Law Enforcement and the World Wide Web of Spies

By Nicholas Weaver
Monday, October 5, 2015, 4:26 PM

Administrative subpoenas, grand jury subpoenas, and search warrants are incredibly powerful tools that interact strongly with the web's construction. For the typical web page is part of a world wide web of spies, reporting a user's behavior back to third parties. With a well-structured subpoena or warrant to Google, Facebook, or Twitter, it is possible to reconstruct the majority of a typical target's browsing history.

Almost every web page is a minefield of tracking devices, little elements that report "This person visited a webpage" back to a third party service. Some are analytics tools which notify the site operator of how users behave, others are social widgets like the ubiquitous "Like" button, and some are advertisements which don't just bombard the page with advertisements but also report back to the advertising network.

Each connection generated by these elements sends a cookie, a small identifier, back to the third-party service. Some cookies (such as those to Facebook or Google) directly identify the user while others (such as the DoubleClick cookie) are pseudonymous, supposedly unlinked to an actual identity. Even a well-constructed site like Lawfare contains trackers reporting back to Google, Twitter, Crazy Egg, Facebook, and Adobe, a small number compared to the New York Times's 35!
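To see which third parties a given page reports to, a site operator or reader can audit its markup. The following is an added example, not code from the original article: it lists the third-party hosts that a page's embedded scripts, images, and frames will contact. All hostnames are placeholders, and treating a "site" as the last two DNS labels is a simplifying assumption.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose src makes the browser fetch from the named host on page load.
FETCHING = {"script", "img", "iframe"}

def site(host):
    # Assumption: "site" = last two DNS labels. A real audit should use the
    # Public Suffix List so that a.co.uk and b.co.uk are not merged.
    return ".".join(host.lower().split(".")[-2:])

class EmbedAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site(urlsplit(page_url).hostname)
        self.third_party = defaultdict(list)  # host -> [(tag, url), ...]

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag in FETCHING else None
        if not src:
            return
        # Resolve relative and protocol-relative ("//host/x") references.
        url = urljoin(self.page_url, src)
        host = urlsplit(url).hostname
        if host and site(host) != self.first_party:
            self.third_party[host].append((tag, url))

def third_party_hosts(html, page_url):
    audit = EmbedAudit(page_url)
    audit.feed(html)
    return dict(audit.third_party)

# Constructed sample page; every hostname is a placeholder.
SAMPLE = """
<html><head>
<script src="https://static.news.example/app.js"></script>
<script src="//analytics.tracker.example/collect.js"></script>
</head><body>
<img src="https://pixel.adnet.example/p.gif?page=story-123" width="1" height="1">
<iframe src="https://widgets.social.example/like?href=story-123"></iframe>
<img src="images/photo.jpg">
</body></html>
"""

if __name__ == "__main__":
    for host, hits in third_party_hosts(SAMPLE, "https://www.news.example/story-123").items():
        print(host, [tag for tag, _ in hits])
```

Static parsing misses trackers that scripts inject at runtime, so the result is a lower bound on what the page actually contacts.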

Silicon Valley companies don't tend to like discussing this web of spies. Facebook's guide for law enforcement doesn't even mention the tracking inherent in the Like button, although Facebook does admit that it collects this data for use in advertising, building up a better profile of the user. Since this data exists, however, law enforcement can ask for it.

A search warrant to Google, Twitter, or Facebook could specify all pageview tracking information collected. This allows a reconstruction of the bulk of the user's page views, not just their search history, email, and profile. For Google, the warrant could also demand the separate DoubleClick cookie's advertising-related tracking. For although the DoubleClick cookie is pseudonymous, Google can trivially tie the DoubleClick cookie to the Google identity (and, if they value their investors, already do).

In addition to the web history, this also gets the target's pattern of movement. Each logged page view also includes the IP address. Such metadata can then reconstruct the target's movements by using an IP geolocation database. Handy if the target has enough sense not to use a cellphone.

It is the company, not the user, that gets to object to this request as it is the company's data. Depending on the laws and company policy, the companies may attempt to fight such orders but, in the end, they are likely to lose. By any reasonable standard, this is data remarkably similar to the phone data in Smith v. Maryland, data freely provided by the user's browser to the third party. The only real protection is that law enforcement appears unaware of what they can ask for.

It is not just law enforcement that can demand such access. With the increasing use of encryption, it is harder for the NSA to passively suck up a user's pageviews. But a 702 order to Google can reveal every page the target viewed on the Washington Post's encrypted site and any other site containing Google's trackers, regardless of encryption or whether an NSA wiretap recorded the user's pageviews.

I personally find the tracking that occurs on the web repugnant, and take individual steps (notably using Ghostery) to mitigate this web of spies. I also find the notion that I have no say in protecting my data from law enforcement disturbing. So why am I writing this?

Because the only way to mitigate the problem of ubiquitous tracking is to publicize it.

The World Wide Web of spies is a dangerous phenomenon, and the only way to mitigate it is for everyone to understand what it has created. I would much rather that Silicon Valley not collect this data. I would much rather that the law allow me to challenge any attempt to access the data. But as long as they collect it, and the law does not protect it, law enforcement has a right to use it.