NEW LEAK: Are Google Cookies used by the NSA To Pinpoint individual Targets ?

The National Security Agency (NSA) is stealthily using tools that permit Internet advertisers to track Onlineconsuming Users, getting hold of those "cookies" and location data, to ID targets for government hacking (e.g.) and to reinforce surveillance.

A slide from an internal NSA presentation indicating that the agency uses at least one Google cookie as a way to identify targets for exploitation. (Washington Post)

The NSA internal presentation slides, provided by former NSA contractor Edward Snowden, show that when companies follow consumers on the Web to better serve them advertising, the same Know-How opens the door for a similar bird-dogging by the government. The slides also suggest that the agency is using these same procedures to help identifing Hackers (and Terrorists....?).

Tracking-Microchips in Chocolatebars ? Will that someday be reality ?
For years, privacy defenders have raised concerns about this sort of commercial tracking, to ID and object consumers with advertisement publications. The online Advertising Businesses have said, its method are insipid and gains consumers by serving them ads, that are more likely custom-built.

This new Leak about the NSA using these same commercial technologies, could fuel this developing dispute, handing privacy advocates a new argument for repressing in commercial vigilance. According to the documents, the NSA and its British Doppelganger, GCHQ, are using these (same) "cookies", that advertising platforms place on CPUs to ID consumers browsing the WorlWideWeb.

The intelligence agencies have found distinct use for a part of the Google tracking mechanism known as the “PREF”-Cookie. These cookies typically don't contain personal information (or should not...), such as someone's name or e-mail address, but they do contain a numeric code that enables Web sites to individually identify & track a Users browsing-behaviour. Besides of tracking Internet visits, this cookie allows NSA to follow the User's communications among the endless Ocean of Internet information in order to send out software that can hack that person's computer, for the final act, gathering the data on any given PC. The cookie is the connecting part between you and the Web. The slides show, that the cookies are used to "enable remote exploitation," although the specific attack used by the NSA against individual targets are not addressed in these leaked documents.

Christmas & Cookies are coming soon...
The NSA's use of these cookies (see left Pic) is not a technique for filtering through endless amounts of data to find suspicious behavior. Comparatively, it lets the NSA concentrate on someone already under suspicion.

Separately, the NSA is also using commercially collected data to help locate mobile devices around the world, the documents point out. Many smartphone apps, running on Android & iPhones accessories, and the Apple and Google operating systems themselves, track the location of each device, mostly without a Warning to the mobile devices owner. This information is more specific than the large location-identification data the government is collecting from Cellphone networks (Towers), as reported by the Washington Post lately.

These slides do not demonstrate how the NSA obtains Google "PREF"-Cookies or whether the company cooperates in these programs, but other documents reviewed by the Washington Post indicate that the cookie data IS among the information the NSA can obtain with or through a so called Foreign Intelligence Surveillance Act Order. If the NSA gets the data that way, the involved companies seem to know and are legally enforced to assist.

(Of course) the NSA declined to comment on those specific tactics, but an NSA spokesman sent the Wahington Post a statement that says: "As we have said before, the NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign attacker and prevent them from bringing harm to innocent Americans."

Google declined as well to comment on the subject, but chief executive Larry Page joined the leaders of other technology companies earlier this week, in calling for an end to bulk collection of user data and for new limits on court-approved surveillance requests.

"The security of users' data is critical, which is why we've invested so much in encryption and fight for transparency around government requests for information," ...

...Page said in a statement on the coalition's Web site.

"This is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many foreign governments around the globe."

Larry Page 2009

The way how consumers are tracked online 

Internet companies store small filed cookies on a users CPU to uniquely identify them. Few consumers are aware of the full mesure to which advertisers, services and any given Web sites (including Intelligence Agencies) track their activities through the Web and/or mobile devices. This data collection mechanism is most unseeable to all, except the most refined users. Including, the available tools to withdraw or block them, have a limited effectiveness.

The NSA program, named Program Happyfoot (not to be mixed up with Operation Happyfeet), helps the NSA to map Internet addresses to physical locations more precisely, than it is possible with traditional Internet geolocation services. Many mobile applications and operating systems (OS) use location-based services to help users find for instance, Gasstations or Restaurants and Hotels nearby. Fact is, even when the GPS is disabled, most mobile devices still silently determine a users location in the background, using Wi-Fi networks or cellular towers signals.

Cellphone Towers are a
must in tracking down mobile devices
Apps, that do not need geolocation-data may still collect it anyway to share with 3rd party advertisers. Last week, the Federal Trade Commission announced a settlement for a seemingly innocuous flashlight app that allegedly leaked user location information to advertisers without consumers' knowledge.

Applications transmit their locations (to Google e.g.) and/or other Internet businesses, because Advertisements, tied to a explicit physical location can be more fruitful than generic ads, depending on the circumstances, where you are at a given Moment. But in the process, they appear to tip off the NSA to a mobile device's precise physical location. That makes it easier for the involved spy agency to engage in the sophisticated tracking techniques the Washington Post described in a story.

Those Leaks about the NSA practices unmask the difficulty facing online businesses, which have faced a repercussion against tracking for commercial purposes and their obfuscated role in the governments surveillance Operations.

"If data is used and it stops the next 9/11 our fellow citizens wouldn't have any problem with it no matter what it is," says Stuart P. Ingis, General Counsel at the Digital Advertising Association. But he says that it is a sensitive act to pursue the bad guys "while at the same time preserving civil liberties." Other defenders of online advertising companies have argued that its unfair to unify private companies with ad-tracking activities, with the NSA activities revealed through the Snowden leaks. Marvin Ammori, a lawyer who advises technology companies including Google itself on surveillance issues, wrote in a USA Today article, that "limiting bulk data collection by private companies - whether they advertise or not - would do little or nothing to limit the NSA."

One noting that the latest documents show that the unique identifiers that are being placed on users' computers are not only being used by analytic and advertising companies, but also being used by the NSA for targeting. He also says that there are things those companies could do to protect their users from the type of attacks described in the slides, like "not sending tracking IDs, or at least not sending them in the clear without some layer of encryption."

Similarly, he says, "Browser companies can help by giving users better control over the use of third-party tracking cookies and by making sure that their browsers are not sending unique Cookie-IDs as a side effect of their safe-browsing behavior."

Stanford's Mayer says the revelations suggest the need for limits on the data that companies collect about consumers. "There's increasingly a sense that giving consumers control over the information they share with companies is all the more important, because you're also giving them control over the information they share with government."

Lets just wait the next upcoming: Leak...

Keine Kommentare:

Kommentar veröffentlichen