December 11, 2013 | By Adi Kamdar and rainey Reitman and Seth Schoen

NSA Turns Cookies (And More) Into Surveillance Beacons

Yesterday, we learned that the NSA is using Google cookies—the same cookies used for advertisements and search preferences—to track users for surveillance purposes.

These Google cookies—known as “PREF” cookies—last two years and can uniquely identify you. Sniffing one off the Internet as it goes past allows the NSA to recognize your browser whenever you interact with Google from any location or network. Every person who visits a Google site will receive a PREF cookie, regardless of whether they log in or even have an account with Google. Using Google Search without logging in tags you for two years, and that unique tag is sent over the network every time you search even if it’s on a different network (or in a different country).

According to documents just published by the Washington Post, the NSA is using this to “enable remote exploitation” (hacking into people’s computers)—an act aided by the ability to uniquely identify individuals on the Internet.

Google didn’t mean for its cookies to be used this way, but their popularity and pervasive use of cookies has turned their services into an enabling factor. This revelation should serve as a wakeup call for web sites on the steps they could have taken to prevent this from happening. This cookie surveillance is only possible when browsers make insecure connections to web servers. As part of our calls for ubiquitous web encryption, EFF has advocated both for HTTPS by default and for the use of secure cookies—cookies that are only transmitted over secure connections. Google already knows how to use secure cookies; they use them for the authentication of your Gmail accounts. However, Google has chosen not to use secure cookies for certain types of online activities—such as when you change your search preferences, browse YouTube, or load ads on Google sites. Google could have chosen to use secure cookies for all of the cookies it deposits on peoples’ computers, to prevent these cookies from ever being sent over insecure connections.

The Guardian previously reported on the use of intercepted advertising cookies to recognize individuals—it appears in the “Tor Stinks” presentation it posted in October, which talks about recognizing people from their DoubleClick cookies. DoubleClick is also owned by Google, but the use of DoubleClick cookies had no apparent connection to the use of PREF cookies. This goes to show that spy agencies are keen to find any available way to recognize a particular user by their devices’ behavior on the Internet, and that cookies sent with unencrypted web requests are one of the easiest and most straightforward ways of picking out an individual device even as it moves from network to network.

As Ed Felten explains, “The easiest way to protect users against this threat is to refrain from tracking.” But if tracking is to happen, the “approach that does work is for the tracking entity to use https, the secure web protocol, for its communication with the user’s computer.” When HTTPS is turned on, eavesdroppers recording Internet traffic can’t see the contents of cookies sent inside the secure connection. EFF’s HTTPS Everywhere software may provide a degree of protection against the measures reported by the Post because it makes a user’s browser use HTTPS exclusively on certain sites where it would otherwise be optional. But we can’t protect connections where servers don’t make HTTPS an option.

Anonymous User Tracking? The Fragility of Anonymity

The Google PREF cookie is typical of the tracking cookies used by many different Internet sites. (The PREF cookie stands out partly because Google’s services are so popular and so omnipresent, not because there aren’t a number of other cookies that might be used to track people in the same ways.) A typical one looks like


The value after the “ID” is a random number that Google makes up on the spot the first time you visit a Google service in a particular browser. This number is chosen by Google and isn’t derived from anything distinctive about you. But your web browser will remember it for two years, unless you’ve changed your browser settings, and send it out over the Internet every time you interact with any Google web service.

The advertising industry and many website operators have often suggested that cookies like Google’s PREF are “anonymous” or “non-personally-identifiable” if they don’t contain a person’s name or e-mail address. Unfortunately, a persistent cookie can easily become associated with a person’s identity, whether that’s by the website that set the cookie, by a third-party website, or by a spy agency.

For example, suppose you at some point put something in a Google search that allows an eavesdropper to figure out who you are (or do anything else from that same computer that the eavesdropper manages to link to your identity). If the eavesdropper also sees your Google PREF cookie, that eavesdropper knows the real-life identity that’s associated with that cookie, and can remember this association for as long as the cookie lasts, and recognize you wherever else you go. The supposed “anonymity” of any individual tracking cookie is incredibly fragile; it can be lost forever at a moment’s notice.

Fighting Nonconsensual Tracking

These revelations make it ever clearer that we need to fight back against nonconsensual tracking of web users, by deploying and adopting technology that allows users to block online tracking. In the past we’ve been concerned about the profiles that web companies could build up about users without their knowledge or consent. Now we’ve seen that this tracking technology is also being hijacked for government surveillance of Internet users.

NSA Overhears Mobile Apps Reporting Their Location

The Post also reported on other kinds of information that are being scooped up by NSA and used to track and identify individuals. A program called HAPPYFOOT listens to mobile apps that send geolocation information about the current whereabouts of a user’s device back to an app developer or service provider. Tapping these communications lets NSA find a user’s physical location by sitting back and letting the user’s own mobile device inform on their whereabouts. Some of these apps are transmitting this information solely for advertising purposes in ways that users may not even understand or expect. (As the Post reminds us, parts of the mobile app industry have been keen to collect user data for no user benefit: as the newspaper reported last week, even a mobile flashlight app actively gathered data on people’s whereabouts.) Yet if it’s sent unencrypted, NSA can scoop it up to figure out where people are at any moment, even by passively listening to distant Internet links.

Even when location information is sent for a purpose that the user actively understands and wants (say, to enable a location-based service like Yelp or Foursquare), it can still be intercepted and used for location tracking if a particular mobile app fails to encrypt it. Mobile app developers can address this kind of surveillance by encrypting any communications that include a user’s location details.

All of this goes to show that spy agencies have a vast array of tools for tracking people around the Internet and the physical world. As we discuss in an accompanying post, it's important that technology developers confront these privacy problems head-on.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Agreements that change how the Internet works should be made transparently, with input from users.

Feb 22 @ 4:17pm

Virginia Supreme Court should protect drivers from license plate surveillance.

Feb 22 @ 3:55pm

Sen. Wyden stands up for travelers, quizzing the Dept of Homeland Security about border searches of digital devices.

Feb 22 @ 2:54pm
JavaScript license information