The National Security Agency is monitoring a certain type of cookie – deployed by the search giant Google – as yet another tool in its increasingly public surveillance apparatus.
This, according to slides from an April 2013 NSA presentation acquired by the Washington Post, is the latest revelation from former National Security Agency contractor Edward Snowden.
The slides indicate that the NSA is monitoring Google’s PREF cookie. The NSA is reportedly utilizing an analytics tool called HAPPYFOOT that aggregates leaked location data, in this case from the PREF cookie. It is unclear exactly how the NSA’s HAPPYFOOT tool acquires these PREF cookies, though the slides seem to suggest that the spy agency may be exploiting a data leak vulnerability of some sort. However, the Washington Post reports that the NSA may be acquiring these cookies with Foreign Intelligence Surveillance Act court orders.
The slides also reveal that the NSA has partnered with the National Geospatial-Intelligence Agency, and the Washington Post reports that the two groups are using these PREF cookies to determine the locations of surveillance targets in order for the NSA to perform remote spying operations.
Cookies are small pieces of data that companies send from their websites and install on the browsers of the individuals visiting those websites. When a user revisits one of these sites, that user’s browser sends the cookie back, and the server handling the site then recognizes the browser of the user.
A Wall Street Journal article from February 2012 examined the discovery of the PREF cookie by a man named Stephen Frankel. Frankel’s case was particularly odd because he observed the cookie present in his Safari browser despite the fact that he had blocked all tracking cookies and – even odder yet – had not visited any sites in his Safari browser.
The Journal reported that the PREF cookies primarily serve Google’s Safe Browsing malware protection feature.
Wall Street Journal technological consultant Ashkan Soltani noted that the cookie – despite not being an advertising cookie – contains a unique identification number and cannot be disabled without disabling Google’s phishing and malware protection feature. Basically what is happening, Soltani explained, is that other browsers are periodically pinging Google for updated lists of dangerous sites. In turn, Google responds by installing this PREF cookie on user machines. This is how the cookie ended up in Frankel’s unused Safari browser.
Of course, the PREF cookie serves another purpose as well, and this other purpose seems to be the one the NSA is exploiting. On a Google policies and principles page that had to be translated from Spanish, the company notes that the PREF cookie gives Google the ability to determine user locations so that Web content is displayed in the user’s preferred language. Per Google’s explanation, the cookie also grants location data to certain sites that want to display location-sensitive content like local news, traffic, and weather reports.
The PREF cookie may appeal to the NSA because of these characteristics: it seems to be innocuous if not beneficial, it works when all other cookies are blocked, it is present even on unused browsers, and it has the capacity to collect location data.