How Advertisers' Cookies Are Helping the NSA's Data-Collection Efforts
The National Security Agency's XKeyscore program, first reported by The Guardian, is designed to collect and analyze global Internet traffic. Along with information on the breadth and scale of the NSA's data collection, The Intercept revealed how the NSA relies on unencrypted cookie data to identify users:
"The NSA's ability to piggyback off of private companies' tracking of their own users is a vital instrument that allows the agency to trace the data it collects to individual users. It makes no difference if visitors switch to public Wi-Fi networks or connect to VPNs to change their IP addresses: the tracking cookie will follow them around as long as they are using the same web browser and fail to clear their cookies."
Advertisers need good information about which ads are and are not working. Often they do this by identifying users via cookies in order to create specific user profiles. But the ability of the NSA to leverage this data is a huge privacy issue. Slides from leaked NSA presentations show agents discussing how to mine these cookies and automatically extract data that uniquely identifies users or their machines.
Worse yet, advertisers have not given the public any meaningful way to opt out of tracking, which means users have no way to protect themselves from this NSA piggybacking. Although initiatives like the Digital Advertising Alliance have guidelines which give users the option to opt out of targeted ads, they don't require advertisers to discontinue user tracking. Instead this data must, according to the DAA's About Ads site, "within a reasonable period of time from collection go through a de-identification process." Unfortunately this does nothing to mitigate the NSA's ability to use the cookies advertisers serve to track netizens. As a result, the advertising industry has become complicit in the NSA's bulk surveillance of the entire Internet. Fortunately, the solution is easy: Advertisers must discontinue all tracking of users who have opted out.
And that's not all advertisers need to do in order to stop being tools for bulk surveillance.
For users who do not opt-out, advertisers must also ensure that they are effectively protecting their tracking data. Sending cookies only over secure HTTPS connections is a clear start, making it much harder for the NSA to collect data through programs like Xkeyscore, but storing this data securely is necessary as well. Not only will the NSA happily seek this data in storage if they can't get it in transit, but other entities are after large troves of Internet users' data as well. Unencrypted or improperly protected data is a sitting duck for malicious actors, and the analytics data stored by many advertisers presents exactly this kind of easy target.
Of course, even the strongest encryption won't be able to stop the government from obtaining data from advertisers, since government agencies like the FBI are happy to obtain user data through a subpoena or National Security Letter (and even, occasionally, a warrant). In fact, during their recent testimony in the Senate on putting backdoors in encryption technology, FBI Director James Comey and Deputy Attorney General Sally Yates stated that their preferred method of getting user data is by demanding it from the companies that collect and store it. Thus as long as the data is accessible by advertisers -- even if it's stored in an encrypted manner -- it's just one subpoena away from being accessible by the government too, regardless of the outcome of the current "crypto wars."
Here's What Advertisers Can Do
What can advertisers do to mitigate this? Obviously they need access to the data so that they can analyze it and create meaningful statistics. But there are socially responsible ways to do this that would make it harder for government agencies to piggyback on advertisers' efforts. Foremost among these is the anonymization of tracking data. Given the problems posed by re-identification, proper anonymization requires careful thought and analysis, but the resulting benefits to Internet users everywhere would be huge. Similarly, advertisers could commit to retaining data for only as long as necessary; the shorter the retention period, the better.
Advertisers are often seen as poor stewards of user data, leading to decreased trust in them and the ads they provide. If advertisers want to change that perception they need to stand up for user privacy by allowing meaningful opt-outs, by increasing the use of encryption, and by anonymizing data and reducing retention times. Only then will they be able to clear themselves of their part in the NSA's bulk surveillance operations and regain the public's trust.