gives trackers info on pregnancy, income and more

The U.S. government’s healthcare insurance sign-up site is quietly handing over deeply personal information to advertising and social networks, according to a Tuesday Associated Press report.

The Electronic Frontier Foundation (EFF) followed up by checking what is being passed on, and found it includes pregnancy status, income level, ZIP code, smoking status, parental status and age. The information travels in the referrer header: when a page embeds a third-party resource (a script, tracking pixel or font), the browser attaches the URL of the page to its request for that resource, so the resource’s server learns which page the request came from. Because the site keeps the visitor’s answers in the page URL, the whole URL, answers included, goes along with every such request. The data is also sometimes “embedded in the request string itself,” the EFF said, that is, copied into the URL of the request that the tracker’s own code sends home.

The EFF found the information reaching the analytics providers [company]Chartbeat[/company] and [company]Optimizely[/company], [company]Google[/company]’s DoubleClick ad service and Google itself in both the referrer header and the request string. Referrer headers rich in personal data also reach services such as [company]Twitter[/company], [company]Yahoo[/company], [company]YouTube[/company], [company]Akamai[/company] and, according to AP, [company]Facebook[/company]. The site does this even if the user has turned on Do Not Track, which is only a request header expressing a preference; sites honour it voluntarily and nothing in the browser enforces it. A spokesman for the site, Aaron Albright, told AP that outside vendors “are prohibited from using information from these tools [...] for their companies’ purposes,” and that the tools are there only to measure site performance. There is indeed no evidence of the data being misused.

However, experts questioned why the likes of Facebook and Google needed this information at all (Google itself denied allowing its systems to target ads based on medical history information). As the EFF’s Cooper Quintin pointed out, a service like DoubleClick has enormous opportunities to match the data against the other tracking information it already holds on the same user. He also noted that the use of third-party resources creates more of an “attack surface” that hackers could use to gain access to the site. The mechanism behind that point is simple: a script loaded from any of those vendors executes inside the page with the same privileges as the site’s own code, so a compromise of any one vendor is a compromise of the site.
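To make the leak mechanism concrete, here is an added example (not code from the article, the EFF, AP or the site they describe) that reproduces it and shows what each referrer policy would have left for the tracker. A constructed page URL carries the visitor’s answers in its query string, as the EFF observed; `referrerFor()` follows the “determine request’s referrer” steps of the W3C Referrer Policy specification, so the same function covers every policy value, not just the one the browsers of the time applied by default (`no-referrer-when-downgrade`; current browsers default to `strict-origin-when-cross-origin`). The host names, paths and parameter names are assumed samples.

```javascript
// Added example, not code from the article or the site it describes.
// A page whose URL carries the visitor's answers embeds a third-party
// resource; the browser sends the page URL as that request's Referer.
// referrerFor() implements the W3C Referrer Policy "determine request's
// referrer" algorithm so every policy value can be compared.
// Host names, paths and parameter names below are constructed samples.

// Constructed sample page URL: the answers live in the query string.
const PAGE_URL = 'https://insurance.example.gov/see-plans/' +
  '?zip=20002&age=35&smoker=true&pregnant=true&income=32000#results';
// Constructed sample third-party tracker endpoint.
const TRACKER_URL = 'https://tracker.example.net/pixel.gif';
// Query parameters we treat as sensitive.
const SENSITIVE = ['zip', 'age', 'smoker', 'pregnant', 'income'];

function isPotentiallyTrustworthy(u) {
  return u.protocol === 'https:' || u.hostname === 'localhost';
}

// Full-URL referrer: the page URL minus credentials and fragment,
// which browsers never send.
function fullReferrer(u) {
  const r = new URL(u.href);
  r.username = ''; r.password = ''; r.hash = '';
  return r.href;
}

// Origin-only referrer, serialized with a trailing slash as browsers send it.
function originReferrer(u) {
  return u.origin + '/';
}

// Referer value sent for a request from fromUrl to toUrl under policy;
// null means no Referer header at all.
function referrerFor(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  // A "downgrade" is an https page requesting a non-https resource.
  const downgrade = isPotentiallyTrustworthy(from) && !isPotentiallyTrustworthy(to);
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return fullReferrer(from);
    case 'origin':
      return originReferrer(from);
    case 'same-origin':
      return sameOrigin ? fullReferrer(from) : null;
    case 'strict-origin':
      return downgrade ? null : originReferrer(from);
    case 'origin-when-cross-origin':
      return sameOrigin ? fullReferrer(from) : originReferrer(from);
    case 'no-referrer-when-downgrade':
      return downgrade ? null : fullReferrer(from);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return fullReferrer(from);
      return downgrade ? null : originReferrer(from);
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// Which sensitive fields the tracker can read out of the Referer it receives.
function leakedFields(fromUrl, toUrl, policy) {
  const ref = referrerFor(fromUrl, toUrl, policy);
  if (ref === null) return [];
  const params = new URL(ref).searchParams;
  return SENSITIVE.filter((name) => params.has(name));
}

// Compare the browser default of the time with the two settings a site
// could have shipped to close the hole.
function report() {
  const policies = ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin', 'no-referrer'];
  return policies.map((policy) => ({
    policy,
    referrer: referrerFor(PAGE_URL, TRACKER_URL, policy),
    leaked: leakedFields(PAGE_URL, TRACKER_URL, policy),
  }));
}

for (const row of report()) {
  console.log(row.policy.padEnd(34), String(row.referrer).padEnd(92),
              'leaks:', row.leaked.join(',') || 'nothing');
}
```

A site sets the policy with a `Referrer-Policy` response header or a `<meta name="referrer" content="...">` tag; `strict-origin-when-cross-origin` keeps the full URL for the site’s own requests while sending cross-origin trackers only the origin. Note what the policy does not fix: the “embedded in the request string itself” case, where the vendor’s script reads the page URL from the document and puts it into its own request, is unaffected, and only keeping the answers out of the URL (or not loading the script) closes that path.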

Chinese attacks cost U.S. Defense Department over $100M

Chinese army hackers apparently caused more than $100 million worth of damage to U.S. Department of Defense networks, according to NSA research detailed in documents from the Edward Snowden cache.

On Saturday Germany’s Der Spiegel published a story, based on the Snowden documents, that described some of the offensive “digital weapons” the NSA has developed and generally outlined the chaotic, unregulated arms race that’s ramping up in the digital realm.

A large part of the article focused on the capabilities of other countries – something that’s not previously come through very strongly in publications of Snowden’s revelations – and how the NSA tracks what foreign intelligence agencies steal, then steals that information from them. This cunning practice is apparently known as “Fourth Party Collection”.

One Snowden document, however, outlined damage perpetrated by the Chinese Army on the U.S.’s own military infrastructure. It’s a presentation from a few years back that’s based on the findings of the NSA’s “Byzantine Hades” research into Chinese computer network exploitation, and it referred to more than 30,000 incidents involving Department of Defense (DoD) systems, over 500 of which it called “significant intrusions”. More than 1,600 computers on the DoD network were penetrated.

The presentation stated that it cost the DoD more than $100 million to assess the damage and rebuild its networks. It also suggested that the Chinese were after information on U.S. missile navigation and tracking systems, nuclear submarine and anti-air missile designs, space-based laser technology, and various military jets.

According to the documents, when the NSA traced back one Chinese attack on the DoD, they found not only the source of the attack but also information that the Chinese had stolen from others, including the United Nations.

Other documents, drawn up by the Canadian NSA partner CSEC, detailed spyware implants dubbed Snowball and Snowman (a system collectively referred to as Snowglobe) that CSEC thought “with moderate certainty” was the work of the French. The targets here included Iran, former French colonies such as Algeria and the Ivory Coast, and European countries such as Greece, Norway and Spain. The malware also appeared to have targets within France itself.

Europe’s response to U.S. surveillance is hopeful rather than harsh

The European Commission has set out its plan for restoring “trust” in the way the U.S. treats Europeans’ data. However, while it calls for more respect for EU citizens’ rights, the plan mostly amounts to asking the Americans to stick to the rules they have already agreed to, and to be clearer about when surveillance may take place.

Dear stupid, stupid NSA

Who thought subverting not only widely-used security mechanisms, but the security standards-setting process itself, was a good idea?