Spy agency put 'cookies' on visitors' computers

http://www.suntimes.com/output/news/cst-nws-cookie29.html


NEW YORK -- The National Security Agency's Internet site has been placing files on visitors' computers that can track their Web surfing activity despite strict federal rules banning most of them.

These files, known as ''cookies,'' disappeared after a privacy activist complained and the Associated Press made inquiries this week, and agency officials acknowledged Wednesday that they had made a mistake.

Nonetheless, the issue raises questions about privacy at a spy agency already on the defensive amid reports of a secretive eavesdropping program in the United States.

''Considering the surveillance power the NSA has, cookies are not exactly a major concern,'' said Ari Schwartz, associate director at the Center for Democracy and Technology, a privacy advocacy group in Washington, D.C. ''But it does show a general lack of understanding about privacy rules when they are not even following the government's very basic rules for Web privacy.''

Track Web surfing

Until Tuesday, the NSA site created two cookie files that do not expire until 2035 -- likely beyond the life of any computer in use today.

The games there suck! :P

MANY commercial sites put cookies on your computer too. I guess it could go back to "intent", or why they are doing it.

I question WHY? What sites would concern them?

That's what they do...

Every site you visit has cookies, this site, yahoo, msn, even google. The claim that they could track visitors web surfing activities is highly misleading as they can only track their surfing activities for that one NSA domain.

How it works nowadays is that they can take the cookie's information (and your IP address), and cross reference that IP with the rest of their database.

For example, say you get a spam email with an image (visible or not) in it that loads from a remote server. If you view that email, and the image URL contains an encoded reference to your email address, the database can now match your IP address with your email address. It now knows 'who' you are.

Now they can take that new knowledge, and sift through the banner ad database, and see what sites your IP address has been loading ads from, ie., what sites you've been visiting. If a non-expiring cookie is also present, that cookie can be used to identify the user even if their IP address changes (such as if you surf via a public wireless node, etc...).

What the NSA did that was wrong is that they used cookies with an expiration date in the far, far future (2035, IIRC). This is considered 'wrong', since the longer the same cookie is used to track you, the more information about your traffic can be gathered. Typically, cookies should expire within a month or so. Client-side javascripts can read your browser's 'cookie jar', and websites can then read cookies that were originally placed there by a different site, such as this long-lived NSA cookie.

The NSA cookie didn't really open up any vulnerablilities or avenues of information gathering that weren't already there -- they just made it easier to gather more information, both for themselves and any spam site that knew about the existence of the NSA coookie and decided to use it.

It's part of the built-in session handling. So the NSA forgot to disable it... big deal, IMO. Nothing to see here.

Might want to consider it. Keep only those you want there.

If this bothers you, consider running privoxy and tor.

http://www.privoxy.org/

http://tor.eff.org/

However, I can't help but think that this is a deliberate distraction from the real crimes of the NSA.
This is small beer when compared to the wider scandal.