Over a year ago it was discovered that government surveillance programs can use digital ad tracking software to keep tabs on Internet users. Now it appears more widespread than most thought.
In fact, 100 popular news sites were found to be susceptible to security issues that could help spies learn about what websites you browse and the data you share.
The fact that the government uses ad tracking software to surveil citizens isn’t necessarily new, but recently published research shows just how widespread the issue is.
This is in the wake of the one the top ad organisations publically saying that the majority of its ad tracking programs are safe and secure. The truth is that almost half of the software used by the most popular global news websites are unsecure and provide an easy way for governments to snoop, according to the new research.
A Toronto-based researcher named Andrew Hilts performed his own audit of the 100 top media sites to see how secure data exchange really was. Hilt is a fellow at the University of Toronto’s Citizen Lab, as well as the executive director of the nonprofit Open Effect.
Hilt decided to check out if ad trackers — third-party ad software that sends and receives data — were encrypted. If the trackers were found to be unencrypted, it meant that personal data was in plain sight and easy to hack. (In essence, ad trackers leave cookies on users’ browsers, which are used to remember information such as personal preferences and previous logins. If this data is not protected it’s ripe for the taking.)
Of the pages Hilt loaded, he discovered 47 different third parties that were transmitting data to and from the sites. Of those third parties, 19 of them left what’s called a “unique identifier.” Hilt explained to me that unique identifiers are basically used to compile “a profile of who you are and what you’re interested in.”
Now this is the important, albeit slightly complicated, part of Hilt’s analysis:
An average of 53% of the third party hosts transmitting data on top news websites support HTTPS. News websites, on average, initiated communications with 10 different third parties that led to transmissions of uniquely identifying cookies that could not be secured with HTTPS. An average of 9 unique ID transmissions were to servers that support HTTPS. In other words, network snoops can take advantage of many insecurely-transmitted unique identifiers to help them identify just who is reading what news.
In laymen terms this means that on average nearly half of all third-party data transfers happening on the most popular news websites are unencrypted. Hilt explained to me the ramifications: “If an ad tracking system is being done unencrypted, other actors like your ISP or the NSA can collected this data,” he said.
Looking at the analysis, you can see that websites like the New York Post and the Economist transmit myriad data through third parties. Both of which, according to his chart, transmit well over 20 unencrypted identifiers that could be used by hackers.
The discoveries began in 2013. One of the many Snowden documents described a program that “piggybacked” on internet advertising technologies, using ad tracking technology to keep tabs on people of interest. The NSA discovered a handy loophole; many trackers are unencrypted. Thus, the NSA could easily tap into a website’s data exchange and also collect the traffic data of users.
More than a year after this initial revelation the Internet Advertising Bureau wrote a blog post calling for more widespread ad tracker encryption. This organisation called for all ad companies to support the encrypted HTTPS protocol — even the ad trackers. A website that uses the HTTPS protocol communicates encrypted data, which makes external snooping much harder to do.
The problem is that all parts of the website need to use HTTPS, not just the website itself. So if a news organisation uses third-party ad software that doesn’t use HTTPS, the website could very easily be tapped by spies. That’s why the IAB called for more data security.
“Once a website decides to support HTTPS,” the IAB wrote, “they need to make sure that their primary ad server supports encryption.” This way a user can be sure that all information exchanged on the page is secure and invisible to any unwanted eyes. The IAB added in its post that “nearly 80% of [its] members ad delivery systems supported HTTPS.”
Hilt’s findings show that this may not be the case.
Privacy advocates freaked out yesterday over Hilt’s findings. “A dubious congratulations to the St Louis Post-Dispatch, topping the news charts with 168 tracking URLs per page load,” tweeted Electronic Frontier Foundation activist Parker Higgins.
While the IAB’s message to advertisers is a step in the right direction, the fact that it doesn’t seem aware of how prevalent unencrypted tracking is means there’s a huge problem. In order for a website to truly ensure that its users aren’t being tracked by unknown third parties, it must ensure that both it and all of its third parties are communicating using HTTPS.
Hilt said the he’s happy the IAB is working to correct this issue, but it also needs to be aware of the work that needs to be done.
“The findings show they still have a ways to go,” he said.