
NSA uses Google cookies to pinpoint targets for hacking - mikecane
http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/
======
Smerity
There are two primary issues here: the prevalence of Google Analytics and the
unencrypted nature of the majority of websites.

Google Analytics is on a substantial proportion of the Internet. 65% of the
top 10k sites, 63.9% of the top 100k, and 50.5% of the top million[1]. My own
partial results from a research project I'm doing using Common Crawl estimates
approximately 39.7% of the 535 million pages processed so far have GA on
them[2].

That means that you're basically either on a site that has Google Analytics or
you've likely just left one that did.

If the page you're on has Google Analytics and isn't encrypted, the Javascript
request and response is in the clear. That JS request to GA also has your
referrer in it, in the clear.

The aim of my research project is to end with understanding what proportion of
links either start or end in a page with Google Analytics. If it starts with
Google Analytics, your present "location" is known. If the link ends with
Google Analytics, but doesn't start with it, then when you reach that end
page, the referrer sent to GA in the clear will state where you came from. All
of this is then tied to your identity.

If people are interested when I get the results of my research, ping me. I'll
also write it up and submit it to HN as it would seem to be of interest.

[1]: [http://trends.builtwith.com/analytics/Google-Analytics](http://trends.builtwith.com/analytics/Google-Analytics)

[2]: [http://www.youtube.com/watch?v=pkoIUmP5ma8](http://www.youtube.com/watch?v=pkoIUmP5ma8) (GA specific results at 1:20)
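The link classification described in the comment above, as an added example that is not Smerity's research code. The pages, links, category names and the GA detection regex are constructed assumptions; the `end_only` case reflects the browser default of sending no referrer when navigating from HTTPS to HTTP.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: a page "has GA" if its HTML references a GA script host.
GA_SCRIPT = re.compile(r"google-analytics\.com/(?:ga|urchin|analytics)\.js", re.I)

# Constructed sample crawl: URL -> HTML body.
PAGES = {
    "http://news.example/a": '<script src="http://www.google-analytics.com/ga.js"></script>',
    "http://blog.example/post": "<p>no analytics here</p>",
    "https://shop.example/": '<script src="https://ssl.google-analytics.com/ga.js"></script>',
    "http://forum.example/t/1": '<script src="http://www.google-analytics.com/ga.js"></script>',
}

# Constructed links: (page the user is on, page the link leads to).
LINKS = [
    ("http://news.example/a", "http://blog.example/post"),
    ("http://blog.example/post", "http://forum.example/t/1"),
    ("https://shop.example/", "http://forum.example/t/1"),
    ("http://blog.example/post", "https://shop.example/"),
]


def exposed(url, pages):
    """True if the page's GA request crosses the network unencrypted."""
    is_http = urlsplit(url).scheme == "http"
    return is_http and bool(GA_SCRIPT.search(pages.get(url, "")))


def classify(src, dst, pages):
    """What a passive observer of cleartext GA requests learns from src -> dst."""
    if exposed(src, pages):
        return "start"              # current location known before the click
    if exposed(dst, pages):
        if urlsplit(src).scheme == "https":
            return "end_only"       # referrer withheld on HTTPS -> HTTP downgrade
        return "end_with_referrer"  # GA request on dst names src as referrer
    return "neither"


def summarize(links, pages):
    """Count links per exposure class."""
    return Counter(classify(s, d, pages) for s, d in links)


if __name__ == "__main__":
    counts = summarize(LINKS, PAGES)
    total = sum(counts.values())
    for label, n in sorted(counts.items()):
        print(f"{label:18} {n}/{total}")
```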

~~~
quesera
Please do post your research when it's cooked. It sounds like useful stuff.

Firefox, ABE, NoScript, Request Policy, Ghostery, HTTPS-everywhere, hygiene.

The irony of my militant approach toward privacy is that I probably make
myself more interesting to would-be eavesdroppers by my carefulness than I
would if they could see it all -- I'm just not that interesting.

On the plus side, the LCD of legitimate-threat hostiles is greatly increased.
I'm fairly boring even to neighbors and law enforcement and copyright holders
and scam artists and advertisers. I imagine I'm pretty stultifying to nation-
state actors. :)

Still, I'd like everyone else to join me so that I can get lost in the crowd.
The untracked, encrypted, well-rested crowd.

Come on in, the water's fine.

~~~
sdoering
Greetings. I nearly have the same policy, regarding surfing and my addons.

I would only advise against Ghostery, as they whitelist some trackers, if
being paid. With every update I had to reselect these trackers.

And Evidon (Ghostery's mothership) selling usage information really bugs me:
[http://venturebeat.com/2012/07/31/ghostery-a-web-tracking-bl...](http://venturebeat.com/2012/07/31/ghostery-a-web-tracking-blocker-that-actually-helps-the-ad-industry/)

I would recommend the FF-addon Disconnect:
[https://addons.mozilla.org/en-US/firefox/addon/disconnect/](https://addons.mozilla.org/en-US/firefox/addon/disconnect/)

Does anybody have an idea, how I could make my own sites secure in a
relatively cheap way? Just a personal site with not that much traffic, so
spending much money seems a bit off to me.

Ideas?

~~~
byoogle
This.

I work on Disconnect. I don't understand why any hacker would still put
Ghostery on their machine:

* Ghostery is run by former ad execs (7/9ths of their executive team): [http://www.evidon.com/our-team](http://www.evidon.com/our-team)

* They make their money (I've heard tens of millions of dollars per year) selling user data to ad co's and data brokers: [http://www.evidon.com/#block-views-from_our_partners-block](http://www.evidon.com/#block-views-from_our_partners-block)

~~~
dictum
Why is the Disconnect trackers list
([https://services.disconnect.me/disconnect.json](https://services.disconnect.me/disconnect.json),
referenced in
[https://github.com/disconnectme/disconnect/blob/master/firef...](https://github.com/disconnectme/disconnect/blob/master/firefox/content/services.js))
an encrypted blob?

That seems to go against the OS nature of the project.

~~~
byoogle
See the commit message at
[https://github.com/disconnectme/disconnect/commit/691897e21d...](https://github.com/disconnectme/disconnect/commit/691897e21d2a9ad7f11b036b20292ac7464209ce).

The unencrypted list is at
[https://github.com/disconnectme/disconnect/blob/b27abbf033c6...](https://github.com/disconnectme/disconnect/blob/b27abbf033c6f80f157fe9d98cb767c87065fbf4/firefox/content/disconnect.safariextension/opera/chrome/scripts/data.js).

And formatted as JSON at
[https://disconnect.me/services-plaintext.json](https://disconnect.me/services-plaintext.json).

The encrypted list is also trivial to decrypt with the SJCL code in
[https://github.com/disconnectme/disconnect/blob/master/firef...](https://github.com/disconnectme/disconnect/blob/master/firefox/content/services.js).

~~~
dictum
Thanks! I was setting up a proxy for devices that can't use Disconnect or
Adblock. I thought of adapting the Disconnect list to the proxy's block list,
but a cursory reading of the source only showed the URL of the encrypted list.
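One way to turn a tracker list into a proxy block list, as an added example that is not Disconnect's code. The JSON layout (`categories` → service → homepage → domain list) is an assumption about the plaintext list, and the sample data, function names and hosts-style output are constructed for illustration.

```python
import json

# Constructed sample in the assumed layout of the plaintext services list.
SAMPLE = json.loads("""
{"categories": {
  "Analytics": [
    {"ExampleStats": {"http://stats.example/": ["google-analytics.com"]}}
  ],
  "Advertising": [
    {"ExampleAds": {"http://ads.example/": ["ads.example", "CDN.ads.example."]}},
    {"OddEntry": {"http://odd.example/": ["odd.example"], "note": "not a list"}}
  ],
  "Content": [
    {"ExampleCDN": {"http://cdn.example/": ["cdn.example"]}}
  ]
}}
""")


def tracker_domains(services, categories=None):
    """Flatten the nested list into a set of domains, optionally per category."""
    domains = set()
    for category, entries in services.get("categories", {}).items():
        if categories is not None and category not in categories:
            continue
        for entry in entries:
            for by_homepage in entry.values():
                if not isinstance(by_homepage, dict):
                    continue
                for hosts in by_homepage.values():
                    if isinstance(hosts, list):  # skip non-domain metadata
                        domains.update(
                            h.lower().rstrip(".") for h in hosts if isinstance(h, str)
                        )
    return domains


def is_blocked(host, domains):
    """Match a request host against the list on DNS label boundaries."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def hosts_lines(domains):
    """Render the set as hosts-file style lines for a proxy or resolver."""
    return [f"0.0.0.0 {d}" for d in sorted(domains)]


if __name__ == "__main__":
    blocklist = tracker_domains(SAMPLE, {"Analytics", "Advertising"})
    print("\n".join(hosts_lines(blocklist)))
```

Selecting categories matters because blocking every listed domain, content hosts included, can break pages that the proxy's users expect to work.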

~~~
byoogle
Cool, ping me if you need help (byoogle everywhere).

------
suprgeek
A perfect reason to NOT let Google own all layers of the stack between you and
the internet (or indeed the real world).

Search - Check (goog.com)

Mail - Check (Gmail)

Browser - Check (chrome)

Devices - Check (Android/Chrome books)

Websites - Check (Double click/AdMob, Unknown number of other companies)

Google Analytics - Check

Your DNA - Check (23&Me)

Cars - Check (self-driving cars)

I am probably missing large chunks of tracking even with this list.

Where do you draw the line so that organizations like Google do not hand over
(willingly or inadvertently) our life to NSA, GCHQ, ASIO, CSIS & whatever New
Zealand's Intelligence spooks go by, on a platter?

Heterogeneity - Make the buggers at least have to work a little bit to invade
your privacy.

~~~
eli
Your larger point might be true, but has nothing to do with the current
revelation.

If every site switched from Google Analytics to, say, Mixpanel... nothing
would change. The NSA would just target the equivalent mixpanel cookie. So
long as there are popular third-party cookies, this will be a problem.

~~~
jdubs
It also seems like: does the risk of being eavesdropped upon outweigh the
benefit of having data to drive business needs?

------
gress
So all that paranoia about being tracked by Google... wasn't paranoid at all.

Yes, I know Google likely didn't cooperate in this, but they built a giant
tracking engine, so it's not surprising to see it repurposed.

~~~
psbp
"I know Google likely didn't cooperate in this"

I'm sure they have plausible deniability.

~~~
eli
It is indeed quite plausible.

------
sehugg
Interesting choice of cookie:

[http://blogs.wsj.com/digits/2012/02/28/the-google-cookie-tha...](http://blogs.wsj.com/digits/2012/02/28/the-google-cookie-that-seems-to-come-out-of-nowhere/)

[https://bugzilla.mozilla.org/show_bug.cgi?id=368255](https://bugzilla.mozilla.org/show_bug.cgi?id=368255)

~~~
PavlovsCat
Gotta love the arrogance of "This is intend behavior of the feature. WONTFIX
for me.", without the ability to explain why this cookie would be required for
the feature to function.

~~~
simfoo
Also "...I am not worried that google is misusing this data...". This clearly
isn't acceptable in a post-Snowden world.

------
gorhill
What a coincidence... I was just a few seconds ago, before taking a break to
read HackerNews, investigating an issue with a Chromium blocker
([https://github.com/gorhill/httpswitchboard/issues/79#](https://github.com/gorhill/httpswitchboard/issues/79#)),
and was puzzled finding that the `pref` cookie of `.google.ca` changed _every
single time_ the tab of the page lost focus. Even went to Google privacy page
to understand what this cookie did, with nothing in their statement that could
explain this. Now this?

~~~
gorhill
That part (value of `S`) changes every time the tab loses focus:
pref=[...]:S=J3ITrb9DNMWLQBzc

What kind of "preferences" change in that way each time the user browses away
from the page, and how does it help "user experience"?

~~~
samstave
So, are you saying that through this - NSA can see exactly which tab you are
viewing at which time?

~~~
gorhill
No. I prefer the scientific approach. At this point, I just reported what I
observed. Maybe somebody will come up with a sensible hypothesis as to why a
value changes so often. Google could just come forward and tell us the exact
meaning of each field in its cookie. That would be a start.

------
cromwellian
Don't even need cookies if you have JS enabled
([https://www.eff.org/deeplinks/2010/05/every-browser-unique-r...](https://www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-panopticlick)).
Without JS and with HTTP headers alone, you might be able to reduce entropy by
using Geo-IP.

------
rl3
To speculate: For connections that utilize NAT devices, NSA probably has
analysis tools designed to attempt segregation of network traffic on a per-
user basis.

Browser string, viewed content, frequency and magnitude of access, user
authentication cookies, and ad-tracking cookies all would be tremendously
helpful for this purpose.

Also, I'm betting they can easily tell when specific computers on a network
are powered on or not based on fixed-interval network traffic from anything
that polls regularly, such as anti-virus, news readers, mail clients and
background updater services.

All of the above could aid in painting a more complete per-user picture behind
the NAT, without actually having to compromise the local network or individual
computers in question.

------
salient
Relevant:

[http://betanews.com/2013/12/09/tech-giants-surveillance-refo...](http://betanews.com/2013/12/09/tech-giants-surveillance-reform-rally-is-disingenuous-and-self-serving/)

As long as these companies build the best tracking engines the world has ever
seen, that can identify anyone and everything they're doing, it's just a
matter of time before governments get their hands on that data, legally or
illegally. It's just too tempting to pass.

If I were Google I'd start thinking long and hard about how to solve this
problem, and try to make money by actually being on the user's side when it
comes to privacy, not _against_ them. Google will ultimately fail if their
goals aren't aligned with those of the users anymore.

------
drawkbox
So not only are businesses like cloud services, video games and
messaging/devices affected by anti-business NSA trust breaches. But now we
have the advertising industry that is going to be affected by the anti-privacy
and anti-business practices of over the top spying on individuals. If any
private company was doing this there would be legal issues.

------
jimworm
Let's be charitable to the NSA for a minute, and imagine that they are
following the plot of the God Emperor of Dune[1], where in seeing the danger
posed to the Internet by the formation of cloud service giants, they became
the fearsome yet benevolent tyrant, strategically planning an engineered leak,
so that on their death the Internet would react by distributing its services
among many providers in The Scattering, thus ensuring the safety and continued
survival of the Internet.

[1]
[https://en.wikipedia.org/wiki/God_Emperor_of_Dune](https://en.wikipedia.org/wiki/God_Emperor_of_Dune)

------
chroem
Hah, the joke is on them: I browse with cookies disabled.

Of course, I'm sure they have some other way to pwn me, but it's nice to know
that I was doing something right.

~~~
misiti3780
if you browse with cookies disabled, that means you cannot successfully browse
around sites logged in - correct? you basically do a ctrl+shift+N in chrome
every time you open a new window?

~~~
chroem
I have a select few sites whitelisted, but they're disabled by default.

Also, I'm on Iceweasel/ Firefox instead of Chrome. It's _probably_ nothing to
worry about, but you can never be too careful these days.

~~~
kzrdude
It's interesting but also annoying how my browsing is now diverged from the
web as others see it. I mean, with increased amounts of blocking addons, the
difference between an adblocked, ghostery'd, etc browsing experience to the
vanilla experience is growing bigger.

------
kissickas
I see a lot of you are using Ghostery, which I've never even downloaded
because they get paid to whitelist and are run by ad executives. Is there a
reason why I would want Ghostery in addition to Noscript, or is all of the
(privacy-protecting) functionality redundant?

This news makes me happy to see there's a point to me having Google Analytics
blocked the last two years. I've noticed a new thing, Google tag manager,
lately. Any point in whitelisting this? Anyone know what it does?

~~~
fixanoid
Heh, Ghostery is not paid to whitelist anyone, I would know since I run the
database for Ghostery.

As to your question: NoScript does a different thing -- it concentrates on
limiting known security issues by disabling Javascript. Tracking is
accomplished in a variety of ways, and only some of them are Javascript based.
Ghostery looks for all of these and lets users know who is tracking them on
any given web page.

~~~
koide
Why would you know how or why Ghostery is paid just because you run their
database?

Unless you are something more than Ghostery's DBA.

~~~
fixanoid
Indeed, I am Ghostery Lord & Master =) -- one of the people who run, develop,
and see to the success of it.

------
bottled_poe
In my opinion, browsers should block all third party website content by
default. Yeah, I know, the interwebs will break if they actually did this.
Well perhaps someone should come up with some kind of website quality rating
which indicates that a site can be viewed without worrying about the prying
eyes of FaceBook, Google, Twitter, LinkedIn, etc.

~~~
pktgen
Here's my ideal security policy:

- Cross-site requests not allowed without whitelisting. This means some setup
will be required at first (for example, for separate image domains used by
Amazon, Google, Yahoo, etc.), but after a bit it shouldn't be a problem. This
also serves as a "better adblock" in some ways, as it blocks ad networks
without relying on a database that needs to be updated.

- All cookies blocked by default; whitelist as necessary

- JavaScript disabled by default; whitelist-enable as necessary

- No Flash or Java, period. If I need Flash for something, I'll launch a VM.

Sadly, Safari doesn't support whitelisting for any of this. Chrome supports
whitelisting of cookies and JS by default, but the Chrome UX is worse than
Safari's IMO (for a few reasons, but that's another topic entirely).

RequestPolicy handles the first one quite well, but is unfortunately Firefox-
only.

~~~
quesera
Safari is effectively ungovernable, and Chrome is part of the problem.

Firefox is the answer. No other option makes any sense, if you're serious
about this stuff. I understand that some people like the UI or process model
of other browsers better, and that's where the evaluation of priorities comes
in.

The good news is that the days of Chrome's technical superiority are truly
over. Speed, memory consumption, rendering engine... Firefox is all there and
sometimes better.

Firefox is also the only browser with an ability to sanely handle tabs on the
side, which is the only sane place to put tabs on modern screens. If I had to
choose between sane tabs and sane privacy policies, I might have some soul-
searching to do. I understand that everyone has their own equivalent, but be
sure not to dismiss Firefox based on historical issues.

~~~
ars_technician
>but be sure not to dismiss Firefox based on historical issues.

It's incredible how much inertia there is with that. The majority of the
people I know that switched to chrome did it back when firefox was blatantly
slower and that's the image that's stuck in their head. It's incredibly hard
to remove and to get someone to try it long enough to change their mind again.

Firefox has a tough issue with marketing right now. They need to start a nice
"firefox is faster" campaign.

------
gress
Also, it's worth pointing out that the tracking isn't for search. It's for
more profitable advertising.

------
chanux
For anyone who would find this useful: Self destructing cookies add-on for
Firefox
[https://addons.mozilla.org/en-US/firefox/addon/self-destruct...](https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/)

~~~
reginaldjcooper
This is a polished and wonderful add-on.

------
judk
Is there a way for mobile browsers to block analytics cookies JS, a la
ghostery and adblock?

~~~
maxerickson
Adblock Plus is available for Firefox on Android.

------
usrnam
Last week I created an extension for Firefox:

Disable Google tracking, log off user FROM Google search engine:

* keep login into Gmail

* also remove ads

* remove Cookie,Sess~/localstorage

First run, need refresh Google page to log off

-- Also remove Google anal-itics Cookie :)

[https://addons.mozilla.org/pl/firefox/addon/googleantyspam/?...](https://addons.mozilla.org/pl/firefox/addon/googleantyspam/?src=userprofile)

------
elwell
The problem with this is that most of the general public will read it as
"Google helped NSA intentionally ..."

------
bosch
Can someone answer this question:

From a business perspective why are Google and Facebook getting involved in
this and calling for the government to not track users? Won't that just bring
more attention to their two business models of... wait for it... tracking
users and selling their information?

~~~
arbitrage
Because their customers are pissed off, and if they don't do something to
mollify them, they'll lose money.

Previously, when the customers didn't care, they did nothing to involve
themselves with this, and almost certainly aided the government.

It's purely business. Google and Facebook don't have morals, they have a
bottom line. You can understand their actions by following the money.

------
goldvine
This is beyond ridiculous at this point. Wondering what else is still to
come...

------
tejaswiy
I mean, disgust aside, technically NSA is doing some seriously cool shit. I
wonder what you could do if you had access to a de-identified data dump from
the NSA.

------
dangayle
As someone who works closely with several web marketing folks, this hits close
to home. Each time they open a Snowden file, things get weirder and weirder.

------
timbro
No website _has_ to have Google track their users. If you do it, you _choose_
to do it (you're disrespecting your users).

You can get your open-source and locally running web analytics here:
[https://prism-break.org/](https://prism-break.org/)

------
timbro
> it lets NSA home in on someone already under suspicion

Like OWS protesters, for example.

