It’s difficult to tell just how upset to be about the latest NSA techno-super power uncovered by Washington Post reporters, because it’s unclear just what exactly is going on. A series of Snowden-leaked slides from an NSA meeting entitled “NSA signal-surveillance success stories” has revealed that the agency is collecting location and browsing data through the cookies and geo-tags openly used by third-party programs and apps. These include, but are not limited to, the browser cookies used by virtually every major website, and the privileged location data transmitted by many mobile apps, and by mobile operating systems themselves. The problem is that the how of this collection remains mostly opaque — it’s possible the NSA is crossing every “t” and dotting every “i,” making legal its pursuit of omniscient knowledge of every citizen’s location and online activity.
A conventional browser cookie, like Google’s PREF cookie — which was a major target for exploitation in this NSA program — contains detailed but technically anonymous information. It doesn’t have your name, email, or even your IP address, but it can store things like your physical location and preferred language. It stores these things to improve response time and reduce server load, so your whole, meticulously cross-referenced Google search profile need not be loaded every time you ask the internet what Christian Slater has done lately. The NSA can “piggypack” on these signals to gain information, though exactly what “piggyback” means is anyone’s guess.
It’s certainly possible that it’s collecting this information via classical “hacking” techniques like the Man In the Middle scheme recently revealed to be leaching off the internet’s very backbone. In such a setup, someone in an intermediary position to sender and receiver grabs a package headed, for example, from Google to your PC, and duplicates it with or without a slight addition. Sending on its (nigh-)clone message, the listener can then redefine itself as the other side of the conversation, effectively becoming Google’s server in the eyes of your machine. The PREF cookie can be transmitted any time your computer contacts Google, either directly or through an embedded element like a map for directions, so such attacks could be implemented virtually any time — upwards of 60% of all online-capable devices contact Google at least once per day.
That seems quite likely to be at least the partial source of this information, actually. A division known as the Special Source Operations (SSO) is (we think) the NSA division tasked with overseeing the internet’s aforementioned spinal wiretap, and it is SSO that’s credited for collecting the geo- and browsing tags at issue here. The slides indicate that SSO was sharing the “logins, cookies, and GooglePREFID” with other NSA divisions, including the offensive hacking section called Tailored Access Operations (TAO). TAO is a major operational component of the XKeyscore program, and one of the divisions driving the sale of tinfoil in the paranoid (but who can blame them?) community.
However, as the Washington Post points out in its own breakdown of this information, there’s currently no reason to think that Google isn’t coughing up the information in response to legal access demands placed under the Foreign Intelligence Surveillance Act (FISA). SSO could simply be asking the companies here for the information, and the companies may be legally required to hand it over, and equally required to stay silent about it. Google and other companies have been fighting for the right to release at least the numbers and statistics that describe the government’s quest for access to their customers’ information, let alone such detailed information as the actual pieces of data it wants most.
Note that this issue isn’t unique to Google at all, but the search giant’s online ubiquity make its security vulnerabilities much more pressing than everyone else’s. Whatever the collection methodology for browser cookie information, that same technique would work (and appears to be working) to grab location data from basic Android and iOS services, or from their first- or third-party apps. It should also be remembered that these are targeted techniques used against known individuals, not trawling attacks used for indiscriminate intelligence gathering. Still, TAO is known to prefer wide-base attacks against routers and whole networks, rather than individual hacks; simply working in the same office building as a security target could be enough to get your info onto an analyst’s screen, if only for a moment.
If they want to, the NSA can get you online. It can get in between you and the fundamental online infrastructure, negating the majority of all security efforts entirely. It can exploit zero-day hacks it forced companies to build into “security” software, and walk right past your most paranoid encryption efforts. It can turn simple ownership of an internet-capable smartphone into a virtual certainty of one-a-day government location checks, with an option to upgrade to total annihilation of privacy. At this point any further revelations about the NSA would likely tell us more about the state of surveillance technology than about the agency’s fundamental abilities; in terms of the actual ability to see what they want when they want, the NSA really doesn’t have much space left to explore.