In its latest Snowden story, the WaPo reports that NSA has used Google’s cookies to help track people for hacking purposes.
The National Security Agency is secretly piggybacking on the tools that enable Internet advertisers to track consumers, using “cookies” and location data to pinpoint targets for government hacking and to bolster surveillance.
The agency’s internal presentation slides, provided by former NSA contractor Edward Snowden, show that when companies follow consumers on the Internet to better serve them advertising, the technique opens the door for similar tracking by the government. The slides also suggest that the agency is using these tracking techniques to help identify targets for offensive hacking operations.
[snip]
The NSA’s use of cookies isn’t a technique for sifting through vast amounts of information to find suspicious behavior; rather, it lets NSA home in on someone already under suspicion – akin to when soldiers shine laser pointers on a target to identify it for laser-guided bombs.
This will be sure to make software opposition to NSA’s unbridled spying louder, if not less hypocritical (after all, every way Google limits its own tracking amounts to another tool the NSA can’t exploit).
I’m particularly interested in how NSA collects cookies it uses. The article suggests they may do it via FISC order (though they don’t say whether it would involve an individualized FISA order or bulk FAA collection).
These specific slides do not indicate how the NSA obtains Google PREF cookies or whether the company cooperates in these programs, but other documents reviewed by the Post indicate that cookie information is among the data NSA can obtain with a Foreign Intelligence Surveillance Act order. If the NSA gets the data that way, the companies know and are legally compelled to assist.
That is, is a PREF cookie just one of many identifying details they’re asked to turn over on customers in general? If so, in what volume?
Remember, too, that one thing the Internet companies are fighting for in their transparency suit is the right to explicate metadata requests from content ones. This is the kind of information request that would be very informative for potential targets (because, if they don’t already, they can just keep their cookies clean).
I’m particularly interested in the disclosure that the NSA may be using information collected on a FISA order for offensive hacking purposes, not for information collection. That’s not surprising — it doesn’t necessarily clearly distinguish between information collection and hacking. And we know the NSA uses the content it collects to coerce informants, so why not aid in hacks?
But that does seem to extend the use of FISA orders beyond the spirit of their use.