Back in December, documents revealed the NSA had been using Google's ad-tracking cookies to follow browsers across the web, effectively coopting ad networks into surveillance networks.
A new paper from computer scientists at Princeton breaks down exactly how easy it is, even without the resources and access of the NSA. The researchers were able to reconstruct as much as 90% of a user's web activity just from monitoring traffic to ad-trackers like Google's DoubleClick.
Crucially, the researchers didn't need any special access to the ad data. They just sat back and watched public traffic across the network. As it turns out, trackers are displaying a surprising amount of information in public.
Each ad system gives a user a unique ID number, but by following the same browser session from system to system, the researchers were able to tie together the vast majority of a given user's web requests. By following those same cookies to identity-based services like Facebook and Google+, the researchers were able to give a name to each user.
The result is that a given pageview is surprisingly easy to trace back to a person's name and the other pages they've visited. Security measures like HTTPS threw researchers off the case a little bit, but the density of ad cookies makes those measures easy to get around. The only solid protection was the routing network Tor, which scrambled IP addresses thoroughly enough to escape the researchers' impromptu dragnet.
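To see why cleartext tracker cookies are this linkable, the sketch below clusters a handful of constructed observations the way the article describes, following one browser from ad system to ad system. It is an added example, not code from the Princeton paper. The linking rule (two tracker cookies sent from the same IP for the same page within a few seconds belong to one browser), the hostnames, the IDs and the function name are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of cleartext tracker requests as a passive observer sees them:
# (timestamp_s, client_ip, tracker_host, cookie_id, referring_page)
OBSERVATIONS = [
    (0,   "198.51.100.7", "ads-a.example", "A1", "news.example/story"),
    (1,   "198.51.100.7", "ads-b.example", "B9", "news.example/story"),
    (5,   "198.51.100.7", "ads-a.example", "A2", "blog.example/post"),  # second browser behind the same NAT
    (60,  "198.51.100.7", "ads-b.example", "B9", "shop.example/cart"),
    (900, "203.0.113.20", "ads-b.example", "B9", "forum.example/thread"),  # IP changed, cookie did not
    (901, "203.0.113.20", "ads-c.example", "C4", "forum.example/thread"),
]

WINDOW_S = 5  # assumption: tracker requests for one page load arrive within this window


def link_cookies(observations, window_s=WINDOW_S):
    """Group tracker cookies into per-browser clusters; return [(cookies, pages), ...]."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    last_seen = {}  # (ip, page) -> (timestamp, cookie) of the latest request for that page load
    for ts, ip, tracker, cid, page in sorted(observations):
        cookie = (tracker, cid)
        find(cookie)
        prev = last_seen.get((ip, page))
        if prev and ts - prev[0] <= window_s:
            # Same IP, same page, same moment: treat both cookies as one browser.
            parent[find(cookie)] = find(prev[1])
        last_seen[(ip, page)] = (ts, cookie)

    # A cookie is its own node, so a cookie reused after an IP change joins
    # the same cluster without any extra rule.
    clusters = defaultdict(lambda: (set(), set()))
    for ts, ip, tracker, cid, page in observations:
        cookies, pages = clusters[find((tracker, cid))]
        cookies.add((tracker, cid))
        pages.add(page)
    return sorted(clusters.values(), key=lambda c: -len(c[1]))


if __name__ == "__main__":
    for cookies, pages in link_cookies(OBSERVATIONS):
        print(sorted(cookies), "->", sorted(pages))
```

Three unrelated ad IDs collapse into one browser with a three-page history that survives an IP change, while the second browser behind the same NAT stays separate. A tracker request sent over HTTPS would simply be missing from the observation list, which removes one link but leaves the others intact.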