NSA uses Google cookies to pinpoint targets for hacking

337 points by mikecane, over 11 years ago

24 comments

Smerity, over 11 years ago
There are two primary issues here: the prevalence of Google Analytics and the unencrypted nature of the majority of websites.

Google Analytics is on a substantial proportion of the Internet. 65% of the top 10k sites, 63.9% of the top 100k, and 50.5% of the top million[1]. My own partial results from a research project I'm doing using Common Crawl estimate that approximately 39.7% of the 535 million pages processed so far have GA on them[2].

That means that you're basically either on a site that has Google Analytics or you've likely just left one that did.

If the page you're on has Google Analytics and isn't encrypted, the JavaScript request and response are in the clear. That JS request to GA also has your referrer in it, in the clear.

The aim of my research project is to end with understanding what proportion of links either start or end in a page with Google Analytics. If it starts with Google Analytics, your present "location" is known. If the link ends with Google Analytics, but doesn't start with it, then when you reach that end page, the referrer sent to GA in the clear will state where you came from. All of this is then tied to your identity.

If people are interested when I get the results of my research, ping me. I'll also write it up and submit it to HN as it would seem to be of interest.

[1]: http://trends.builtwith.com/analytics/Google-Analytics

[2]: http://www.youtube.com/watch?v=pkoIUmP5ma8 (GA specific results at 1:20)
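
A sketch of the link classification Smerity describes, as an added example that is not part of the comment or of the research project's code: over a small constructed crawl it counts how many links have a plain-HTTP Google Analytics page at either end. The hosts, sample HTML and function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Matches the script URL in Google Analytics tags (ga.js, urchin.js, analytics.js).
GA_TAG = re.compile(r"google-analytics\.com/(?:ga|urchin|analytics)\.js", re.I)

def exposed(url, pages):
    """True if the page is plain HTTP and embeds a GA tag.
    Assumption: HTTPS pages load the tag over HTTPS, hiding that request."""
    return urlparse(url).scheme == "http" and bool(GA_TAG.search(pages[url]))

def classify_link(src, dst, pages):
    if exposed(src, pages):
        return "source"  # the page being read is visible before the click
    if exposed(dst, pages):
        # Browsers omit the Referer header on HTTPS -> HTTP navigation, so the
        # origin page is only revealed when it was served over HTTP as well.
        return "referrer" if urlparse(src).scheme == "http" else "destination"
    return "unobserved"

def coverage(links, pages):
    """Count links per class and return (counts, fraction with an exposed end)."""
    counts = {"source": 0, "referrer": 0, "destination": 0, "unobserved": 0}
    for src, dst in links:
        counts[classify_link(src, dst, pages)] += 1
    seen = len(links) - counts["unobserved"]
    return counts, (seen / len(links) if links else 0.0)

# Constructed sample crawl (hypothetical hosts; not data from the comment).
GA = ("<script>ga.src = ('https:' == document.location.protocol ? 'https://ssl'"
      " : 'http://www') + '.google-analytics.com/ga.js';</script>")
PAGES = {
    "http://news.example/a": GA,
    "http://blog.example/b": "<p>no analytics</p>",
    "http://shop.example/c": GA,
    "https://bank.example/d": GA,
    "http://forum.example/e": "<p>no analytics</p>",
}
LINKS = [
    ("http://news.example/a", "http://blog.example/b"),
    ("http://blog.example/b", "http://shop.example/c"),
    ("http://blog.example/b", "http://forum.example/e"),
    ("http://forum.example/e", "https://bank.example/d"),
    ("http://shop.example/c", "http://news.example/a"),
    ("https://bank.example/d", "http://news.example/a"),
]

if __name__ == "__main__":
    print(coverage(LINKS, PAGES))
```
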
suprgeek, over 11 years ago
A perfect reason to NOT let Google own all layers of the stack between you and the internet (or indeed the real world).

Search - Check (goog.com)

Mail - Check (Gmail)

Browser - Check (chrome)

Devices - Check (Android/Chrome books)

Websites - Check (Double click/AdMob, Unknown number of other companies)

Google Analytics - Check

Your DNA - Check (23&Me)

Cars - Check (self-driving cars)

I am probably missing large chunks of tracking even with this list.

Where do you draw the line so that organizations like Google do not hand over (willingly or inadvertently) our life to NSA, GCHQ, ASIO, CSIS & whatever New Zealand's Intelligence spooks go by, on a platter?

Heterogeneity - Make the buggers at least have to work a little bit to invade your privacy.
gress, over 11 years ago
So all that paranoia about being tracked by Google... wasn't paranoid at all.

Yes, I know Google likely didn't cooperate in this, but they built a giant tracking engine, so it's not surprising to see it repurposed.
sehugg, over 11 years ago
Interesting choice of cookie:

http://blogs.wsj.com/digits/2012/02/28/the-google-cookie-that-seems-to-come-out-of-nowhere/

https://bugzilla.mozilla.org/show_bug.cgi?id=368255
gorhill, over 11 years ago
What a coincidence... I was just a few seconds ago, before taking a break to read HackerNews, investigating an issue with a Chromium blocker (https://github.com/gorhill/httpswitchboard/issues/79#), and was puzzled finding that the `pref` cookie of `.google.ca` changed *every single time* the tab of the page lost focus. Even went to Google privacy page to understand what this cookie did, with nothing in their statement that could explain this. Now this?
cromwellian, over 11 years ago
Don't even need cookies if you have JS enabled (https://www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-panopticlick). Without JS and with HTTP headers alone, you might be able to reduce entropy by using Geo-IP.

rl3, over 11 years ago
To speculate: For connections that utilize NAT devices, NSA probably has analysis tools designed to attempt segregation of network traffic on a per-user basis.

Browser string, viewed content, frequency and magnitude of access, user authentication cookies, and ad-tracking cookies all would be tremendously helpful for this purpose.

Also, I'm betting they can easily tell when specific computers on a network are powered on or not based on fixed-interval network traffic from anything that polls regularly, such as anti-virus, news readers, mail clients and background updater services.

All of the above could aid in painting a more complete per-user picture behind the NAT, without actually having to compromise the local network or individual computers in question.

salient, over 11 years ago
Relevant:

http://betanews.com/2013/12/09/tech-giants-surveillance-reform-rally-is-disingenuous-and-self-serving/

As long as these companies build the best tracking engines the world has ever seen, that can identify anyone and everything they're doing, it's just a matter of time before governments get their hands on that data, legally or illegally. It's just too tempting to pass.

If I were Google I'd start thinking long and hard about how to solve this problem, and try to make money by actually being on the user's side when it comes to privacy, not *against* them. Google will ultimately fail if their goals aren't aligned with those of the users anymore.

drawkbox, over 11 years ago
So not only are businesses like cloud services, video games and messaging/devices affected by anti-business NSA trust breaches. But now we have the advertising industry that is going to be affected by the anti-privacy and anti-business practices of over the top spying on individuals. If any private company was doing this there would be legal issues.

jimworm, over 11 years ago
Let's be charitable to the NSA for a minute, and imagine that they are following the plot of the God Emperor of Dune[1], where in seeing the danger posed to the Internet by the formation of cloud service giants, they became the fearsome yet benevolent tyrant, strategically planning an engineered leak, so that on their death the Internet would react by distributing its services among many providers in The Scattering, thus ensuring the safety and continued survival of the Internet.

[1] https://en.wikipedia.org/wiki/God_Emperor_of_Dune

chroem, over 11 years ago
Hah, the joke is on them: I browse with cookies disabled.

Of course, I'm sure they have some other way to pwn me, but it's nice to know that I was doing something right.
kissickas, over 11 years ago
I see a lot of you are using Ghostery, which I've never even downloaded because they get paid to whitelist and are run by ad executives. Is there a reason why I would want Ghostery in addition to Noscript, or is all of the (privacy-protecting) functionality redundant?

This news makes me happy to see there's a point to me having Google Analytics blocked the last two years. I've noticed a new thing, Google tag manager, lately. Any point in whitelisting this? Anyone know what it does?
bottled_poe, over 11 years ago
In my opinion, browsers should block all third party website content by default. Yeah, I know, the interwebs will break if they actually did this. Well perhaps someone should come up with some kind of website quality rating which indicates that a site can be viewed without worrying about the prying eyes of FaceBook, Google, Twitter, LinkedIn, etc.
gress, over 11 years ago
Also, it's worth pointing out that the tracking isn't for search. It's for more profitable advertising.

chanux, over 11 years ago
For anyone who would find this useful: Self destructing cookies add-on for Firefox https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/
judk, over 11 years ago
Is there a way for mobile browsers to block analytics cookies JS, a la ghostery and adblock?
usrnam, over 11 years ago
Last week I created an extension for Firefox:

Disable Google tracking, log off user FROM Google search engine:
* keep login into Gmail
* also remove ads
* remove Cookie,Sess~/localstorage
__ First run, need refresh Google page to log off ~~

-- Also remove Google anal-itics Cookie :)

https://addons.mozilla.org/pl/firefox/addon/googleantyspam/?src=userprofile

elwell, over 11 years ago
The problem with this is that most of the general public will read it as "Google helped NSA intentionally ..."

bosch, over 11 years ago
Can someone answer this question:

From a business perspective why are Google and Facebook getting involved in this and calling for the government to not track users? Won't that just bring more attention to their two business models of... wait for it... tracking users and selling their information?
goldvine, over 11 years ago
This is beyond ridiculous at this point. Wondering what else is still to come...

tejaswiy, over 11 years ago
I mean, disgust aside, technically NSA is doing some seriously cool shit. I wonder what you could do if you had access to a de-identified data dump from the NSA.

dangayle, over 11 years ago
As someone who works closely with several web marketing folks, this hits close to home. Each time they open a Snowden file, things get weirder and weirder.

timbro, over 11 years ago
No website *has* to have Google track their users. If you do it, you *choose* to do it (you're disrespecting your users).

You can get your open-source and locally running web analytics here: https://prism-break.org/

timbro, over 11 years ago
> it lets NSA home in on someone already under suspicion

Like OWS protesters, for example.