I briefly mentioned in a previous blog post the tracking capabilities of cookies, and how cookies can be used to do things like scan networks behind firewalls. Well, the documentation has now surfaced of how the NSA uses one particular Google cookie to track users and determine who to target for closer surveillance (i.e. attack with software exploits).
Google's PREF Cookie
Google assigns a unique PREF cookie anytime someone's browser makes a connection to any of the company's Web properties or services. This can occur when consumers directly use Google services such as Search or Maps, or when they visit Web sites that contain embedded "widgets" for the company's social media platform Google Plus. That cookie contains a code that allows Google to uniquely track users to "personalize ads" and measure how they use other Google products.
Given the widespread use of Google services and widgets, most Web users are likely to have a Google PREF cookie even if they've never visited a Google property directly.
That PREF cookie is specifically mentioned in an internal NSA slide, which reference the NSA using GooglePREFID, their shorthand for the unique numeric identifier contained within Google's PREF cookie. Special Source Operations (SSO) is an NSA division that works with private companies to scoop up data as it flows over the Internet's backbone and from technology companies' own systems. The slide indicates that SSO was sharing information containing "logins, cookies, and GooglePREFID" with another NSA division called Tailored Access Operations, which engages in offensive hacking operations. SSO also shares the information with the British intelligence agency GCHQ.