Government Google Privacy Security

NSA Uses Google Cookies To Pinpoint Targets For Hacking

Hugh Pickens DOT Com writes "For years, privacy advocates have raised concerns about the use of commercial tracking tools to identify and target consumers with advertisements. The online ad industry has said its practices are innocuous and benefit consumers by serving them ads that are more likely to be of interest to them. Now the Washington Post reports that the NSA secretly piggybacks on the tools that enable Internet advertisers to track consumers, using 'cookies' and location data to pinpoint targets for government hacking and to bolster surveillance. The agency uses a part of a Google-specific tracking mechanism known as the 'PREF' cookie to single out an individual's communications among the sea of Internet data in order to send out software that can hack that person's computer. 'On a macro level, "we need to track everyone everywhere for advertising" translates into "the government being able to track everyone everywhere,"' says Chris Hoofnagle. 'It's hard to avoid.' Documents reviewed by the Post indicate cookie information is among the data NSA can obtain with a Foreign Intelligence Surveillance Act order. Google declined to comment for the article, but chief executive Larry Page joined the leaders of other technology companies earlier this week in calling for an end to bulk collection of user data and for new limits on court-approved surveillance requests."
This discussion has been archived. No new comments can be posted.

  • by lister king of smeg ( 2481612 ) on Wednesday December 11, 2013 @06:36AM (#45658993)

    Big data monopolies like Google are the stuff of nightmare for privacy-minded individuals.

    But there's a silver lining to that particular cloud: as the most important player in the field, they're the most visible target for abuse of all kinds. Which means that you have a better chance of dodging the abuse if you simply don't put yourself in the center of the target, by not using any Google product.

    Kind of like when Windows had the lion's share of the OS market, and you could avoid most viruses by running another OS, not because the other OS was more secure, but because virus writers had a better return on investment writing viruses for Windows and left your fringe OS alone.

    Simply not using Google products won't protect you from this, as it is using scripts embedded in web pages. Google Analytics, Gstatic and Googleadservices, just to name a few, are present here on Slashdot, embedded and reporting back to Google and by extension the NSA.

    To block them you need to either completely block JavaScript, which will break many if not most modern web pages, or learn to use Ghostery, RequestPolicy, and/or NoScript, oh and HTTPS Everywhere. Then block everything by default and whitelist and temporarily allow as needed to make the pages viewable.

  • by bruce_the_loon ( 856617 ) on Wednesday December 11, 2013 @07:14AM (#45659091) Homepage

    If you plug the number into a unix timestamp to GMT converter, it returns Wed, 11 Dec 2013 10:52:19 GMT, so it looks like it is a time stamp, probably LastModified or something.

  • by pmontra ( 738736 ) on Wednesday December 11, 2013 @07:15AM (#45659095) Homepage

    I answer myself because I looked for it and found this paper (PDF) [cmu.edu] titled "An Analysis of Google Logs Retention Policies".

    LM is the timestamp of the last modification to the user's Google preferences. It can be used to track down the user because we update our preferences at different times. This also applies to non-logged-in users like me.

    Luckily it's easy to reset LM. Just go to google.com, click the menu, turn on or off Safe Search, click again and turn it back to its original value. LM is different.

    Obviously Google could store the old and new value and link them into a db ;-)

  • by nullchar ( 446050 ) on Wednesday December 11, 2013 @08:10AM (#45659251)

    You can easily run ghostery, request policy, refcontrol, noscript, https everywhere, cookie monster, and BetterPrivacy all at the same time.

    How does anyone browse without these? I set up all of those, except request policy and noscript, for every user I help. They're nearly all passive.

  • by advocate_one ( 662832 ) on Wednesday December 11, 2013 @08:57AM (#45659407)
    The problem HERE lies with the National Security Act, which allows them to get this data from Google without having to jump through the hoops of having to provide due cause and a proper warrant. National Security Letters should be outlawed...
  • by Anonymous Coward on Wednesday December 11, 2013 @02:53PM (#45662513)

    Why block cookies?

    Allowing third-party cookies, of course, is a bad idea. But blocking first-party cookies is stupid. Oh, no! Cookies can track you! This is terrible news! Unless, by "news", you mean something we haven't known about for nearly the last 20 years.

    News flash! (There goes that "news" word again, being all sarcastic.) Firefox lets you wipe your cookies after every browsing session, and it's a built-in feature that has been there for years. Just go to the options/preferences dialog, to the Privacy tab, and make sure "Clear history when Firefox closes" is checked. Next to that option, there is a "Settings..." button, which, when clicked, brings up another dialog to let you be more specific about what kinds of history are cleared when you close Firefox. The "Cookies" option does what it says on the tin.

    Now, close and reopen Firefox. Go to Google's homepage. You now have a PREF cookie. You can see it if you have the web developer toolbar add-on installed and use View Cookie Information from it. You will be able to see the unique value from the PREF cookie. Now close and reopen Firefox again. Go to Google's homepage again. View Cookie Information again. The PREF cookie's value has changed. You aren't (to Google or anyone else's knowledge) the same person you were 30 seconds before, at least not from this PREF cookie's point of view.

    Beware, though. While the PREF cookie isn't quite the monster TFA/TFS makes it out to be, there are other ways of tracking you. Try out Panopticlick [eff.org] and you'll see just how your exact browsing setup can be tracked. It's difficult to get a good read with Panopticlick, though. Very high numbers mean you're not unique and can't be easily tracked because you blend in with a large crowd. Very low numbers mean you're extremely unique and your browser is likely discarding that profile immediately after you end the session. Numbers in the middle (wherever that is) mean you probably are trackable.
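
An added example, not part of any comment above and not Google's code: it decodes the LM timestamp discussed in the thread and compares PREF values before and after the two resets the commenters describe (toggling a preference, clearing cookies on exit) to show which one leaves the identifier intact. The colon-separated `ID`/`TM`/`LM`/`S` layout and every sample value are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample values, not captured traffic. LM in AFTER_TOGGLE is chosen
# to decode to the date quoted in the thread.
BEFORE = "ID=0123456789abcdef:TM=1386700000:LM=1386700000:S=AAAAAAAAAAAAAAAA"
AFTER_TOGGLE = "ID=0123456789abcdef:TM=1386700000:LM=1386759139:S=BBBBBBBBBBBBBBBB"
AFTER_CLEAR = "ID=fedcba9876543210:TM=1386759200:LM=1386759200:S=CCCCCCCCCCCCCCCC"

TIMESTAMP_FIELDS = ("TM", "LM")  # assumed to hold Unix epoch seconds


def parse_pref(value):
    """Split an assumed 'K=V:K=V' PREF value into a dict; reject malformed parts."""
    fields = {}
    for part in value.split(":"):
        key, sep, val = part.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed PREF field: {part!r}")
        fields[key] = val
    return fields


def decode_times(fields):
    """Return the timestamp fields as timezone-aware UTC datetimes."""
    return {
        name: datetime.fromtimestamp(int(fields[name]), tz=timezone.utc)
        for name in TIMESTAMP_FIELDS
        if fields.get(name, "").isdigit()
    }


def compare(old, new):
    """Report which fields differ and whether the ID still links the two values."""
    a, b = parse_pref(old), parse_pref(new)
    changed = sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))
    return {"changed": changed, "linkable_by_id": "ID" in a and a["ID"] == b.get("ID")}


if __name__ == "__main__":
    print(decode_times(parse_pref(AFTER_TOGGLE))["LM"].isoformat())
    print("toggle preference:", compare(BEFORE, AFTER_TOGGLE))
    print("clear cookies:   ", compare(BEFORE, AFTER_CLEAR))
```

In the constructed data, toggling a preference changes LM but the two values still share an ID, while the cleared-cookie value shares nothing with the earlier one.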
