It isn’t just online advertisers that benefit from user-tracking cookies. The National Security Agency has been taking advantage of the cookies that companies force on users to pinpoint targets it wants to hack, according to newly released Edward Snowden documents.
The NSA and the British spy agency GCHQ look for ad tracking cookies in their wiretapped internet packets to identify specific people browsing the Internet. They especially focus on Google’s ubiquitous “PREF” cookie, which doesn’t identify the user’s name or e-mail address, but does include unique numeric codes that identify the user’s browser to websites.
These codes help the spy agencies home in on specific machines they want to attack, according to documents obtained by the Washington Post. The documents say the NSA uses the cookies to “enable remote exploitation.” Computer network exploitation, or CNE, is the military’s term for hacking conducted to obtain intelligence.
The NSA also uses the cookies to identify and single out a specific individual’s communications among the massive amounts of data it collects through internet taps, allowing it to zero in on the communications of someone who is already under suspicion, the Post reports.
The documents don’t indicate how the NSA obtains the Google PREF cookies, but they indicate that cookies are among the data that authorities can obtain under the Foreign Intelligence Surveillance Act with a court order. Google would not tell the Post if it has received requests for cookie data on users. Companies are generally prohibited from disclosing the nature of national security requests they receive from the government, but Google and others have been fighting the government in court for the ability to disclose general information about the requests they receive.
Advertisers and internet firms have long argued that the cookies they assign to users are innocuous and simply allow them to deliver more relevant and targeted advertising and services to users. But news that the NSA is piggybacking on these cookies and using them to spy on users belies these assertions.