from Hacker News

NSA uses Google cookies to pinpoint targets for hacking

by mikecane on 12/11/13, 2:15 AM with 173 comments

  • by Smerity on 12/11/13, 3:26 AM

    There are two primary issues here: the prevalence of Google Analytics and the unencrypted nature of the majority of websites.

    Google Analytics is on a substantial proportion of the Internet: 65% of the top 10k sites, 63.9% of the top 100k, and 50.5% of the top million[1]. My own partial results from a research project I'm doing using Common Crawl estimate that approximately 39.7% of the 535 million pages processed so far have GA on them[2].

    That means that you're basically either on a site that has Google Analytics or you've likely just left one that did.

    If the page you're on has Google Analytics and isn't encrypted, the JavaScript request and response are in the clear. That JS request to GA also has your referrer in it, in the clear.

    The aim of my research project is to end with understanding what proportion of links either start or end in a page with Google Analytics. If it starts with Google Analytics, your present "location" is known. If the link ends with Google Analytics, but doesn't start with it, then when you reach that end page, the referrer sent to GA in the clear will state where you came from. All of this is then tied to your identity.

    If people are interested when I get the results of my research, ping me. I'll also write it up and submit it to HN as it would seem to be of interest.

    [1]: http://trends.builtwith.com/analytics/Google-Analytics

    [2]: http://www.youtube.com/watch?v=pkoIUmP5ma8 (GA specific results at 1:20)
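
Added example, not part of Smerity's comment or research code: a sketch of the link classification the comment describes, run over a constructed link graph. It assumes the GA beacon uses the embedding page's scheme and that the browser withholds the referrer on an HTTPS to HTTP navigation (the default behaviour); all URLs and category names are hypothetical.

```python
from collections import Counter

# Constructed sample data (not from the thread): page URL -> embeds GA?
PAGES = {
    "http://news.example/story": True,
    "http://blog.example/post": False,
    "https://shop.example/cart": True,
    "https://bank.example/login": False,
    "http://forum.example/thread": True,
}
# Constructed link graph: (source page, destination page).
LINKS = [
    ("http://news.example/story", "http://blog.example/post"),
    ("http://blog.example/post", "http://forum.example/thread"),
    ("https://bank.example/login", "http://forum.example/thread"),
    ("https://shop.example/cart", "https://bank.example/login"),
    ("http://blog.example/post", "https://shop.example/cart"),
]

def cleartext_ga(url, pages):
    """True when the page embeds GA and is served over plain HTTP."""
    return pages.get(url, False) and url.startswith("http://")

def classify_link(src, dst, pages):
    """Label what a passive observer learns from GA traffic on this link."""
    if cleartext_ga(src, pages):
        return "source_visible"      # GA beacon on the start page is in the clear
    if cleartext_ga(dst, pages):
        if src.startswith("https://"):
            # Assumption: referrer is withheld on HTTPS -> HTTP navigation,
            # so only the arrival at dst is visible, not where it came from.
            return "destination_only"
        return "referrer_leak"       # beacon on dst carries src as the referrer
    return "not_exposed"             # no cleartext GA beacon at either end

def exposure_summary(links, pages):
    """Return per-category counts and the fraction of links exposed."""
    counts = Counter(classify_link(s, d, pages) for s, d in links)
    exposed = len(links) - counts["not_exposed"]
    return counts, exposed / len(links)

if __name__ == "__main__":
    counts, ratio = exposure_summary(LINKS, PAGES)
    print(dict(counts), f"{ratio:.0%} of links exposed")
```
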

  • by suprgeek on 12/11/13, 3:56 AM

    A perfect reason to NOT let Google own all layers of the stack between you and the internet (or indeed the real world).

    Search - Check (goog.com)

    Mail - Check (Gmail)

    Browser - Check (Chrome)

    Devices - Check (Android/Chromebooks)

    Websites - Check (DoubleClick/AdMob, Unknown number of other companies)

    Google Analytics - Check

    Your DNA - Check (23andMe)

    Cars - Check (self-driving cars)

    I am probably missing large chunks of tracking even with this list.

    Where do you draw the line so that organizations like Google do not hand over (willingly or inadvertently) our life to NSA, GCHQ, ASIO, CSIS & whatever New Zealand's Intelligence spooks go by, on a platter?

    Heterogeneity - Make the buggers at least have to work a little bit to invade your privacy.

  • by gress on 12/11/13, 3:20 AM

    So all that paranoia about being tracked by Google... wasn't paranoid at all.

    Yes, I know Google likely didn't cooperate in this, but they built a giant tracking engine, so it's not surprising to see it repurposed.

  • by sehugg on 12/11/13, 3:05 AM

  • by gorhill on 12/11/13, 3:42 AM

    What a coincidence... I was just a few seconds ago, before taking a break to read HackerNews, investigating an issue with a Chromium blocker (https://github.com/gorhill/httpswitchboard/issues/79#), and was puzzled finding that the `pref` cookie of `.google.ca` changed every single time the tab of the page lost focus. Even went to Google privacy page to understand what this cookie did, with nothing in their statement that could explain this. Now this?
  • by cromwellian on 12/11/13, 3:28 AM

    Don't even need cookies if you have JS enabled (https://www.eff.org/deeplinks/2010/05/every-browser-unique-r...). Without JS and with HTTP headers alone, you might be able to reduce entropy by using Geo-IP.
  • by rl3 on 12/11/13, 8:33 AM

    To speculate: For connections that utilize NAT devices, NSA probably has analysis tools designed to attempt segregation of network traffic on a per-user basis.

    Browser string, viewed content, frequency and magnitude of access, user authentication cookies, and ad-tracking cookies all would be tremendously helpful for this purpose.

    Also, I'm betting they can easily tell when specific computers on a network are powered on or not based on fixed-interval network traffic from anything that polls regularly, such as anti-virus, news readers, mail clients and background updater services.

    All of the above could aid in painting a more complete per-user picture behind the NAT, without actually having to compromise the local network or individual computers in question.

  • by salient on 12/11/13, 8:12 AM

    Relevant:

    http://betanews.com/2013/12/09/tech-giants-surveillance-refo...

    As long as these companies build the best tracking engines the world has ever seen, that can identify anyone and everything they're doing, it's just a matter of time before governments get their hands on that data, legally or illegally. It's just too tempting to pass.

    If I were Google I'd start thinking long and hard about how to solve this problem, and try to make money by actually being on the user's side when it comes to privacy, not against them. Google will ultimately fail if their goals aren't aligned with those of the users anymore.

  • by drawkbox on 12/11/13, 7:40 AM

    So not only are businesses like cloud services, video games and messaging/devices affected by anti-business NSA trust breaches. But now we have the advertising industry that is going to be affected by the anti-privacy and anti-business practices of over the top spying on individuals. If any private company was doing this there would be legal issues.
  • by jimworm on 12/11/13, 8:10 AM

    Let's be charitable to the NSA for a minute, and imagine that they are following the plot of the God Emperor of Dune[1], where in seeing the danger posed to the Internet by the formation of cloud service giants, they became the fearsome yet benevolent tyrant, strategically planning an engineered leak, so that on their death the Internet would react by distributing its services among many providers in The Scattering, thus ensuring the safety and continued survival of the Internet.

    [1] https://en.wikipedia.org/wiki/God_Emperor_of_Dune

  • by chroem on 12/11/13, 3:11 AM

    Hah, the joke is on them: I browse with cookies disabled.

    Of course, I'm sure they have some other way to pwn me, but it's nice to know that I was doing something right.

  • by kissickas on 12/11/13, 9:01 AM

    I see a lot of you are using Ghostery, which I've never even downloaded because they get paid to whitelist and are run by ad executives. Is there a reason why I would want Ghostery in addition to NoScript, or is all of the (privacy-protecting) functionality redundant?

    This news makes me happy to see there's a point to me having Google Analytics blocked the last two years. I've noticed a new thing, Google Tag Manager, lately. Any point in whitelisting this? Anyone know what it does?

  • by bottled_poe on 12/11/13, 3:39 AM

    In my opinion, browsers should block all third-party website content by default. Yeah, I know, the interwebs will break if they actually did this. Well perhaps someone should come up with some kind of website quality rating which indicates that a site can be viewed without worrying about the prying eyes of Facebook, Google, Twitter, LinkedIn, etc.
  • by gress on 12/11/13, 3:53 AM

    Also, it's worth pointing out that the tracking isn't for search. It's for more profitable advertising.
  • by chanux on 12/11/13, 2:57 PM

    For anyone who would find this useful: Self destructing cookies add-on for Firefox https://addons.mozilla.org/en-US/firefox/addon/self-destruct...
  • by judk on 12/11/13, 5:43 AM

    Is there a way for mobile browsers to block analytics cookies JS, a la Ghostery and Adblock?
  • by usrnam on 12/11/13, 1:38 PM

    Last week I created an extension for Firefox:

    Disable Google tracking, log off user from Google search engine:

    * keep login into Gmail
    * also remove ads
    * remove Cookie,Sess~/localstorage

    First run, need refresh Google page to log off ~~

    -- Also remove Google anal-itics Cookie :)

    https://addons.mozilla.org/pl/firefox/addon/googleantyspam/?...

  • by elwell on 12/11/13, 9:37 PM

    The problem with this is that most of the general public will read it as "Google helped NSA intentionally ..."
  • by bosch on 12/11/13, 8:33 AM

    Can someone answer this question:

    From a business perspective why are Google and Facebook getting involved in this and calling for the government to not track users? Won't that just bring more attention to their two business models of... wait for it... tracking users and selling their information?

  • by goldvine on 12/11/13, 5:16 PM

    This is beyond ridiculous at this point. Wondering what else is still to come...
  • by tejaswiy on 12/12/13, 5:51 AM

    I mean, disgust aside, technically NSA is doing some seriously cool shit. I wonder what you could do if you had access to a de-identified data dump from the NSA.
  • by dangayle on 12/11/13, 7:58 PM

    As someone who works closely with several web marketing folks, this hits close to home. Each time they open a Snowden file, things get weirder and weirder.
  • by timbro on 12/11/13, 7:43 AM

    No website has to have Google track their users. If you do it, you choose to do it (you're disrespecting your users).

    You can get your open-source and locally running web analytics here: https://prism-break.org/

  • by timbro on 12/11/13, 7:40 AM

    > it lets NSA home in on someone already under suspicion

    Like OWS protesters, for example.