Who has their Fingers in the Google Cookie Jar?

The Washington Post revealed last week that the NSA is using Google browser cookies to discover personal identities. In the case of someone they want to investigate, the NSA can inject software on the remote computer to continuously track activities. The NSA documents don’t reveal how the organization was able to obtain the so-called PREF cookies. An example Google PREF cookie is shown below:


It is difficult to know what all of the fields in this cookie mean, since they are trade secrets, but you can observe two things. The first is the ID field. Security researchers know that this is a random number assigned to the cookie when you first connect to any Google web site, like google.com. Since the number is unique, Google knows that this is your computer. If you pack up your laptop, fly half-way around the world and connect to the Internet, Google knows this is you again. If you then log in to your email or Facebook, whoever is spying on you now knows what name is associated with your computer. The second is the expiry date: the cookie is set to expire in two years. That means unless you delete cookies from your browser, Google can keep track of your movements for quite a while.
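The two properties described above (a unique ID and a long expiry) can be checked for in any `Set-Cookie` header you capture from your own traffic. The following is an added example, not code from the original article: the sample header is constructed, the colon-separated `key=value` layout of the cookie value is an assumption, and the 30-day threshold is an arbitrary policy choice.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample header: the ID, timestamps and date are made up, and the
# colon-separated key=value layout of the value is an assumption.
SAMPLE = ("PREF=ID=1a2b3c4d5e6f7a8b:TM=1386000000:LM=1386000000:S=abcdEFGH; "
          "expires=Fri, 11 Dec 2015 12:00:00 GMT; path=/; domain=.google.com")
NOW = datetime(2013, 12, 11, 12, 0, 0, tzinfo=timezone.utc)  # fixed "today"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def lifetime_days(attrs, now):
    """Days until expiry; None for a session cookie. Max-Age beats Expires."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # treat a zone-less date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None


def audit(header, now, max_days=30):
    """Flag a cookie that carries an ID subfield and outlives max_days."""
    name, value, attrs = parse_set_cookie(header)
    subfields = dict(f.split("=", 1) for f in value.split(":") if "=" in f)
    days = lifetime_days(attrs, now)
    long_lived = days is not None and days > max_days
    return {
        "name": name,
        "id": subfields.get("ID"),
        "lifetime_days": days,
        "persistent_identifier": bool(subfields.get("ID")) and long_lived,
    }


if __name__ == "__main__":
    print(audit(SAMPLE, NOW))
```

A session cookie (no `Expires` or `Max-Age`) or one that expires within the threshold is not flagged, which is the behavior you get from erasing cookies frequently.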

What does this have to do with application performance management? That’s simple. If Google can access your cookies to target advertising, and the NSA can track your actions, who else can use your browser to access your computer, network, and applications? There is a long list: some benevolent, some commercial, and some whose motives are decidedly unpleasant. If you are a privacy-conscious organization, you may not want your activities to be tracked.

One option is to stop using Google for searches. Some companies restrict use for this reason. Still, in a BYOD (bring your own device) world, managing the process can be difficult for businesses.

There are commercial and open source alternatives. Duck Duck Go (DDG) is an open source product that does not track your search activity. When you search for information on the web, DDG strips your IP address and search terms from the HTTP headers when you click on one of the search links it shows you. That way the web site you visit does not know (a) who you are and (b) what you were searching for, because DDG does not tell them.

Another thing you can do is to block third-party cookies. Third-party cookies are those used to track your activities for various purposes like advertising. DoubleClick (now owned by Google) is the most widely known advertising company to do this. You can turn off third-party cookies in Firefox, Microsoft Internet Explorer, and Google Chrome. In Safari, they are blocked by default. There is also a browser setting to request that web sites protect your privacy (do not track), but there is no agreement from all sites to honor the policy.

Balancing privacy concerns at home and at work can be challenging, particularly if you use one computer in both environments. If you, or your company, want a higher level of anonymity, you can use the Tor Browser to hide your IP address and encrypt data sent to and from your browser. If your goal is to just keep advertisers from invading your privacy, then reconsider your browser selection, erase your cookies frequently, and block third-party cookies.