By Ashkan Soltani, Andrea Peterson, and Barton Gellman December 10 at 8:50 pm A slide from an internal NSA presentation indicating that the agency uses at least one Google cookie as a way to identify targets for exploitation. (Washington Post) EXCERPTS: The National Security Agency is secretly piggybacking on the tools that enable Internet advertisers to track consumers, using "cookies" and location data to pinpoint targets for government hacking and to bolster surveillance. The agency's internal presentation slides, provided by former NSA contractor Edward Snowden, show that when companies follow consumers on the Internet to better serve them advertising, the technique opens the door for similar tracking by the government. The slides also suggest that the agency is using these tracking techniques to help identify targets for offensive hacking operations. For years, privacy advocates have raised concerns about the use of commercial tracking tools to identify and target consumers with advertisements. The online ad industry has said its practices are innocuous and benefit consumers by serving them ads that are more likely to be of interest to them. The revelation that the NSA is piggybacking on these commercial technologies could shift that debate, handing privacy advocates a new argument for reining in commercial surveillance. According to the documents, the NSA and its British counterpart, GCHQ, are using the small tracking files or "cookies" that advertising networks place on computers to identify people browsing the Internet. The intelligence agencies have found particular use for a part of a Google-specific tracking mechanism known as the “PREF” cookie. These cookies typically don't contain personal information, such as someone's name or e-mail address, but they do contain numeric codes that enable Web sites to uniquely identify a person's browser. ..... Separately, the NSA is also using commercially gathered information to help it locate mobile devices around the world, the documents show. Many smartphone apps running on iPhones and Android devices, and the Apple and Google operating systems themselves, track the location of each device, often without a clear warning to the phone's owner. ..... How consumers are tracked online Internet companies store small files called cookies on users' computers to uniquely identify them for ad-targeting and other purposes across many different Web sites. This advertising-driven business model pays for many of the services, like e-mail accounts, that consumers have come to expect to have for free. Yet few are aware of the full extent to which advertisers, services and Web sites track their activities across the Web and mobile devices. These data collection mechanisms are invisible to all but the most sophisticated users -- and the tools to opt-out or block them have limited effectiveness. ..... Google's PREF Cookie Google assigns a unique PREF cookie anytime someone's browser makes a connection to any of the company's Web properties or services. This can occur when consumers directly use Google services such as Search or Maps, or when they visit Web sites that contain embedded "widgets" for the company's social media platform Google Plus. That cookie contains a code that allows Google to uniquely track users to "personalize ads" and measure how they use other Google products. Given the widespread use of Google services and widgets, most Web users are likely to have a Google PREF cookie even if they've never visited a Google property directly. That PREF cookie is specifically mentioned in an internal NSA slide, which reference the NSA using GooglePREFID, their shorthand for the unique numeric identifier contained within Google's PREF cookie. ..... This snippet of an internal NSA presentation reveals the existence of a program that utilizes leaked location-based information from mobile apps and services. (Washington Post) Leaked location data Another slide indicates that the NSA is collecting location data transmitted by mobile apps to support ad-targeting efforts in bulk. The NSA program, code-named HAPPYFOOT, helps the NSA to map Internet addresses to physical locations more precisely than is possible with traditional Internet geolocation services. Many mobile apps and operating systems use location-based services to help users find restaurants or establishments nearby. In fact, even when GPS is disabled, most smart phones silently determine their location in the background using signals from Wi-Fi networks or cellular towers. And apps that do not need geo-location data may still collect it anyway to share with third-party advertisers. Just last week, the Federal Trade Commission announced a settlement for a seemingly innocuous flashlight app that allegedly leaked user location information to advertisers without consumers' knowledge. Apps transmit their locations to Google and other Internet companies because ads tied to a precise physical location can be more lucrative than generic ads. But in the process, they appear to tip off the NSA to a mobile device's precise physical location. That makes it easier for the spy agency to engage in the sophisticated tracking techniques the Post described in a story Dec. 4. ..... NSA uses Google cookies to pinpoint targets for hacking
