Cookies Used to Identify Individuals by GCHQ?

By: Richard Beaumont | Tuesday, December 16, 2014 | Tagged: Belgacom, Cookie Law, GCHQ, Snowden | Leave Comment

The UK spy agency GCHQ used the contents of common tracking cookies to help identify individuals as part of its surveillance operations, according to an article published by The Intercept over the weekend.

We haven’t talked very much about the Snowden story on this blog, largely because the issues raised are much broader than our agenda.  However, this particular part of the tale is very relevant as it demonstrates why cookies can sometimes be personal data.

The Intercept is a site set up by Glenn Greenwald and Laura Poitras, the first two journalists Edward Snowden shared his leaked documents with, as a vehicle for continuing the work of analysing and reporting on the documents and the associated revelations about state online surveillance.

The latest article from the site is an in-depth look at claims of how GCHQ gained access to Belgian telecommunications company Belgacom’s systems, as a way of tapping into vast amounts of European communications traffic.

According to the article GCHQ maintains a repository (named Mutant Broth apparently) of intercepted third party tracking cookies set by Google, Yahoo and LinkedIn.  These cookies contain codes unique to each device, which are supposedly anonymous in themselves to all except the providers.

However, GCHQ was able to correlate these cookies with IP addresses to help them identify target employees within Belgacom – engineers with high level access to key systems. Using this information they could then attack the devices used by those engineers, to then gain access to Belgacom’s systems directly.

This was essentially a task of data aggregation to reveal identity, and while the purpose of the activity in this case was different from normal commercial practice, the core methods were not.

Though individual cookies may be just strings of numbers that in themselves reveal little, when those are used to track devices across websites and over time, the trail they generate can be easily correlated with other data, such as an IP address, that makes someone directly identifiable.  This is how the data broking industry operates, how credit scoring is increasingly done, and how marketing can be ever more targeted to individuals.

It is also why the ability to refuse cookies, for those who don’t want such profiles to be built up, is an important element in online privacy, and therefore an important principle embodied in the cookie law.

Tag Cloud