CookieLaw Blog December 16, 2014

Cookies Used to Identify Individuals by GCHQ?

The UK spy agency GCHQ used the contents of common tracking cookies to help identify individuals as part of its surveillance operations, according to an article published by The Intercept over the weekend.

We haven’t talked very much about the Snowden story on this blog, largely because the issues raised are much broader than our agenda.  However, this particular part of the tale is very relevant as it demonstrates why cookies can sometimes be personal data.

The Intercept is a site set up by Glenn Greenwald and Laura Poitras, the first two journalists Edward Snowden shared his leaked documents with, as a vehicle for continuing the work of analysing and reporting on the documents and the associated revelations about state online surveillance.

The latest article from the site is an in-depth look at claims of how GCHQ gained access to Belgian telecommunications company Belgacom’s systems, as a way of tapping into vast amounts of European communications traffic.

According to the article GCHQ maintains a repository (named Mutant Broth apparently) of intercepted third party tracking cookies set by Google, Yahoo and LinkedIn.  These cookies contain codes unique to each device, which are supposedly anonymous in themselves to all except the providers.

However, GCHQ was able to correlate these cookies with IP addresses to help them identify target employees within Belgacom – engineers with high level access to key systems. Using this information they could then attack the devices used by those engineers, to then gain access to Belgacom’s systems directly.

This was essentially a task of data aggregation to reveal identity, and while the purpose of the activity in this case was different from normal commercial practice, the core methods were not.

Though individual cookies may be just strings of numbers that in themselves reveal little, when those are used to track devices across websites and over time, the trail they generate can be easily correlated with other data, such as an IP address, that makes someone directly identifiable.  This is how the data broking industry operates, how credit scoring is increasingly done, and how marketing can be ever more targeted to individuals.

It is also why the ability to refuse cookies, for those who don’t want such profiles to be built up, is an important element in online privacy, and therefore an important principle embodied in the cookie law.

Recent Posts


January 13, 2017
Future of EU Cookie Compliance Webinar: ...

GDPR and now the proposed E-Privacy Regulation mean a stricter regime for cookie compliance, web governance and use of online tracking technologies. Join p...

View Article
Recent blog thumbnail
December 14, 2016
Draft EU ePrivacy Regulation Leaked...

A draft of the proposed legislation to replace the outdated EU ePrivacy Directive was leaked on the Politico.eu (PDF) website this week. The proposal is fo...

View Article
Recent blog thumbnail
November 3, 2016
GDPR Compliance Means Cookie Notices Mus...

Are you one of those people that ticked the cookie law box ages ago and not thought about it since? Well the game has changed and now is the time to re-vis...

View Article
Recent blog thumbnail
September 21, 2016
Optanon Acquired by OneTrust...

We are pleased to announce that Optanon, along with parent company Governor Technology, has been acquired by OneTrust....

View Article

Be in the Know

Subscribe to our newsletter