This Google ad has been brought to you by the National Security Agency
The NSA is trying to de-anonymize Tor users using Web ads and tracking cookies. As predicted, the spooks and the marketers are merging.
Every Netizen with more than two brain cells to rub together knows ad companies and their partners are using cookies to track our movements across the Web. Of course, we also know the NSA has the capability to track almost anyone, anywhere, at any time, for any reason.
The “almost” in that sentence, however, is key. There are still some tools that allow people to surf the Net in relative anonymity, the best known of which is Tor.
So it shouldn’t come as any surprise that the spooks have been spending a good deal of time and energy trying to crack Tor -- or at least subvert it -- using a variety of fiendishly clever tools.
The latest tool in its arsenal is probably the simplest: Tracking cookies.
First, if you’re not familiar with Tor, here’s a quick Tortorial.
When you use the Tor software to browse the Web, it obfuscates your IP address by passing Internet traffic through three Web servers (or nodes) before sending it on to its ultimate destination. Each server removes the IP address of the computer that sent the traffic and substitutes its own. By the time the traffic emerges from the last server, or exit node, the original IP address has been erased. So, in theory, anyone who’s watching Internet traffic coming into a site will have no idea of its actual origin.
You can see why the NSA might not appreciate this feature. It wants to know where that traffic is coming from, especially if it's traffic to, say, Kill-All-Americans.com.
Remember: Pretty much all traffic traveling over US Internet backbones passes through machines controlled by the NSA. We’ve known this since at least 2006. So one of the first things the NSA’s super-secret servers do is try to identify which people are using Tor. When it identifies a user, it goes through a variety of techniques to try and ‘tag’ that machine so that when the traffic passes out of the Tor exit node, the spooks can still identify the machine it originally came from.
According to a report by CNET’s Seth Rosenblatt, one of the ways the spooks allegedly do this is via ads that leave behind tracking cookies – the same kind of tracking cookies used by hundreds of ad networks across the Web, including on the site you are now reading.
The system that the NSA uses to locate and identify Tor users begins, at least sometimes, with the buying of ads on networks like Google's AdSense.
"Just because you're using Tor doesn't mean that your browser isn't storing cookies," said Jeremiah Grossman, … who also specializes in browser vulnerabilities….
"The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the Internet, makes it easy to differentiate Tor users from other Web users," he wrote.
The NSA buys ads from ad display companies like Google and seeds them around Tor's access points….
The NSA, he said, is not spending much money on it since Internet ads are so cheap. Grossman speculated that an ad campaign would only cost around $1,000 to seed ads with the NSA's cookies around the Web.
Most tracking cookies are simply unique series of letters and numbers that serve to identify your machine (and really, just your browser) to other machines on the Internet. Your IP address is also a unique number. But while Tor can obscure your IP address, it has no effect on browser cookies. Hence, this technique.
Exactly how this works is unclear. (I, for one, would like a little more clarification about what the phrase “seeds them around Tor’s access points” actually means. The notion that a Tor node would be a regular site that displays Google ads seems rather unlikely to me. But I digress.)
The good news, such as it is: Running Tor on a virtual machine – like the NinjaStik I wrote about a while back – negates any effect a tracking cookie might have.
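An added example, not from the original article or from any ad-network or agency code: a toy model of the point above, that Tor changes the source IP a server sees while an unchanged cookie store keeps presenting the same ID, and that a separate, disposable browser profile breaks that link. The AdServer and BrowserProfile classes, the "uid" cookie name and the IP addresses (documentation ranges) are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

HOME_IP = "198.51.100.7"   # constructed: the user's real address
EXIT_IP = "203.0.113.50"   # constructed: address of a Tor exit node


class AdServer:
    """Hypothetical third-party ad server that tags browsers with an ID cookie."""

    def __init__(self):
        self.sightings = {}  # cookie ID -> set of source IPs that presented it

    def serve_ad(self, source_ip, cookie_header):
        jar = SimpleCookie(cookie_header or "")
        # Reuse the ID the browser sent, otherwise mint a new one.
        uid = jar["uid"].value if "uid" in jar else secrets.token_hex(8)
        self.sightings.setdefault(uid, set()).add(source_ip)
        return f"uid={uid}"  # what the Set-Cookie header would carry


class BrowserProfile:
    """One cookie store. Tor only changes the source IP the server sees."""

    def __init__(self):
        self.cookie = None

    def load_ad(self, server, real_ip, tor_exit_ip=None):
        seen_ip = tor_exit_ip or real_ip
        self.cookie = server.serve_ad(seen_ip, self.cookie)


def linked_ips(server):
    """IP sets for every cookie ID that showed up from more than one address."""
    return [ips for ips in server.sightings.values() if len(ips) > 1]


def shared_profile_demo():
    # Same browser profile used over Tor and later without it.
    server, profile = AdServer(), BrowserProfile()
    profile.load_ad(server, HOME_IP, tor_exit_ip=EXIT_IP)
    profile.load_ad(server, HOME_IP)
    return linked_ips(server)


def isolated_profile_demo():
    # Disposable profile (e.g. a fresh VM) for Tor, a different one for everything else.
    server = AdServer()
    BrowserProfile().load_ad(server, HOME_IP, tor_exit_ip=EXIT_IP)
    BrowserProfile().load_ad(server, HOME_IP)
    return linked_ips(server)
```

With a shared profile the server's log ties the exit-node address to the home address through one cookie ID; with isolated profiles it sees two unrelated IDs.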
Who’s hacking whom?
Google ads aren’t the NSA’s only method, or even its preferred one, for identifying Tor users. As security wonk Bruce Schneier details at some length in The Guardian, the spooks have a whole toolkit of hacker toys they can deploy to identify and infect the machines of potential threats – by intercepting traffic, rerouting it to spoofed sites (including fake Googles), and sending back malware, for example. In other words, they are behaving like very skilled cybercriminals.
The NSA’s response to all these revelations is invariably the same: We have strict oversight. We are only targeting non-Americans and/or overseas communications. We are only interested in hunting terrorists and other threats to our nation. Tools like Tor are being used by the bad guys, so we have the right to break them.
But regardless of the pious statements that emanate from Director of National Intelligence James Clapper at regular intervals, and ignoring the direct lies that have occasionally dropped from Clapper’s lips, the fact remains that it’s the spooks – and only the spooks – who determine what a credible threat is. And to do that they have to spy on millions of others who are not and never will be a credible threat. Like the tens of thousands of political dissidents, human rights workers, journalists and others who use Tor, because to do otherwise could pose a genuine threat to their safety.
If you use Tor – or email encryption – you go to the top of the list of possible threats, and so does anyone you communicate with. You are assumed guilty until classified otherwise, in a process that is utterly opaque. That’s not how this country is supposed to work.
Got a question about social media or privacy? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up).