Third-party cookies can be linked to provide global surveillance

In 2014, researchers at Princeton University outlined an attack that uses multiple third-party cookies to link traffic so that individual users can be identified and tracked from anywhere in the world. A nation-state wishing to surveil particular users outside its jurisdiction, for example, may have access only to data that passes through routers within their country. Linking cookies and using only web page header data to track 25 simulated users browsing from a US location over a three-month timespan, the researchers were able to link 62% of an average user's page visits together. Linking clusters of pages can also sometimes reveal real-world identities. Given what is known of the US National Security Agency's legal restrictions on surveillance and the assumption that most wiretapping happens within US borders or undersea cables, the researchers also considered "one-end foreign" connections - that is, traffic between the US and Europe or Asia and concluded that this type of traffic can potentially be surveilled. Users can defend themselves somewhat by using browser privacy tools; the researchers find that Ghostery is the most effective one, but it still allows a quarter of traffic to be surveilled. Website owners can help by enabling HTTPS secure connections.

Writer: Stephen Englehardt
Publication: Freedom to Tinker