero-day exploit; he shuts me right down. This guy runs XP and won't upgrade; he won't boot my *nix CD to have a free look at that alternative on his hardware. And he does all his financials online. I would expect him to care about the attack surface he presents, but clearly he does not.

Abe was right: you can lead a horse to water but you can't make it drink.

Nicholas Weaver • December 12, 2013 2:32 PM

Some more on how frame injection can work, and what can be done with it:

https://medium.com/p/bb8816e88d86

The basic idea is the packet injector (QUANTUM) causes the victim to load a script which causes the victim's browser to load a bunch of hidden iframes, each to a site where the request has cookies, and the response's HTML includes the logged in user information.

Any site where the logged in user appears in the clear will do. Thus, although google.com doesn't (it's SSL-only), youtube works: it shows the user in the clear. The wiretap, by seeing both the cookie and the response, can now assert that "This cookie value means this user".

Thus the universe of exploitable sites is very large: Slashdot, Linkedin, Youtube, Amazon, and tons of others all have username/userID in the HTTP traffic.

Also, if they already know a mapping of cookie to user, as long as the cookie itself is sent in the clear (such as the Google PREF cookie), they can use that as well.

Once they have the mapping of Cookie to User, then it's just whatever they want to do with it: monitor users as they go along the net or, more likely, use the now known cookie mapping to "tip" the victim over to a FOXACID server which will "shoot" them with an appropriate exploit.

So what they could do is use this to identify a bunch of users by name, and then shoot just the desired victims with an exploit.

As a bonus, the same technique can be used by any foreign intelligence service to target, by name, anybody who is visiting the foreign country. Or, if they wanted to install a little hardware, anyone visiting a DC area Starbucks.

Bryan • December 12, 2013 2:39 PM

"Meanwhile, though, actual commercial theft and actual political oppression continue daily from nations like China and Russia. Remarkably, the cyber activities of these nations seem to have dropped from the headlines. And so, as those real abuses continue and even expand, and despite the fact that Snowden, in his years of 'research,' apparently could not unearth a single instance of actual commercial theft or actual political misuse of the NSA's activities, we're all treated to stories about the NSA's speculations about online gaming as a communication line, or their use of a specific commercial cookie to focus their surveillance."
If the hardware/OS/application is secure against the NSA, etc., then it will likely be secure against the script kitties and professional malware organizations.

anonyLurking • December 12, 2013 2:58 PM

Here is a good one for changing your machine signature.
I think everyone should mod their browser sig to show as the Tor browser bundle. If everyone did this, it would really choke the pipes.
http://guiconfig.freedig.org/

Change your location to your local library
https://github.com/rldhont/geolocater

to help keep security handshaking from going down

https://calomel.org/firefox_ssl_validation.html


clear the visited website sql database in firefox
You also need the one to clean the download database,
haven't found that yet

https://code.google.com/p/placescleaner/

Bryan • December 12, 2013 2:59 PM

PS: The user is a different story. We all should know how fallible and prone to exploit they are.

3.14 • December 12, 2013 4:09 PM

The capabilities for further eh "integration with the end users" that are present in HTML5 will likely make NSA drool.

Nicholas weaver • December 12, 2013 4:19 PM

One other thing to remember: advertising cookies are somewhat less useful to the NSA than user-identifying cookies.

Without user identification/matching, cookies are good to track how users/systems move through the network. But if you don't know who the users ARE, it's not that useful.

But you can not only use identifying pages (like LinkedIn etc) to bind cookie to user identity, you can also passively chain cookies for other sites.

E.g. if you see a request for site X, with cookies Cx identifying user U, and then see a request for site Y, with cookies Cy and a referrer from X, you can now bind Cy as belonging to U as well.

Thus, e.g. the NSA could see a user log into LinkedIn (identifying the user name) and his LinkedIn cookies. Then since the LinkedIn page loads a DoubleClick ad, the NSA now also is able to associate the DoubleClick tracking cookie (the DART cookie) to the user.

So even if, in the future, the user never logs into LinkedIn again, the NSA can use the DoubleClick cookie to identify that particular user and find all his surfing habits, launch targeted attacks, etc, anytime in the future.
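
A small model of the binding described in this comment and in the earlier frame-injection comment, written as an exposure check on a request log: which cleartext requests could a passive observer attribute to a named user, and what changes when every request is HTTPS. This is an added example, not part of the original comments; the hosts, addresses, cookie values, user name and record fields are constructed.

```python
from urllib.parse import urlsplit

# Constructed records of a browser's requests, in time order. The last two
# come from a different network address than the first two.
REQUESTS = [
    {"client": "198.51.100.7", "url": "http://social.example/home",
     "cookie": "sid=aaa111", "referer": None, "user_in_response": "alice"},
    {"client": "198.51.100.7", "url": "http://ads.example/banner.js",
     "cookie": "track=zzz999", "referer": "http://social.example/home",
     "user_in_response": None},
    {"client": "203.0.113.50", "url": "http://news.example/story",
     "cookie": None, "referer": None, "user_in_response": None},
    {"client": "203.0.113.50", "url": "http://ads.example/banner.js",
     "cookie": "track=zzz999", "referer": "http://news.example/story",
     "user_in_response": None},
]


def linkable_requests(requests):
    """Return, per request, the identity a passive on-path observer could attach.

    Only cleartext (http://) requests are readable. A cookie is bound to a user
    when the response names the user, or when the request's Referer points at a
    page the same client loaded under an identity that is already bound.
    """
    cookie_owner = {}   # (host, cookie) -> user
    page_owner = {}     # (client, page URL) -> user
    result = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme != "http":
            result.append(None)          # encrypted: nothing to read
            continue
        key = (parts.hostname, req["cookie"]) if req["cookie"] else None
        user = req["user_in_response"]
        if user is None and key is not None:
            user = cookie_owner.get(key)             # cookie seen before
        if user is None and req["referer"]:
            user = page_owner.get((req["client"], req["referer"]))  # chained
        if user is not None:
            if key is not None:
                cookie_owner[key] = user
            page_owner[(req["client"], req["url"])] = user
        result.append(user)
    return result


def with_https(requests):
    """Same requests with every URL and Referer upgraded to https://."""
    def upgrade(url):
        return url.replace("http://", "https://", 1) if url else url
    return [dict(r, url=upgrade(r["url"]), referer=upgrade(r["referer"]))
            for r in requests]
```

On the constructed log, the fourth request carries no login cookie and comes from a new address, yet it is still attributed through the tracking cookie bound earlier; the HTTPS variant yields no attribution at all.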

Mike Amling • December 12, 2013 5:36 PM

@Skeptical
"He would have done far better by this issue, and the public, to collect less items of more targeted importance."

But he was trained at NSA.

Bryan • December 12, 2013 6:10 PM

"One other thing to remember: advertising cookies are somewhat less useful to the NSA than user-identifying cookies.
Without user identification/matching, cookies are good to track how users/systems move through the network. But if you don't know who the users ARE, it's not that useful"
I guess you missed the message on figuring out who people are from metadata comparisons. Here is something simple. You web surf with your computer in New York City. Take a flight to Minneapolis, MN and web surf there two days later. There are maybe at maximum of 2000 people that computer could belong to. Web surf back home again in NYC a few days later. You are now in the subset that traveled back and forth in those time frames. Use it again at a coffee shop. I hope you paid cash, because if you paid with a credit card or bank card there is a transaction with your name on it and your computer was used at that rough time at the coffee shop. Yes, metadata matters. They know who you are. Have a nice day!!!

Dirk Praet • December 12, 2013 7:57 PM

@ Skeptical

"Meanwhile, though, actual commercial theft and actual political oppression continue daily from nations like China and Russia. Remarkably, the cyber activities of these nations seem to have dropped from the headlines."

Although there is no doubt in my mind that nations like China, Russia, Israel and quite some others with the capabilities of doing so indeed engage in such activities, the actual proof of Chinese APT's and IP theft primarily comes from one organisation, i.e. Mandiant. Their evidence is mostly based on IP blocks originating in China and from a technical point of view is hardly the smoking gun some people make of it. For years now, politicians like Mike Rogers have been accusing Huawei and others of backdooring their equipment, to the point that Huawei has recently decided to exit the US market. Never have they come up with any substantial proof whatsoever. Actually, to me it makes perfect sense that journalists report much more on stuff they can corroborate with first-hand evidence than writing articles on theories for which the proof is either ultra-thin or non-existent.

Just to be clear: I don't approve of IP theft, but I object to narrowing down the issue to that single element just because allegedly the US does not do it. And for what it's worth: absence of proof does not equal proof of absence. IMHO, the political consequences of the massive world-wide NSA surveillance dragnet Edward Snowden has revealed are much more important. As are the articles on the technical methods the NSA is using. They give everybody in the security industry a better idea of the methods spooks, gangsters and other adversaries are using to compromise the availability, integrity and confidentiality of our infrastructure, communications and data. And how we can defend against them.

As for political oppression, the US is in no place whatsoever to lecture anyone about democracy and human rights. For decades, Washington has been and still is supporting murderous regimes all over the planet as long as it suits its political or economic interests. With regards to its disposition towards domestic protests, I refer to what we've seen with OWS or in a more distant past the civil rights movement.

W • December 13, 2013 3:10 AM

Here's a google.com PREF cookie for everyone to use, using for example the Firefox CookieManager add-on:
ID=3f1fc844cb79a145:FF=0:TM=1386925581:LM=1386925581:S=YqXq_ZK4wkEZ1-Lj

Tyco Bass • December 13, 2013 10:06 AM

Re plethora of Snowden info: much of it is being unfolded locally around the world, country by country. And: quantity is part of the story.

BJP • December 13, 2013 10:39 AM

@BrianM

You get that too, huh? Love the story about the landlord claiming the Internet wasn't working because Yahoo wasn't his home page. I've had similar as well.

"I need you to get my Hotmail out of the Internet" was the most befuddling request I received when helping a neighbor (a retired teacher) with her machine.

After a few hours it eventually boiled down to:

1) She had an icon for Hotmail
2) She had an icon for Internet Explorer
3) Hotmail was her homepage in IE
4) Therefore her Hotmail is in the Internet
5) Therefore broken

This was the same user that had a 1 year trial of some antivirus that came with their machine and was absolutely aghast to the point she swore she was going to contact her Senator because it popped something up on every boot saying her trial has expired and "how can they just take that away?" If I were to remove the useless expired application "but what will that change?" "It won't bitch at you every time you turn it on" "Why is it bitching?" "Your free trial is expired and they want money" "But they can't DO that! I hate seeing this warning!" "I can make it go away" "But what will that change?"

Head. Desk.

Aaargh • December 13, 2013 2:04 PM

@BJP

Then there's the clueless IT professionals.

A user had problems with their password (forgot it), and the password had to be reset. The IT guy helping him out did the following:

1) Reset Windows password to new, simple password (a word you can easily remember, e.g. your name).
2) Reset GoogleDocs/GMail password to the same password as the Windows password.
3) Suggest that user should use same password for every single online service.

Reasoning given: "This is safer than multiple complicated passwords because the user cannot be locked out of the system by typing in the wrong password."

At this point I took a break to avoid some serious headdesking. Unfortunately when I came back 10 minutes later the guy was explaining the same thing to another user. Sigh.

The guy never suggested to pick a complicated password/phrase, and write it down on a piece of paper...

VinnyG • December 13, 2013 2:20 PM

Like some other posters, I allow scripts only by exception. I use NoScript, RequestPolicy, and BetterPrivacy, all in pretty much full lock down mode. Httpseverywhere is also enabled. I nuke my browser cookies several times per browsing session (Mozilla Data Manager is my buddy). Does this make browsing somewhat inconvenient typically, and very inconvenient on occasion? Certainly, but privacy is the probable price of convenience, so pick your poison. Frankly, I'm astonished that anyone else who understands how these mechanisms work and has privacy in mind would fail to take similar precautions. My concern is that there could be shadow copies of cookies stored locally in undocumented locations. There are some apparent anomalies that I observed regarding cookie and permissions behavior in Mozilla. More than likely this is attributable to run-of-the-mill bugs, but, post-Snowden, my tin-hatted alter ego wonders if any bugs that negatively impact privacy _are_ run-of-the-mill...

@W - is that John Clapper's PREF cookie? That would be sweet.

Paul Fillman • December 15, 2013 8:29 PM

On the positive side to the NSA spying capabilities, at least they get an idea of just how much the American People disapprove, and/or want the NSA, CIA, et al, to get drastically more oversight, if not then replacement with another that is held to constitutional standards of privacy, aka search and seizure rules. If so, that means that internet users must be even more vocal about their outrage.

Barney • December 16, 2013 5:21 AM

I've been hoping for a long time to see people start getting internet services like email and social networking from smaller companies, with perhaps just a few hundred thousand users per company or less. It would make it much harder to run a centralized surveillance operation than the current system where most of us are using services with billions of users. Unfortunately I'm not seeing thousands of local application services providers giving much competition to the likes of gmail and facebook.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..