How Google Should Respond To Revelation That NSA Uses Its Cookies To Track And Exploit

from the moving-on-now dept

The latest Washington Post story from the Snowden leaks highlights how the NSA was able to effectively piggyback on Google's ad-tracking cookies to track someone's online activities and to "enable remote exploitation" (the details of that exploitation are not revealed, but there are a few ways that would be possible).
It's important to note, first off, that it does not appear that the NSA is doing this in any "bulk" sense. Rather, it appears to be accessing this and other data via more specific orders. That is, rather than going through everyone's surfing habits, it's using this particular "trick" when it's looking for someone (or something) specific, and likely getting a FISA court order to do so.

Still, this should raise very serious concerns -- and it should lead internet companies to rethink the way they use cookies. I know that some people want an extreme solution, in which cookies go away entirely, but that ignores the many benefits that cookies/tracking can provide. As we've said in the past, privacy is always about tradeoffs, and generally it should be about tradeoffs where individuals can assess if what they're giving up is worth what they get in return. The problem here is that the information on what they were giving up was not clear at all, and open to abuse -- meaning that things may have tilted pretty far in one direction.

There is value in cookies and being able to track certain user information, but the implementation has been done in a manner that makes it way too easy to let the NSA piggyback on the results.


Image courtesy of Parker Higgins.
There are solutions -- though they may not be easy. Prof. Ed Felten has a good discussion about how commercial websites can still track users without letting the NSA piggyback on their work: by extending HTTPS to more or less everything they do:
An approach that does work is for the tracking entity to use https, the secure web protocol, for its communication with the user’s computer. This ensures that the unique ID that is transmitted is protected by encryption in a way that doesn’t leak to an eavesdropper any information about which connections are to the same user. Implementing https on a larger site is not as easy as it should be, but it seems to be the price of surveillance-proof tracking.
For what it's worth, "not as easy as it should be" would be considered by some to be something of an understatement. It's not easy, period. But it's becoming increasingly clear that it's something that probably needs to be done. Eight giant internet companies earlier this week took a strong stand on reforming surveillance. To show that they're serious about this, moving to an all-HTTPS world would be a very clear step that they're not just saying things, but actually doing things to protect their users' privacy from an overreaching NSA.
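To make Felten's point concrete, here is an added example (not code from Techdirt or from Felten's post) that models what a passive network observer learns from a browser's requests when a tracking cookie travels over plaintext HTTP versus HTTPS, and then checks Set-Cookie headers for the attribute that stops a browser from ever sending a cookie in the clear. The traffic, hostnames, cookie name and ID values are constructed for the example; the Secure and HttpOnly cookie attributes are real, standard attributes.

```python
from collections import defaultdict

# Constructed sample traffic: requests one user's browser makes to an ad server
# embedded on several sites, as an observer on the wire would capture them.
# Tuples are (scheme, host, path, Cookie header). Hosts and cookie values are
# made up; "PREF" stands in for a long-lived, unique tracking cookie.
CONSTRUCTED_TRAFFIC = [
    ("http",  "ads.tracker.test", "/pixel?site=news.test",   "PREF=ID=7a3f9c"),
    ("http",  "ads.tracker.test", "/pixel?site=health.test", "PREF=ID=7a3f9c"),
    ("http",  "ads.tracker.test", "/pixel?site=news.test",   "PREF=ID=e11b02"),  # a different browser
    ("https", "ads.tracker.test", "/pixel?site=forum.test",  "PREF=ID=7a3f9c"),
]


def parse_cookie_header(value):
    """Parse a request Cookie header ('a=1; b=2') into a dict.
    Splits on the first '=' only, so values containing '=' survive intact."""
    jar = {}
    for pair in value.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, val = pair.partition("=")
        jar[name.strip()] = val.strip()
    return jar


def eavesdropper_view(traffic):
    """Model a passive observer. Plaintext HTTP exposes the path and every
    header, including Cookie; for HTTPS only the destination host is visible
    (from the IP address or the TLS SNI field), not the path or headers."""
    view = []
    for scheme, host, path, cookie in traffic:
        if scheme == "http":
            view.append({"host": host, "path": path, "cookie": cookie})
        else:
            view.append({"host": host, "path": None, "cookie": None})
    return view


def link_by_cookie(view, cookie_name):
    """Group observed requests by the value of one cookie. Each group is the set
    of page visits the observer can attribute to a single browser, which is
    exactly the linkage the article describes."""
    groups = defaultdict(list)
    for rec in view:
        if rec["cookie"] is None:
            continue  # encrypted connection: nothing to link on
        jar = parse_cookie_header(rec["cookie"])
        if cookie_name in jar:
            groups[jar[cookie_name]].append(rec["host"] + rec["path"])
    return dict(groups)


def audit_set_cookie(header_value):
    """Check a Set-Cookie header value for the attributes that keep the cookie
    off the wire in the clear. Returns (cookie_name, list_of_findings).
    An empty findings list means both attributes are present."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send this cookie over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    return name, findings


if __name__ == "__main__":
    # What the wire observer can reconstruct from the mixed traffic above.
    for ident, visits in link_by_cookie(eavesdropper_view(CONSTRUCTED_TRAFFIC), "PREF").items():
        print(ident, "->", visits)
    # The same browser with every request moved to HTTPS: nothing to link.
    all_https = [("https",) + t[1:] for t in CONSTRUCTED_TRAFFIC]
    print("all-HTTPS linkage:", link_by_cookie(eavesdropper_view(all_https), "PREF"))
    # Weak and hardened Set-Cookie headers (constructed values).
    print(audit_set_cookie("PREF=ID=7a3f9c; Expires=Fri, 12 Dec 2014 00:00:00 GMT; Path=/"))
    print(audit_set_cookie("PREF=ID=7a3f9c; Path=/; Secure; HttpOnly"))
```

Running it shows the two plaintext requests carrying `ID=7a3f9c` grouped together (news and health visits attributed to one browser) while the HTTPS request to the forum site contributes nothing; moving all requests to HTTPS leaves the observer with an empty linkage table. The audit half is the server-side check that goes with the move: a tracking cookie set without the Secure attribute will still be sent by browsers on any plaintext request to that host, so extending HTTPS to a site is only half the job if the cookies themselves do not carry it.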

Felten also notes another alternative, which would be storing everything on the client side:
Another approach to protecting users is to switch to a method that holds all of the stored information on the client side, that is, in the user’s browser. The idea is that rather than having the server accumulate a record of the user’s activities (or some kind of preference profile based on those activities), you would instead have the user’s browser store the same information for you. This approach is taken by some of the privacy-preserving behavioral advertising systems that have been proposed. If information is accumulated on the user’s own computer, there doesn’t need to be a unique identifier that is sent across the Internet every time the user accesses your site. Instead, you can send encrypted data only at the times you need it. This requires more aggressive re-engineering of an ad or analytics service, but it provides additional benefits to the user in terms of privacy and transparency.
As he notes, there are significant challenges there as well, and potential side effects in the way certain things would work, but it is also an approach worth exploring.

Either way, if companies are serious about protecting their users' privacy, looking into ways to protect cookie data and stop the NSA cookie monster would be a good start.

Filed Under: ad tracking, cookies, encryption, https, nsa, privacy, surveillance
Companies: google


Reader Comments



  1. Ninja (profile), 11 Dec 2013 @ 2:31am

    Wouldn't work for me as I delete cookies upon closing the browsers =/

    Anyway, merely encrypting the communications is not enough if you use lousy encryption or portions of your site are sent via unencrypted connections. Google, for instance, doesn't seem to use extended validation certificates that make some types of attack harder, and it seems from what I read that they are using encryption that has been compromised by the NSA (or at least part of their encryption is done via such tools). Surely EVs are not the panacea, but for now they can help you spot MITM attacks, no? Eventually the certification system will have to be replaced with something more reliable.

    Techdirt is running with some pretty good encryption settings (again I'm not an expert, I'm going for what I've read) but it allows insecure stuff.

    Please, those with more knowledge than me, correct me if I'm wrong, but is this line of thought right? I'm seeing people touting encryption as the way to go without thinking about these issues.
