How the NSA Piggy-Backs on Third-Party Trackers

The Citizen's Guide to the Future
Dec. 13 2013 5:02 PM

Snooping on the Internet is tricky. The network is diffuse, global, and packed with potential targets. There’s no central system for identifying or locating individuals, so it’s hard to keep track of who is online and what they’re up to. What’s a spy agency to do?

One option is to plant a unique tag on every computer and smartphone, stamp every Internet message with the sender’s tag, and then capture the tagged traffic. Perhaps in a massive database with a quirky all-caps codename. But a project of that scale can’t be kept secret, and if it’s done openly the public will surely object.

Luckily (for the spies) there’s an easier way: free ride on the private sector, which does its own pervasive tagging and monitoring.

That’s precisely what the National Security Agency has been up to, as confirmed most recently by a front-page story in Wednesday’s Washington Post. Other countries’ spy agencies are probably doing the same thing.

Companies track users for many reasons, such as to remember a login, to target ads, or to learn how users navigate. They usually do this by tagging each computer or smartphone with a tracking ID: a random-looking unique identifier, which is often stored in a browser cookie.

Which companies are keeping tabs on you? You probably expect to be tracked by the sites you visit and the apps you run. But these “first parties” often pull in tracking content from unrelated “third parties,” most of which you probably have never heard of. Slate’s home page, for example, references at least a dozen third-party trackers. When we viewed the Post’s story about the NSA, our browser was directed to 39 third-party trackers, including one located in Japan. (This isn’t unusual, and Slate and the Post make no secret of it.)

Spooks can easily watch these tracking IDs as they flit across the Net, unprotected by any encryption, and then use the IDs to build the mother of all tracking databases. The NSA collects vast amounts of international Internet traffic, and it retains the metadata—including tracking IDs—for at least a year.

Unique identifiers solve many surveillance problems. What if several users share an Internet connection? Use tracking IDs to tell them apart. What if a user moves from home to a coffee shop or between cell towers? Follow the tracking IDs. What if you need to pinpoint a computer break-in? Aim at the target’s tracking IDs. None of this requires the cooperation—or even awareness—of the tracking companies.

Geolocation is yet another freebie from the private sector. An Internet address provides only a rough estimate of a device’s location; greater precision requires access to hardware features like GPS or Wifi. What spy agency would risk tapping directly into devices’ GPS or Wifi chips? They don’t need to—advertising and analytics software queries the onboard sensors, then phones home with an unencrypted and precise location. One NSA program, HAPPYFOOT, appears specifically designed to take advantage of this data.

The proliferation of third-party trackers also increases the reach of Internet surveillance. No government, not even the United States, can monitor every network path. Most Web pages include multiple third parties, each typically contacted through a different route, giving spies more places to capture user activity. What’s more, the largest third parties are in the United States, where the NSA’s technical capabilities are at their zenith. Even if you’re outside the United States and viewing a local webpage, for example, there might be a tipoff to an American advertiser. And the NSA.

If online services don’t like this, they can go beyond lobbying for legal changes—useful as that is—and upgrade their technology. Tracking servers can switch to HTTPS, the secure, encrypted version of the Web’s protocol. The expert consensus seems to be that even the NSA cannot accomplish mass surveillance of encrypted network traffic; HTTPS would put tracking IDs beyond a bulk eavesdropper’s reach.
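For a site operator who wants to know where their own pages stand, the following added example (not part of the original article) audits a recorded list of page requests and reports third-party hosts that receive identifier-like cookies over unencrypted HTTP. The hostnames and cookie values are constructed, and the two-label site comparison and the 16-character identifier heuristic are simplifying assumptions.

```javascript
// Audit sketch: which third parties receive tracking-ID-like cookies in cleartext?
// All request data below is constructed sample input.

// Assumption: treat the last two DNS labels as the "site". A production
// audit should use the Public Suffix List instead.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Assumption: a long opaque token is likely a unique identifier.
function looksLikeTrackingId(value) {
  return /^[A-Za-z0-9_-]{16,}$/.test(value);
}

// Split a Cookie request header into {name, value} pairs.
function parseCookieHeader(header) {
  return header.split(';').map(p => p.trim()).filter(Boolean).map(p => {
    const i = p.indexOf('=');
    return i < 0 ? { name: p, value: '' } : { name: p.slice(0, i), value: p.slice(i + 1) };
  });
}

// Report third-party requests sent over plain HTTP that carry ID-like cookies.
function auditRequests(pageUrl, requests) {
  const firstParty = siteOf(new URL(pageUrl).hostname);
  const findings = [];
  for (const req of requests) {
    const url = new URL(req.url);
    const thirdParty = siteOf(url.hostname) !== firstParty;
    if (!thirdParty || url.protocol !== 'http:') continue; // HTTPS hides the header in transit
    const ids = parseCookieHeader(req.cookie || '')
      .filter(c => looksLikeTrackingId(c.value))
      .map(c => c.name);
    if (ids.length > 0) findings.push({ host: url.hostname, cookies: ids });
  }
  return findings;
}

const SAMPLE_REQUESTS = [ // constructed
  { url: 'http://news.example/story', cookie: 'session=9f8e7d6c5b4a39281706f5e4' },
  { url: 'http://ads.tracker-one.example/pixel.gif', cookie: 'uid=a1b2c3d4e5f60718293a4b5c; lang=en' },
  { url: 'https://metrics.tracker-two.example/collect', cookie: 'vid=ZXhhbXBsZS1pZC0xMjM0NTY3OA' },
  { url: 'http://cdn.static-three.example/lib.js', cookie: '' },
];

function runSample() {
  return auditRequests('http://news.example/story', SAMPLE_REQUESTS);
}
console.log(JSON.stringify(runSample(), null, 2));
```

Only the cleartext third-party request with an identifier-like cookie is reported; the tracker served over HTTPS and the cookieless CDN request are not.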

But technical security is not enough. The NSA can legally compel an American company to disclose records about any foreigner, with no individualized judicial review and scant transparency. The legal process is slower and more cumbersome than technical surveillance, to be sure, but still leaves much of the globe at risk. And the NSA has demonstrated it knows how to expedite the legal process using technology—that’s precisely what the PRISM program does. As long as companies collect and retain tracking data, there will be a risk of disclosure through legal process, and users, especially those overseas, will be wary.

Future Tense is a partnership of Slate, New America, and Arizona State University.

Edward Felten is a professor of computer science and public affairs at Princeton University and the director of Princeton’s Center for Information Technology Policy. He served as chief technologist for the Federal Trade Commission in 2011–2012.

Jonathan Mayer is a doctoral student in computer science at Stanford University, where he received his law degree in 2013.
