How the NSA Piggy-Backs on Third-Party Trackers by Edward Felten and Jonathan Mayer
“Snooping on the Internet is tricky. The network is diffuse, global, and packed with potential targets. There’s no central system for identifying or locating individuals, so it’s hard to keep track of who is online and what they’re up to. What’s a spy agency to do?
One option is to plant a unique tag on every computer and smartphone, stamp every Internet message with the sender’s tag, and then capture the tagged traffic. Perhaps in a massive database with a quirky all-caps codename. But a project of that scale can’t be kept secret, and if it’s done openly the public will surely object.
Luckily (for the spies) there’s an easier way: free ride on the private sector, which does its own pervasive tagging and monitoring. That’s precisely what the National Security Agency has been up to, as confirmed most recently by a front-page story in Wednesday’s Washington Post. Other countries’ spy agencies are probably doing the same thing.
Companies track users for many reasons, such as to remember a login, to target ads, or to learn how users navigate. They usually do this by tagging each computer or smartphone with a tracking ID: a random-looking unique identifier, which is often stored in a browser cookie.
Which companies are keeping tabs on you? You probably expect to be tracked by the sites you visit and the apps you run. But these “first parties” often pull in tracking content from unrelated “third parties,” most of which you probably have never heard of. Slate’s home page, for example, references at least a dozen third-party trackers. When we viewed the Post’s story about the NSA, our browser was directed to 39 third-party trackers, including one located in Japan. (This isn’t unusual, and Slate and the Post make no secret of it.)
Spooks can easily watch these tracking IDs as they flit across the Net, unprotected by any encryption, and then use the IDs to build the mother of all tracking databases.
The NSA collects vast amounts of international Internet traffic, and it retains the metadata—including tracking IDs—for at least a year.”
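
A site operator can check which cookies set by a page and its third parties match the description above: a random-looking identifier that is not restricted to encrypted connections. The following is an added example, not part of the quoted article; the hostnames, header values and the length and entropy thresholds are constructed assumptions, and the entropy test is a heuristic rather than a definition of a tracking ID.

```python
import math
from collections import Counter
from http.cookies import SimpleCookie

# Constructed sample data: (host, Set-Cookie header value) pairs.
SAMPLE_HEADERS = [
    ("tracker.example", "uid=9f3c2a7be1d44c0a8b6f5e2d1c0b9a87; Max-Age=31536000; Path=/"),
    ("ads.example", "tid=Zk3vQ1x8Lr7TnB2mYp0c; Max-Age=63072000; Secure; HttpOnly"),
    ("news.example", "lang=en; Max-Age=31536000"),
    ("cdn.example", "sess=ab12cd34ef56ab78; Path=/"),
]

# Assumed thresholds for a "random-looking unique identifier".
MIN_LEN = 16
MIN_BITS = 48


def estimated_bits(value):
    """Shannon entropy of the character distribution, times the length."""
    counts = Counter(value)
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def looks_like_tracking_id(value):
    return len(value) >= MIN_LEN and estimated_bits(value) >= MIN_BITS


def audit(headers):
    """Return (host, name, persistent) for ID-like cookies lacking Secure."""
    findings = []
    for host, header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not looks_like_tracking_id(morsel.value):
                continue  # short or low-entropy value, e.g. a language preference
            if morsel["secure"]:
                continue  # only sent over TLS, so not readable in transit
            persistent = bool(morsel["max-age"] or morsel["expires"])
            findings.append((host, name, persistent))
    return findings


if __name__ == "__main__":
    for host, name, persistent in audit(SAMPLE_HEADERS):
        kind = "persistent" if persistent else "session"
        print(f"{host}: {name!r} is an ID-like {kind} cookie without Secure")
```

Cookies flagged as persistent are the ones to prioritise: setting `Secure` on them and serving the embedding resources over HTTPS keeps the identifier out of cleartext traffic.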