How Google Should Respond To Revelation That NSA Uses Its Cookies To Track And Exploit

from the moving-on-now dept

The latest Washington Post story from the Snowden leaks highlights how the NSA was able to effectively piggyback on Google's ad-tracking cookies to track someone's online activities and to "enable remote exploitation" (the details of that exploitation are not revealed, but there are a few ways that would be possible).
It's important to note, first off, that it does not appear that the NSA is doing this in any "bulk" sense. Rather, it appears to be accessing this and other data via more specific orders. That is, rather than going through everyone's surfing habits, it's using this particular "trick" when it's looking for someone (or something) specific, and likely getting a FISA court order to do so.

Still, this should raise very serious concerns -- and it should lead internet companies to rethink the way they use cookies. I know that some people want an extreme solution, in which cookies go away entirely, but that ignores the many benefits that cookies/tracking can provide. As we've said in the past, privacy is always about tradeoffs, and generally it should be about tradeoffs where individuals can assess if what they're giving up is worth what they get in return. The problem here is that the information on what they were giving up was not clear at all, and open to abuse -- meaning that things may have tilted pretty far in one direction.

There is value in cookies and being able to track certain user information, but the implementation has been done in a manner that makes it way too easy to let the NSA piggyback on the results.


Image courtesy of Parker Higgins.
There are solutions -- though they may not be easy. Prof. Ed Felten has a good discussion about how commercial websites can still track users without letting the NSA piggyback on their work: by extending HTTPS to more or less everything they do:
An approach that does work is for the tracking entity to use https, the secure web protocol, for its communication with the user’s computer. This ensures that the unique ID that is transmitted is protected by encryption in a way that doesn’t leak to an eavesdropper any information about which connections are to the same user. Implementing https on a larger site is not as easy as it should be, but it seems to be the price of surveillance-proof tracking.
For what it's worth, "not as easy as it should be" would be considered by some to be something of an understatement. It's not easy, period. But it's becoming increasingly clear that it's something that probably needs to be done. Eight giant internet companies earlier this week took a strong stand on reforming surveillance. To show that they're serious about this, moving to an all-HTTPS world would be a very clear step that they're not just saying things, but actually doing things to protect their users' privacy from an overreaching NSA.

Felten also notes another alternative, which would be storing everything on the client side:
Another approach to protecting users is to switch to a method that holds all of the stored information on the client side, that is, in the user’s browser. The idea is that rather than having the server accumulate a record of the user’s activities (or some kind of preference profile based on those activities), you would instead have the user’s browser store the same information for you. This approach is taken by some of the privacy-preserving behavioral advertising systems that have been proposed. If information is accumulated on the user’s own computer, there doesn’t need to be a unique identifier that is sent across the Internet every time the user accesses your site. Instead, you can send encrypted data only at the times you need it. This requires more aggressive re-engineering of an ad or analytics service, but it provides additional benefits to the user in terms of privacy and transparency.
As he notes, there are significant challenges there as well, and potential side effects in the way certain things would work, but it is also an approach worth exploring.

Either way, if companies are serious about protecting their users' privacy, looking into ways to protect cookie data and stop the NSA cookie monster would be a good start.


Reader Comments

  1. Ninja (profile), Dec 11th, 2013 @ 2:31am

    Wouldn't work for me as I delete cookies upon closing the browsers =/

    Anyway, merely encrypting the communications is not enough if you use lousy encryption or portions of your site are sent via unencrypted connections. Google for instance doesn't seem to use extended validation certificates that make some types of attack harder and it seems from what I read that they are using encryption that has been compromised by the NSA (or at least part of their encryption is done via such tools). Surely EVs are not the panacea but for now they can help you spot MITM attacks, no? Eventually the certification system will have to be replaced with something more reliable.

    Techdirt is running with some pretty good encryption settings (again I'm not an expert, I'm going for what I've read) but it allows insecure stuff.

    Please, those with more knowledge than me, correct me if I'm wrong, but is this line of thought right? I'm seeing people touting encryption as the way to go without thinking about these issues.

  2. Anonymous Coward, Dec 11th, 2013 @ 3:42am

    Regen the cookies

    Just submit a new different cookie (overwrite the previous one) with every new access. The real unique identifier can be encrypted within the cookie. This way, if the eavesdropper fails to see even a single request, he loses the track.

  3. Anonymous Coward, Dec 11th, 2013 @ 4:24am

    I suspect everything should be Client side.

    A Distributed Social Network where Family/Friends/Public facing pages only exist in your browser, linking to files in a safe folder on your computer, would stop Facebook/Google having everything on you. Plus you would hold anonymous public pages of other folk (for when their computers are turned off). If that worked, then you could start encrypted email between Family/Friends/Public, and then a Distributed Search. By donating a small amount of processing power and storage you could have distributed everything, which would be private and have the added benefit of killing off Facebook and Google.

  4. Anonymous Coward, Dec 11th, 2013 @ 4:48am

    In a world where a scammer doesn't even have to lie to dupe people anymore, I say that whatever companies do to protect others, it will not be enough.

    I am selling a picture of a bridge for $1 million dollars any takers?

  5. Anonymous Coward, Dec 11th, 2013 @ 4:53am

    Selling pictures on eBay for a living.

    Do spies really need all that?
    C'mon, they could just tell it straight up what they want and I bet that someone in some other country would hand it to them, why all the cloak and dagger?

    This is a brave new world where even scammers are being straight up honest about what they are doing and people still give them money; that they do it without having to lie, cheat or steal anything is unbelievable.

  6. Anonymous Coward, Dec 11th, 2013 @ 5:00am

    Re: I suspect everything should be Client side.

    So, something equivalent to Folding@Home, but for packet and cookie transfer?

  7. Anonymous Coward, Dec 11th, 2013 @ 5:07am

    Develop a "Least Untruthful Cookie" script that randomly right or left shifts cookie content. The only problem being they try to hide the buggers all over the place now.

  8. Andy, Dec 11th, 2013 @ 5:09am

    Incognito is future

    What happens now if Google makes incognito the default mode and makes the original browser a feature addon? Yes it's more pain but I guess that's the only way to keep away from all these snooping issues.

  9. beech, Dec 11th, 2013 @ 5:10am

    With the news of the NSA inserting its tendrils into all kinds of encryption systems, are we sure HTTPS is actually secure? (I'm serious, how certain are we HTTPS is secure and how do we know that?)

  10. Anonymous Coward, Dec 11th, 2013 @ 5:19am

    Re: Incognito is future

    No, incognito means it stores all relevant data in memory, not that it doesn't store anything at all.

    It also won't help, since what they are stealing from Google is basically a session cookie. After they get that they don't need your computer anymore; they can pass themselves off as you to Google servers or any of the services that you can access. It is one of the most powerful ways to get access to all accounts held by one person in Google, and even insert evilware in some places like the Google dropbox, Google Docs (it accepts scripts) or whatever; the minute you log in to any of those services your computer could get owned, not just your online Google accounts.

    https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Cookie_Theft/Session_Hijacking

    https://www.owasp.org/index.php/Session_hijacking_attack

    Most XSS attacks target session cookies; it is the best way to steal accounts around, and it works to this day everywhere. The hard part is bypassing some browser security about cross-domain JavaScript scope and finding the XSS, but once that is done, you can say goodbye to that account.

  11. Anonymous Coward, Dec 11th, 2013 @ 5:52am

    I like using virtual machines for anything internet.
    It's not 100% and can be compromised, but at least if I get infected or something, the VM will be recreated in a pristine state and I mostly don't have to care about what happens. It's like buying a new computer every time you access the internet.

    Sure, there are ways around it, but they are not easy; sure, it won't protect your online accounts, but still it will keep most of the unwanted out.

  12. out_of_the_blue, Dec 11th, 2013 @ 6:04am (this comment has been flagged by the community)

    No, problem is corporations trade OUR privacy for THEIR profits.

    As usual, Mike is trying to finesse and justify corporate greed in spite of the huge drawbacks becoming manifest.

    Cookies should be outlawed entirely. They're not necessary; like javascript, all can be done server side.

    When all you have is an economics degree, everything looks like a corporation.

    02:04:21[c-17-3]

  13. Anonymous Coward, Dec 11th, 2013 @ 6:11am

    Re: No, problem is corporations trade OUR privacy for THEIR profits.

    javascript:alert(document.cookie + "\nI Luv Cookies");

    blue, I have a picture of a secure DRM would you pay me $10K for it?

  14. Anonymous Coward, Dec 11th, 2013 @ 6:15am

    Re:

    Eventually the certification system will have to be replaced with something more reliable.

    Two problems in securing Internet communications are:
    1) Trustworthy identification of who you are talking to.
    2) Secure operating systems and software.
    Certificate authorities have proven to be less than fully trustworthy. Desktop operating systems, along with their applications, have become too complex to fully audit.
    This makes fully secure communication over the Internet very difficult. Unless you get keys in a fashion that ensures you know whose key it is, and use a system for which you have written all the software, assume that a government can read your communication if they decide to target you.
    That said, widespread use of GPG, and Linux or BSD systems, will probably allow private person-to-person communications to remain private unless directly targeted by a government. As for the rest of anybody's Internet activities, getting lost in the haystacks is the main protection against an overbearing government. The weakness that the NSA has is that the more data it gathers, the more people it needs to employ to follow up on any leads that they develop, and the more leaky it will become.

  15. Anonymous Coward, Dec 11th, 2013 @ 6:29am

    Re: No, problem is corporations trade OUR privacy for THEIR profits.

    Cookies should be outlawed entirely. They're not necessary;

    An IP address does not identify a person, or in most cases a single machine in a household. (Hint: a router makes all machines sharing a broadband connection come from the same IP address.) Also, sometimes several people have different accounts on the same machine. Without cookies they would all be the same person to a server. Therefore cookies are required in any circumstances where data has to be associated with a person, like a shopping list, Facebook logon etc.

  16. WakeUp, Dec 11th, 2013 @ 6:47am

    "HTTPS" is NOT a solution, because as we all should know by now, this depends on keys that the NSA can "legally" compel one to surrender - as is already the case with Google.

  17. Anonymous Coward, Dec 11th, 2013 @ 7:09am

    HTTPS is nothing but patchwork for a very insecure Internet to its core, and you need to convince every single website to use it anyway. If we want a secure Internet, we need encryption at the Transport and IP layers.

  18. Anonymous Coward, Dec 11th, 2013 @ 8:19am

    A few years back, 10 or 15, there was a great raging debate on the web about cookies. As usual, one side was for and one against. The for side won under the assertion that there was nothing negative about cookies and a lot for, as cookies allowed easier online identification.

    Now we know where continuous online identification leads. And, it is not pretty.

    Total state totalitarianism here we come.

  19. Anonymous Coward, Dec 11th, 2013 @ 8:39am

    It's what I told you.

    The metadata contains the cell info from which they get coarse location. The calls to Google location services and similar services they're mining for detailed location.

    Your visits to some sites give them the identity, and co-locational analysis gives them details of your friends, spouse, political meetings, donations, business, and all manner of stuff.

    That data is then handed over to the CIA for shaping, to be used to leverage politicians, turn them to CIA agendas, undermine democracies and all the other nasty stuff.

    What we need is a Snowden of the CIA next.

  20. blaktron (profile), Dec 11th, 2013 @ 10:08am

    Re:

    Exactly, all you need is a central authority handling key exchange and... wait... damnit.

  21. Anonymous Coward, Dec 11th, 2013 @ 10:56am

    Re: Re: No, problem is corporations trade OUR privacy for THEIR profits.

    It's even better than that. An IP address DOES NOT necessarily identify a house, either. Unless you are using static IPs, which most households don't, your ISP reassigns whichever IP address it has available from its block of addresses to you when you log on. I got blasted by Wikipedia when I logged on, one time, because I had been assigned an IP address that was previously assigned to a person who had posted hateful messages to them. They wouldn't let me in.

  22. Pathetic, Dec 11th, 2013 @ 4:46pm

    Why aren't cookies being encrypted already? If data is the new gold, and everyone online wants it, why share your data by using unencrypted data gathering techniques? Seems this is a huge oversight on the part of all data gathering companies in the first place.

    Please, be a little more greedy, guys: encrypt your cookies so no one else can read them. It makes your data more valuable.

  23. Anonymous, Dec 11th, 2013 @ 6:54pm

    Re:

    I block all cookies.

  24. John Fenderson (profile), Dec 11th, 2013 @ 8:02pm

    Re: Regen the cookies

    This was my first thought as well. It'd be a cheap, easy, and effective solution. Better to just completely encrypt the entire data stream, cookies included, though.

  25. Anonymous Coward, Dec 11th, 2013 @ 10:56pm

    Re: Re: Regen the cookies

    It's not that effective. The attacker can still use your own browser to do the decoding, so encryption won't help; neither will regeneration, since he can send the valid cookie first and take over that session, leaving the account owner forced to log in again, or even unable to log in, since the server will not be capable of discerning who is who. But even with a short window of opportunity, machines are way faster than any human; by the time you are finished typing any login, an automated script could have made thousands of requests.

    It does stop however born man in the middle attacks.

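A server-side sketch of the "regen the cookies" idea from comment #2, carried through to the replay caveat comment #25 raises, as an added example that is not code from Techdirt, Prof. Felten or any commenter. Every cookie value is a fresh randomized encryption of the real identifier plus a counter, so two cookies for one user are unlinkable on the wire; a genuine cookie presented with a stale counter is treated as replayed and the session is revoked. The key, the in-memory session store and the user names are constructed for the demo, and the HMAC-based stream cipher stands in for AES-GCM only so the example needs nothing outside the standard library.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demo key (assumption); a real deployment keeps it in a KMS and rotates it.
MASTER_KEY = os.urandom(32)
K_ENC = hmac.new(MASTER_KEY, b"cookie-enc", hashlib.sha256).digest()
K_MAC = hmac.new(MASTER_KEY, b"cookie-mac", hashlib.sha256).digest()
SESSIONS = {}  # server-side: user id -> counter carried by the one cookie currently accepted

def _keystream(nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stdlib stand-in for AES-GCM so the example runs anywhere.
    blocks = (hmac.new(K_ENC, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(user_id: str, counter: int) -> str:
    # Fresh random nonce each time: two cookies for the same user share no bytes,
    # so an eavesdropper watching the wire cannot link them to one another.
    nonce = os.urandom(16)
    plaintext = f"{user_id}:{counter}".encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(K_MAC, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()

def unseal(token: str) -> Optional[Tuple[str, int]]:
    # Verify the MAC before touching the ciphertext; None for anything forged or garbled.
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return None
    if len(raw) < 32:
        return None
    nonce, ciphertext, tag = raw[:16], raw[16:-16], raw[-16:]
    expected = hmac.new(K_MAC, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(nonce, len(ciphertext))))
    user_id, _, counter = plaintext.decode(errors="replace").rpartition(":")
    return (user_id, int(counter)) if counter.isdigit() else None

def login(user_id: str) -> str:
    SESSIONS[user_id] = 0
    return seal(user_id, 0)

def handle_request(cookie: str) -> Tuple[Optional[str], Optional[str]]:
    # Returns (user_id, replacement cookie). A genuine cookie with a stale counter has been
    # replayed (by an eavesdropper, or by the real user racing one); the server cannot tell
    # who is who, so it revokes the session and both parties must log in again.
    parsed = unseal(cookie)
    if parsed is None:
        return None, None
    user_id, counter = parsed
    if SESSIONS.get(user_id) != counter:
        SESSIONS.pop(user_id, None)
        return None, None
    SESSIONS[user_id] = counter + 1
    return user_id, seal(user_id, counter + 1)
```

The token would go out in a Set-Cookie header carrying the Secure and HttpOnly attributes, so it never travels over plaintext HTTP, the channel Felten's quote is about; rotation limits what a captured value is worth, but only the encrypted channel keeps it from being captured in the first place.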
  26. Chris in Utah (profile), Dec 12th, 2013 @ 2:26am

    For those wondering, startpage is what I use now because of all this. I suggest you check it out, the "difficulties" were solved I think only a week after Snowden ha.

  27. quawonk, Dec 12th, 2013 @ 4:36am

    This assumes Google actually cares about user privacy and is not just playing lip service. Look at their track record of logging absolutely everything and keeping it indefinitely, the recent youtube merger with Google+ encouraging real names, and requiring phone numbers. I don't trust them as far as I can throw them.

    And also the assumption that the NSA hasn't compromised https and the other encryptions already. Wasn't there a story about them compromising some encryption schemes a while back? Can we really trust any of the existing ones anymore?

  28. Anonymous Coward, Dec 13th, 2013 @ 10:39am

    Re: does Google care for user privacy

    This assumes Google actually cares about user privacy

    Trust me, Google values your privacy.

    In dollars.
