FISA Orders for Hacking Help

In its latest Snowden story, the WaPo reports that NSA has used Google’s cookies to help track people for hacking purposes.

The National Security Agency is secretly piggybacking on the tools that enable Internet advertisers to track consumers, using “cookies” and location data to pinpoint targets for government hacking and to bolster surveillance.

The agency’s internal presentation slides, provided by former NSA contractor Edward Snowden, show that when companies follow consumers on the Internet to better serve them advertising, the technique opens the door for similar tracking by the government. The slides also suggest that the agency is using these tracking techniques to help identify targets for offensive hacking operations.

[snip]

The NSA’s use of cookies isn’t a technique for sifting through vast amounts of information to find suspicious behavior; rather, it lets NSA home in on someone already under suspicion – akin to when soldiers shine laser pointers on a target to identify it for laser-guided bombs.

This will be sure to make software opposition to NSA’s unbridled spying louder, if not less hypocritical (after all, every way Google limits its own tracking amounts to another tool the NSA can’t exploit).

I’m particularly interested in how NSA collects cookies it uses. The article suggests they may do it via FISC order (though they don’t say whether it would involve an individualized FISA order or bulk FAA collection).

These specific slides do not indicate how the NSA obtains Google PREF cookies or whether the company cooperates in these programs, but other documents reviewed by the Post indicate that cookie information is among the data NSA can obtain with a Foreign Intelligence Surveillance Act order. If the NSA gets the data that way, the companies know and are legally compelled to assist.

That is, is a PREF cookie just one of many identifying details they’re asked to turn over on customers in general? If so, in what volume?

Remember, too, that one thing the Internet companies are fighting for in their transparency suit is the right to explicate metadata requests from content ones. This is the kind of information request that would be very informative for potential targets (because, if they don’t already, they can just keep their cookies clean).

I’m particularly interested in the disclosure that the NSA may be using information collected on a FISA order for offensive hacking purposes, not for information collection. That’s not surprising — it doesn’t necessarily clearly distinguish between information collection and hacking. And we know the NSA uses the content it collects to coerce informants, so why not aid in hacks?

But that does seem to extend the use of FISC orders beyond the spirit of their use.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

6 replies
  1. joanneleon says:

    I’ve avoided using the word “fascist” for a long, long time (until recently). But look at Roosevelt’s definition of fascism:

    “The first truth is that the liberty of a democracy is not safe if the people tolerate the growth of private power to a point where it becomes stronger than their democratic state itself. That, in its essence, is fascism — ownership of government by an individual, by a group, or by any other controlling private power”
    http://en.wikipedia.org/wiki/Definitions_of_fascism#Franklin_D._Roosevelt

    I’m really interested in knowing more about how they get the PREF cookies via FISC order too. I keep thinking of the articles about the lines between the Google data centers and how they vacuum up the data when the data centers are synchronizing, sending entire contact lists, email archives, etc.

    One of their biggest challenges has to be finding a unique identifier for people on the internet, like an international Social Security number. Because people use the internet from multiple devices and multiple locations which makes IP addresses and MAC Ids not particularly useful. And they get new devices, have multiple email addresses. None of those work for the one unique identifier. It sounds like Google has tackled that. I’ve wondered in the past how they sort out the different people using the internet in my own home. At times there are five of us on the same network and to the outside world, we’re all using the same IP address. Internally on the network, we have unique internal IP addresses, but those are assigned dynamically by the router.

    That PREFID would be a very valuable thing for the intel agencies to have for everyone.

  2. joanneleon says:

    Here is another thing that stuck with me.

    And apps that do not need geo-location data may still collect it anyway to share with third-party advertisers.

    http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/

    I’m sure this isn’t really news and a lot of people are aware of it. But my kid put a flashlight app on my smart phone. It’s come in handy a number of times! There is a pretty powerful LED light on the back of my Android that can be used for taking photos in low light. The app is a really simple app that just turns that light on or off. So did somebody write this simple app just because they were learning how to do smartphone programming or because they like open source or did somebody pay them to write and publish the app to collect location data? Is it collecting my location and sending it off all the time or only when I open up the app? Why doesn’t it tell me right up front that it’s doing this? Silly question, I know.

    I have, increasingly, a love hate relationship with this tracking device that is my smartphone.

  3. C says:

    What is interesting about this use of cookies is that it seems that it should be relatively easy to defeat. Most modern browsers have a capacity to refuse cookies or to store unique cookies on a session-by-session basis. The problem would lie with persistent logins such as setting your system to always store your Google ID or Facebook password which would use a persistent login.

    There are other ways that they can track you of course but cookies are quite easy to discard and many in-browser extensions exist that junk these things as needed.

    @joanneleon: I just have a hate-hate personally :)

  4. Saul Tannenbaum says:

    Amongst legal scholars of privacy – the sober, serious kind who inhabit law schools – one of the threads of debate is whether we’re on the brink of a surveillance state or are already in a surveillance state. At the crux of that debate has been Fusion Centers because, in the belief of these scholars, the mixing of governmental entities with corporate entities, both of whom are doing surveillance for their own purposes, defines the line for them as to what constitutes a surveillance state. What we now know is that they were looking in the wrong place. If the state surveillance apparatus is using as one of its identifiers of people cookies assigned by advertisers and marketers, we’ve crossed that line.

    That, I believe, is the far more chilling takeaway from this particular revelation.

  5. Eureka Springs says:

    While a cookie (spookie?) may be easy to remove… I rather suspect the spooks bother with removal themselves… Unless you remove it, it stays forever?

  6. greengiant says:

    Scroll down to the bottom of this page and click on the sitemeter box.
    Inactive for quite a while, but informative about what can be drained from your computer for starters.
    If a JavaScript can download all your current tabs or link history they would have/will find things like the Citibank link with password hash that allowed hackers to rumble through thousands of accounts. Not to mention every news site and blog you have visited.
