How advertising cookies let observers follow you across the web

85

Back in December, documents revealed the NSA had been using Google's ad-tracking cookies to follow browsers across the web, effectively coopting ad networks into surveillance networks. A new paper from computer scientists at Princeton breaks down exactly how easy it is, even without the resources and access of the NSA. The researchers were able to reconstuct as much as 90% of a user's web activity just from monitoring traffic to ad-trackers like Google's DoubleClick. Crucially, the researchers didn't need any special access to the ad data. They just sat back and watched public traffic across the network.

Tor was the only tool that escaped the researchers' dragnet

As it turns out, trackers are displaying a surprising amount of information in public. Each ad system gives a user a unique ID number, but by following the same browser session from system to system, the researchers were able to tie together the vast majority of a given user's web requests. By following those same cookies to identity-based services like Facebook and Google+, the researchers were able to give a name to each user.

The result is, for a given pageview, it's surprisingly easy to trace back to a person's name and the other pages they've visited. Security measures like HTTPS threw researchers off the case a little bit, but the density of ad cookies makes them easy to get around. The only solid protection was the routing network Tor, which scrambled IP addresses thoroughly enough to escape the researchers' impromptu dragnet.

More from The Verge

Back to top ^
X
Log In Sign Up

forgot?
Log In Sign Up

Please choose a new Verge username and password

As part of the new Verge launch, prior users will need to choose a permanent username, along with a new password.

Your username will be used to login to Verge going forward.

I already have a Vox Media account!

Verify Vox Media account

Please login to your Vox Media account. This account will be linked to your previously existing Eater account.

Please choose a new Verge username and password

As part of the new Verge launch, prior MT authors will need to choose a new username and password.

Your username will be used to login to Verge going forward.

Forgot password?

We'll email you a reset link.

If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.

Forgot password?

Try another email?

Almost done,

By becoming a registered user, you are also agreeing to our Terms and confirming that you have read our Privacy Policy.
Spinner.vc97ec6e

Authenticating

Great!

Choose an available username to complete sign up.

In order to provide our users with a better overall experience, we ask for more information from Facebook when using it to login so that we can learn more about our audience and provide you with the best possible experience. We do not store specific user data and the sharing of it is not required to login with Facebook.

tracking_pixel_5345_tracker