How Advertisers' Cookies Are Helping the NSA's Data-Collection Efforts
[Commentary] It turns out advertisers and the data they rely on are facilitating the government's bulk surveillance. The National Security Agency's XKeyscore program is designed to collect and analyze global Internet traffic. Along with information on the breadth and scale of the NSA's data collection, The Intercept revealed how the NSA relies on unencrypted cookie data to identify users: "The NSA's ability to piggyback off of private companies' tracking of their own users is a vital instrument that allows the agency to trace the data it collects to individual users. It makes no difference if visitors switch to public Wi-Fi networks or connect to VPNs to change their IP addresses: the tracking cookie will follow them around as long as they are using the same web browser and fail to clear their cookies."
Advertisers need good information about which ads are and are not working. Often they do this by identifying users via cookies in order to create specific user profiles. But the ability of the NSA to leverage this data is a huge privacy issue. Slides from leaked NSA presentations show agents discussing how to mine these cookies and automatically extract data that uniquely identifies users or their machines. Worse yet, advertisers have not given the public any meaningful way to opt out of tracking, which means users have no way to protect themselves from this NSA piggybacking.
Although initiatives like the Digital Advertising Alliance have guidelines which give users the option to opt out of targeted ads, they don't require advertisers to discontinue user tracking. Instead this data must, according to the DAA's About Ads site, "within a reasonable period of time from collection go through a de-identification process." Unfortunately this does nothing to mitigate the NSA's ability to use the cookies advertisers serve to track netizens. As a result, the advertising industry has become complicit in the NSA's bulk surveillance of the entire Internet. Fortunately, the solution is easy: Advertisers must discontinue all tracking of users who have opted out.
[Noah Swartz is a staff technologist at the Electronic Frontier Foundation]